{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Critical" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"nodejs-handlebars security update", "category":"general", "title":"Synopsis" }, { "text":"An update for nodejs-handlebars is now available for openEuler-20.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"Handlebars.js is an extension to the Mustache templating language created by Chris Wanstrath. Handlebars.js and Mustache are both logicless templating languages that keep the view and the code separated like we all know they should be.\n\nSecurity Fix(es):\n\nThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.(CVE-2021-23383)", "category":"general", "title":"Description" }, { "text":"An update for nodejs-handlebars is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Critical", "category":"general", "title":"Severity" }, { "text":"nodejs-handlebars", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2021-1196", "category":"self", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1196" }, { "summary":"CVE-2021-23383", "category":"self", "url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-23383&packageName=nodejs-handlebars" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383" }, { "summary":"openEuler-SA-2021-1196 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1196.json" } ], "title":"An update for nodejs-handlebars is now available for openEuler-20.03-LTS-SP1", "tracking":{ "initial_release_date":"2021-05-30T09:20:08+08:00", "revision_history":[ { "date":"2021-05-30T09:20:08+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:20:08+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:20:08+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:20:08+08:00", "id":"openEuler-SA-2021-1196", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"nodejs-handlebars-4.0.13-2.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"nodejs-handlebars-4.0.13-2.oe1.noarch.rpm" }, "name":"nodejs-handlebars-4.0.13-2.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"nodejs-handlebars-4.0.13-2.oe1.src.rpm(20.03-LTS-SP1)", "name":"nodejs-handlebars-4.0.13-2.oe1.src.rpm" }, "name":"nodejs-handlebars-4.0.13-2.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"nodejs-handlebars-4.0.13-2.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.noarch", "name":"nodejs-handlebars-4.0.13-2.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"nodejs-handlebars-4.0.13-2.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.src", "name":"nodejs-handlebars-4.0.13-2.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-23383", "notes":[ { "text":"The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.noarch", "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.noarch", "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.src" ], "details":"nodejs-handlebars security update", "category":"vendor_fix", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1196" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"CRITICAL", "baseScore":9.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.noarch", "openEuler-20.03-LTS-SP1:nodejs-handlebars-4.0.13-2.oe1.src" ] } ], "threats":[ { "details":"Critical", "category":"impact" } ], "title":"CVE-2021-23383" } ] }