CGA-qg5r-xjc2-5x24

Published

Last updated

https://images.chainguard.dev/security/CGA-qg5r-xjc2-5x24

Package

code-server

RepositoryWolfi

Latest Update

Not affected

Aliases

CVE-2019-19919
GHSA-w457-6q6x-cgp9

Severity

Unknown

Summary

Prototype Pollution in handlebars

Description

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-19919
https://github.com/advisories/GHSA-w457-6q6x-cgp9
https://github.com/wycats/handlebars.js/issues/1558
https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
https://github.com/wycats/handlebars.js
https://www.tenable.com/security/tns-2021-14

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-qg5r-xjc2-5x24

Severity

Summary

Description

Recommendation

References

Updates

Products

Why Chainguard

Customers

Company

Resources