express-handlebars-3.1.0.tgz: 11 vulnerabilities (highest severity is: 9.8)
Opened this issue · 0 comments
Vulnerable Library - express-handlebars-3.1.0.tgz
A Handlebars view engine for Express which doesn't suck.
Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/package.json
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (express-handlebars version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-37598 |  Critical |
9.8 | uglify-js-3.6.0.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2021-44906 | Critical |
9.8 | minimist-0.0.10.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2021-23383 | Critical |
9.8 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2021-23369 | Critical |
9.8 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2019-19919 | Critical |
9.8 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2021-32820 |  High |
8.6 | express-handlebars-3.1.0.tgz | Direct | 5.3.3 | ✅ |
| CVE-2019-20920 | High |
8.1 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| WS-2020-0450 | High |
7.5 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2022-3517 | High |
7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
| CVE-2019-20922 | High |
7.5 | handlebars-4.1.2.tgz | Transitive | 4.0.0 | ✅ |
| CVE-2020-7598 |  Medium |
5.6 | minimist-0.0.10.tgz | Transitive | 4.0.0 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37598
Vulnerable Library - uglify-js-3.6.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/uglify-js/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- handlebars-4.1.2.tgz
- ❌ uglify-js-3.6.0.tgz (Vulnerable Library)
- handlebars-4.1.2.tgz
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-44906
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- handlebars-4.1.2.tgz
- optimist-0.6.1.tgz
- ❌ minimist-0.0.10.tgz (Vulnerable Library)
- optimist-0.6.1.tgz
- handlebars-4.1.2.tgz
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23383
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-23369
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-19919
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w457-6q6x-cgp9
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-32820
Vulnerable Library - express-handlebars-3.1.0.tgz
A Handlebars view engine for Express which doesn't suck.
Library home page: https://registry.npmjs.org/express-handlebars/-/express-handlebars-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/package.json
Dependency Hierarchy:
- ❌ express-handlebars-3.1.0.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Since version 5.3.1, Notes in documentation have been added to help users avoid this potential information exposure. See express-handlebars/express-handlebars@78c47a2
Mend Note: Since version 5.3.1, Notes in documentation have been added to help users avoid this potential information exposure. See express-handlebars/express-handlebars@78c47a2
Publish Date: 2021-05-14
URL: CVE-2021-32820
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-32820
Release Date: 2021-05-14
Fix Resolution: 5.3.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-20920
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2020-0450
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).
Publish Date: 2020-01-09
URL: WS-2020-0450
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-09
Fix Resolution (handlebars): 4.6.0
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- glob-7.1.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2019-20922
Vulnerable Library - handlebars-4.1.2.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-handlebars/node_modules/handlebars/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- ❌ handlebars-4.1.2.tgz (Vulnerable Library)
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-7598
Vulnerable Library - minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
- express-handlebars-3.1.0.tgz (Root Library)
- handlebars-4.1.2.tgz
- optimist-0.6.1.tgz
- ❌ minimist-0.0.10.tgz (Vulnerable Library)
- optimist-0.6.1.tgz
- handlebars-4.1.2.tgz
Found in HEAD commit: b75a51013b116ea8910d824c68c14952f61008f0
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (express-handlebars): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.