From aeed1407288db398242eb8724ecdd3d1a08e85e8 Mon Sep 17 00:00:00 2001
From: Dave Dalcino
Date: Wed, 3 Jan 2024 13:05:37 -0800
Subject: [PATCH 1/3] add CVE-2021-23369 and CVE-2021-23383 for handlebars-source
---
gems/handlebars-source/CVE-2021-23369.yml | 15 +++++++++++++++
gems/handlebars-source/CVE-2021-23383.yml | 15 +++++++++++++++
2 files changed, 30 insertions(+)
create mode 100644 gems/handlebars-source/CVE-2021-23369.yml
create mode 100644 gems/handlebars-source/CVE-2021-23383.yml
diff --git a/gems/handlebars-source/CVE-2021-23369.yml b/gems/handlebars-source/CVE-2021-23369.yml
new file mode 100644
index 0000000000..bb4bd4825f
--- /dev/null
+++ b/gems/handlebars-source/CVE-2021-23369.yml
@@ -0,0 +1,15 @@
+---
+gem: handlebars-source
+cve: 2021-23369
+ghsa: f2jv-r9rf-7988
+url: https://github.com/advisories/GHSA-f2jv-r9rf-7988
+title: Remote code execution in handlebars when compiling templates
+date: 2021-04-12
+description: |
+ The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when
+ selecting certain compiling options to compile templates coming from an untrusted source.
+ This vulnerability has been assigned the CVE identifier CVE-2021-23369.
+
+cvss_v3: 9.8
+patched_versions:
+ - "~> 4.7.7, >= 4.7.7"
diff --git a/gems/handlebars-source/CVE-2021-23383.yml b/gems/handlebars-source/CVE-2021-23383.yml
new file mode 100644
index 0000000000..27ad25ed34
--- /dev/null
+++ b/gems/handlebars-source/CVE-2021-23383.yml
@@ -0,0 +1,15 @@
+---
+gem: handlebars-source
+cve: 2021-23383
+ghsa: 765h-qjxv-5f44
+url: https://github.com/advisories/GHSA-765h-qjxv-5f44
+title: Prototype Pollution in handlebars
+date: 2021-05-04
+description: |
+ The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when
+ selecting certain compiling options to compile templates coming from an untrusted source.
+ This vulnerability has been assigned the CVE identifier CVE-2021-23383.
+
+cvss_v3: 9.8
+patched_versions:
+ - "~> 4.7.7, >= 4.7.7"
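Review bot: The `description:` block of the new CVE-2021-23369.yml copies the upstream advisory text verbatim, including its grammatical slip (`The package handlebars before 4.7.7 are vulnerable` should read `is vulnerable`) and a closing sentence that only restates the `cve:` field above it. A bundler-audit user reading this entry also gets no hint that handlebars-source merely vendors the handlebars.js runtime, so the RCE is reachable only through a Ruby consumer that executes that JavaScript to compile templates from untrusted input with the affected compile options. I would reword the first line to `  The handlebars.js bundled by this gem, before 4.7.7, is vulnerable to Remote Code Execution (RCE) when` and, if it can be confirmed against the upstream 4.7.7 release notes (my recollection is that this CVE concerns `compat` mode, but verify), name the compile option rather than leaving "certain compiling options", so readers can judge their exposure.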
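Review bot: The prototype-pollution entry's `description:` is the same boilerplate as the RCE entry apart from the vulnerability name (and it carries the same `are vulnerable` → `is vulnerable` grammar fix), so someone triaging an audit report cannot tell which compile option exposes which bug or that both were fixed in the same handlebars.js release; a sentence naming the affected mode, taken from the upstream fix, would make the two advisories distinguishable. Since handlebars-source only packages handlebars.js, it is also worth checking whether other gems tracked in this database ship their own copy of handlebars.js (handlebars_assets comes to mind, though I have not verified its contents) and need matching entries, otherwise users of those gems receive no warning for either CVE.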
From 995815c545aba88fd702cd0700cff98ae1073383 Mon Sep 17 00:00:00 2001
From: David Dalcino
Date: Wed, 3 Jan 2024 13:32:35 -0800
Subject: [PATCH 2/3] Update CVE-2021-23369.yml fix version string
---
gems/handlebars-source/CVE-2021-23369.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/handlebars-source/CVE-2021-23369.yml b/gems/handlebars-source/CVE-2021-23369.yml
index bb4bd4825f..52916a9752 100644
--- a/gems/handlebars-source/CVE-2021-23369.yml
+++ b/gems/handlebars-source/CVE-2021-23369.yml
@@ -12,4 +12,4 @@ description: |
 
 cvss_v3: 9.8
 patched_versions:
- - "~> 4.7.7, >= 4.7.7"
+ - ">= 4.7.7"
From a0cfd6be2de5697f70ccda322fae7cd6d2944068 Mon Sep 17 00:00:00 2001
From: David Dalcino
Date: Wed, 3 Jan 2024 13:33:05 -0800
Subject: [PATCH 3/3] fix version string
---
gems/handlebars-source/CVE-2021-23383.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/handlebars-source/CVE-2021-23383.yml b/gems/handlebars-source/CVE-2021-23383.yml
index 27ad25ed34..c7eae89c2d 100644
--- a/gems/handlebars-source/CVE-2021-23383.yml
+++ b/gems/handlebars-source/CVE-2021-23383.yml
@@ -12,4 +12,4 @@ description: |
 
 cvss_v3: 9.8
 patched_versions:
- - "~> 4.7.7, >= 4.7.7"
+ - ">= 4.7.7"