Description
WS-2019-0103 - Medium Severity Vulnerability
Vulnerable Libraries - handlebars-4.0.12.tgz, handlebars-4.0.11.tgz
handlebars-4.0.12.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.12.tgz
Path to dependency file: angular/integration/cli-hello-world-ivy-minimal/yarn.lock
Path to vulnerable library: angular/integration/cli-hello-world-ivy-minimal/yarn.lock, angular/integration/cli-hello-world-ivy-compat/yarn.lock
Dependency Hierarchy:
- karma-coverage-istanbul-reporter-2.0.4.tgz (Root Library)
  - istanbul-api-2.0.6.tgz
    - istanbul-reports-2.0.1.tgz
      - ❌ handlebars-4.0.12.tgz (Vulnerable Library)
handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: angular/integration/cli-hello-world/yarn.lock
Path to vulnerable library: angular/integration/cli-hello-world/yarn.lock, angular/aio/yarn.lock, angular/yarn.lock
Dependency Hierarchy:
- karma-coverage-istanbul-reporter-1.4.1.tgz (Root Library)
  - istanbul-api-1.2.1.tgz
    - istanbul-reports-1.1.3.tgz
      - ❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in HEAD commit: cf1f1c0344fa01406f61ff7437a72714be39b47e
Vulnerability Details
Handlebars.js before version 4.1.0 is affected by a Remote Code Execution (RCE) vulnerability.
Publish Date: 2019-01-30
URL: WS-2019-0103
Suggested Fix
Type: Upgrade version
Origin: handlebars-lang/handlebars.js@edc6220
Release Date: 2019-05-30
Fix Resolution: 4.1.0