From 98efdaa4326ff927c5195e354f2fa967d26ac376 Mon Sep 17 00:00:00 2001
From: David Dalcino
Date: Wed, 17 Jan 2024 17:21:23 -0800
Subject: [PATCH] add CVE-2021-23369 and CVE-2021-23383 for `handlebars-source` (#728)
---
 gems/handlebars-source/CVE-2021-23369.yml | 15 +++++++++++++++
 gems/handlebars-source/CVE-2021-23383.yml | 15 +++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 gems/handlebars-source/CVE-2021-23369.yml
 create mode 100644 gems/handlebars-source/CVE-2021-23383.yml
diff --git a/gems/handlebars-source/CVE-2021-23369.yml b/gems/handlebars-source/CVE-2021-23369.yml
new file mode 100644
index 0000000000..52916a9752
--- /dev/null
+++ b/gems/handlebars-source/CVE-2021-23369.yml
@@ -0,0 +1,15 @@
+---
+gem: handlebars-source
+cve: 2021-23369
+ghsa: f2jv-r9rf-7988
+url: https://github.com/advisories/GHSA-f2jv-r9rf-7988
+title: Remote code execution in handlebars when compiling templates
+date: 2021-04-12
+description: |
+  The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when
+  selecting certain compiling options to compile templates coming from an untrusted source.
+  This vulnerability has been assigned the CVE identifier CVE-2021-23369.
+
+cvss_v3: 9.8
+patched_versions:
+  - ">= 4.7.7"
diff --git a/gems/handlebars-source/CVE-2021-23383.yml b/gems/handlebars-source/CVE-2021-23383.yml
new file mode 100644
index 0000000000..c7eae89c2d
--- /dev/null
+++ b/gems/handlebars-source/CVE-2021-23383.yml
@@ -0,0 +1,15 @@
+---
+gem: handlebars-source
+cve: 2021-23383
+ghsa: 765h-qjxv-5f44
+url: https://github.com/advisories/GHSA-765h-qjxv-5f44
+title: Prototype Pollution in handlebars
+date: 2021-05-04
+description: |
+  The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when
+  selecting certain compiling options to compile templates coming from an untrusted source.
+  This vulnerability has been assigned the CVE identifier CVE-2021-23383.
+
+cvss_v3: 9.8
+patched_versions:
+  - ">= 4.7.7"
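Review bot: The `description` block in both new files opens with `The package handlebars before 4.7.7 are vulnerable ...`, a subject/verb disagreement carried over from the upstream advisory wording; `The package handlebars before 4.7.7 is vulnerable to ...` reads correctly and applies to CVE-2021-23369.yml and CVE-2021-23383.yml alike. Both descriptions also say only that "certain compiling options" expose the issue without naming the option, so a reader of this advisory cannot tell whether their configuration is affected before they can upgrade; if the linked GHSA identifies the option, it is worth restating in `description` rather than leaving it to the URL. The remaining fields parse as intended: the hyphenated `cve`/`ghsa` values stay strings, `date` is a plain ISO date as the advisory format expects, and `patched_versions` is quoted so the `>=` constraint cannot be misread by the parser.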