{
  "threat_severity" : "Moderate",
  "public_date" : "2021-04-12T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option",
    "id" : "1956688",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1956688"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.", "A flaw was found in nodejs-handlebars. An unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component, which includes Handlebars.js. Starting in 4.6, kibana is shipped as \"container first\" content. As such, the fix for OCP will be seen in the affected products table under openshift4/ose-logging-kibana6. The separate package \"kibana\" listed under \"OpenShift Container Platform 4\" is only used by 4.5 and earlier and will not be fixed.\nIn OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to Low.\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a Low impact rating.\nRed Hat Gluster Storage 3 bundles the vulnerable Handlebars.js (with pcs); however, it does not use the \"compat\" option or templates from external sources, hence this issue has been rated as having a security impact of Low.",
  "affected_release" : [ {
    "product_name" : "OpenShift Logging 5.1",
    "release_date" : "2021-11-17T00:00:00Z",
    "advisory" : "RHSA-2021:4628",
    "cpe" : "cpe:/a:redhat:logging:5.1::el8",
    "package" : "openshift-logging/kibana6-rhel8:v6.8.1-48",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2021-11-17T00:00:00Z",
    "advisory" : "RHSA-2021:4032",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/kibana6-rhel8:v6.8.1-47",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2500",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-logging-kibana6:v4.6.0-202106181629.p0.git.40f3e72",
    "impact" : "low"
  }, {
    "product_name" : "RHPAM 7.13.1 async",
    "release_date" : "2023-03-20T00:00:00Z",
    "advisory" : "RHSA-2023:1334",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
    "package" : "handlebars"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Affected",
    "package_name" : "servicemesh-prometheus",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/application-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "pcs",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23383\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23383" ],
  "name" : "CVE-2021-23383",
  "csaw" : false
}