📂 Vulnerable Library - handlebars-4.6.0.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-37598 | 🟣 Critical | 9.3 | Not Defined | < 1% | uglify-js-3.12.0.tgz | Transitive | N/A | ❌ | |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-0.0.8.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-23369 | 🟡 Low | 2.9 | Proof of concept | 4.0% | handlebars-4.6.0.tgz | Direct | handlebars - 4.7.7, org.webjars:handlebars:4.7.7, org.webjars.npm:handlebars:4.7.7 | ✅ | Reachable |
| CVE-2021-23383 | 🟡 Low | 2.9 | Proof of concept | 5.9% | handlebars-4.6.0.tgz | Direct | handlebars - 4.7.7 | ✅ | Unreachable |
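The table lists a fixed version per finding, but the two minimist advisories each name two fix lines (0.2.x and 1.2.x), and a lockfile can hold several copies of the same package. The script below is an added example, not part of the scan output: it walks a package-lock style "packages" map, picks the fix on the same major line as each installed copy, and reports every copy still below it. The fix versions are copied from the Fix Resolution fields on this page; the lockfile fragment, the helper names and the path layout are constructed for the demo. Note that the table marks the transitive minimist findings as having no remediation available through the direct dependency, so for those copies the upgrade has to come from whatever pulls them in.

```javascript
// Added example (not part of the scan output): decide which findings on this
// page still apply to the versions a lockfile resolved, and which fix line to take.

// Fix versions as listed under "Fix Resolution" in the report. minimist has two
// maintained lines, so the right target depends on which major line is installed.
const FIXES = {
  handlebars: { 'CVE-2021-23369': ['4.7.7'], 'CVE-2021-23383': ['4.7.7'] },
  minimist:   { 'CVE-2020-7598': ['0.2.1', '1.2.3'], 'CVE-2021-44906': ['0.2.4', '1.2.6'] },
};

// Compare dotted numeric versions; none of these packages use prerelease tags.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Prefer the fix on the same major line as the installed version; if the report
// lists none there, fall back to the lowest fixed version above the installed one.
function fixFor(installed, fixes) {
  const major = installed.split('.')[0];
  const sameLine = fixes.find((f) => f.split('.')[0] === major);
  if (sameLine) return sameLine;
  return fixes.find((f) => cmpVersion(f, installed) > 0) || null;
}

// Walk a package-lock v2/v3 style "packages" map (keys are node_modules paths,
// so nested copies of a package show up as separate entries) and report every
// installed copy that is still below its fix.
function outstandingFindings(lockPackages) {
  const results = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    const name = path.split('node_modules/').pop();
    if (!(name in FIXES)) continue;
    for (const [cve, fixes] of Object.entries(FIXES[name])) {
      const target = fixFor(meta.version, fixes);
      if (target && cmpVersion(meta.version, target) < 0) {
        results.push({ path, name, installed: meta.version, cve, upgradeTo: target });
      }
    }
  }
  return results;
}

// Constructed lockfile fragment (hypothetical layout) reflecting this report:
// handlebars is a direct dependency, minimist 0.0.8 is pulled in transitively,
// and an already-fixed minimist 1.2.6 sits at the top level.
const SAMPLE_LOCK = {
  'node_modules/handlebars': { version: '4.6.0' },
  'node_modules/handlebars/node_modules/minimist': { version: '0.0.8' },
  'node_modules/bunyan': { version: '1.8.14' },
  'node_modules/minimist': { version: '1.2.6' },
};

// Usage: node this-file.js prints one line per outstanding finding.
for (const f of outstandingFindings(SAMPLE_LOCK)) {
  console.log(`${f.cve}: ${f.path} has ${f.installed}, upgrade to ${f.upgradeTo}`);
}
```

With the constructed lockfile the check reports both handlebars findings (4.6.0 below 4.7.7) and both minimist findings for the nested 0.0.8 copy (targets 0.2.1 and 0.2.4), while the top-level minimist 1.2.6 is clean. To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json')).packages`.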
Details
🟣CVE-2021-44906
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- handlebars-4.6.0.tgz (Root Library)
- bunyan-1.8.14.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🟣CVE-2022-37598
Vulnerable Library - uglify-js-3.12.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.12.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- handlebars-4.6.0.tgz (Root Library)
- ❌ uglify-js-3.12.0.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: Oct 20, 2022 12:00 AM
URL: CVE-2022-37598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: none listed
Release Date: none listed
Fix Resolution : none listed; the vendor considers the report invalid (see the note above) and the scanner records no fixed version
🟠CVE-2020-7598
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- handlebars-4.6.0.tgz (Root Library)
- bunyan-1.8.14.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `constructor` or `__proto__` payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 0.2.1,minimist - 1.2.3
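Both minimist findings describe the same bug class: a key-setting routine (setKey() in the advisory text) that walks a dotted option name and follows `__proto__` or `constructor.prototype` into Object.prototype. The block below is an added illustration of that class and is not minimist's code: it is a constructed, minimal argv parser with a vulnerable setKey beside a hardened one, so the difference can be observed on a fresh object. The payload shape follows the advisory description; the function names are the example's own.

```javascript
// Added illustration of the prototype-pollution class reported against minimist
// (CVE-2020-7598 / CVE-2021-44906). This is NOT minimist's code: it is a
// constructed, minimal argv parser whose setKey() walks dotted keys the way the
// advisory describes, first in a vulnerable form and then hardened.

// Vulnerable: blindly follows whatever property the key names, so "__proto__"
// or "constructor" then "prototype" lands the write on Object.prototype.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened: refuse the three keys that reach the prototype chain, only descend
// into own properties, and create intermediates without a prototype at all.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setKeyHardened(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (FORBIDDEN.has(key)) return;
    if (!Object.prototype.hasOwnProperty.call(o, key)) o[key] = Object.create(null);
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (FORBIDDEN.has(last)) return;
  o[last] = value;
}

// Parse "--a.b.c=value", "--a.b.c value" and bare "--flag" into a nested object,
// delegating the nested write to the supplied setKey implementation.
function parseArgs(argv, setKey) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    let body = arg.slice(2);
    let value;
    const eq = body.indexOf('=');
    if (eq !== -1) {
      value = body.slice(eq + 1);
      body = body.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setKey(out, body.split('.'), value);
  }
  return out;
}

// Feed a constructed payload of the shape the advisories describe and report
// whether an unrelated, freshly created object now sees the injected property.
// Cleans up afterwards so the rest of the process is unaffected.
function isPolluted(setKey, payload = ['--__proto__.polluted=yes']) {
  parseArgs(payload, setKey);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

console.log('vulnerable parser pollutes Object.prototype:', isPolluted(setKeyVulnerable));
console.log('hardened parser pollutes Object.prototype:  ', isPolluted(setKeyHardened));
```

The hardened variant is the shape of the upstream fix for this bug class: reject the prototype-reaching keys rather than trying to sanitise values, because any write that traverses `__proto__` affects every object in the process, not just the parsed options.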
🟡CVE-2021-23369
Vulnerable Library - handlebars-4.6.0.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ handlebars-4.6.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/src/lib/notify.js (Application)
- handlebars-4.6.0/lib/index.js (Extension)
- handlebars-4.6.0/dist/cjs/handlebars.js (Extension)
-> ❌ handlebars-4.6.0/dist/cjs/handlebars/compiler/ast.js (Vulnerable Component)
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: Apr 12, 2021 01:10 PM
URL: CVE-2021-23369
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:4.0%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-f2jv-r9rf-7988
Release Date: Apr 12, 2021 01:10 PM
Fix Resolution : handlebars - 4.7.7,org.webjars:handlebars:4.7.7,org.webjars.npm:handlebars:4.7.7
🟡CVE-2021-23383
Vulnerable Library - handlebars-4.6.0.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ handlebars-4.6.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: May 04, 2021 08:35 AM
URL: CVE-2021-23383
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:5.9%
Score: 2.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-765h-qjxv-5f44
Release Date: May 04, 2021 08:35 AM
Fix Resolution : handlebars - 4.7.7