node-red-azure-webapp icon indicating copy to clipboard operation
node-red-azure-webapp copied to clipboard
Published 3 years ago verified publisher icon jmservera

WS-2019-0064 (High) detected in handlebars-2.0.0.min.js

Open mend-bolt-for-github[bot] opened this issue 5 years ago • 0 comments

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-2.0.0.min.js

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/2.0.0/handlebars.min.js

Path to dependency file: /node_modules/node-red-node-swagger/node_modules/swagger-ui/dist/index.html

Path to vulnerable library: /node-red-azure-webapp/node_modules/node-red-node-swagger/node_modules/swagger-ui/dist/lib/handlebars-2.0.0.js

Dependency Hierarchy:

  • :x: handlebars-2.0.0.min.js (Vulnerable Library)

Found in HEAD commit: a828769834f37b291096091f7d78329324424ce2

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution: 3.0.7,4.0.14,4.1.2

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] avatar Apr 25 '20 23:04 mend-bolt-for-github[bot]