Critical severityNVD Advisory· Published Dec 20, 2019· Updated Aug 5, 2024
CVE-2019-19919
CVE-2019-19919
Description
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
handlebarsnpm | >= 4.0.0, < 4.3.0 | 4.3.0 |
bootstrap-wysihtml5-railsRubyGems | >= 0.3.3.5, <= 0.3.3.8 | — |
handlebarsnpm | < 3.0.8 | 3.0.8 |
Affected products
113- handlebars/handlebarsdescription
- osv-coords112 versionspkg:apk/chainguard/code-serverpkg:apk/chainguard/code-server-compatpkg:apk/chainguard/gitlab-rails-ce-18.1pkg:apk/chainguard/gitlab-rails-ce-18.2pkg:apk/chainguard/gitlab-rails-ce-18.3pkg:apk/chainguard/gitlab-rails-ce-18.4pkg:apk/chainguard/gitlab-rails-ce-18.5pkg:apk/chainguard/gitlab-rails-ce-18.6pkg:apk/chainguard/gitlab-rails-ce-18.7pkg:apk/chainguard/gitlab-rails-ce-assets-18.1pkg:apk/chainguard/gitlab-rails-ce-assets-18.11pkg:apk/chainguard/gitlab-rails-ce-assets-18.2pkg:apk/chainguard/gitlab-rails-ce-assets-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-18.4pkg:apk/chainguard/gitlab-rails-ce-assets-18.5pkg:apk/chainguard/gitlab-rails-ce-assets-18.6pkg:apk/chainguard/gitlab-rails-ce-assets-18.7pkg:apk/chainguard/gitlab-rails-ce-assets-18.8pkg:apk/chainguard/gitlab-rails-ce-assets-18.9pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.11pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.2pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.4pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.7pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.8pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.9pkg:apk/chainguard/gitlab-rails-ce-doc-18.1pkg:apk/chainguard/gitlab-rails-ce-doc-18.2pkg:apk/chainguard/gitlab-rails-ce-doc-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-18.4pkg:apk/chainguard/gitlab-rails-ce-doc-18.5pkg:apk/chainguard/gitlab-rails-ce-doc-18.6pkg:apk/chainguard/gitlab-rails-ce-doc-18.7pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.2pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.4pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.7pkg:apk/chainguard/gitlab-rails-ce-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-fips-18.2pkg:apk/chainguard/gitlab-rails-ce-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-fips-18.4pkg:apk/chainguard/gitlab-rails-ce-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-fips-18.7pkg:apk/chainguard/gitlab-rails-ee-17.0pkg:apk/chainguard/gitlab-rails-ee-17.1pkg:apk/chainguard/gitlab-rails-ee-17.10pkg:apk/chainguard/gitlab-rails-ee-17.11pkg:apk/chainguard/gitlab-rails-ee-17.2pkg:apk/chainguard/gitlab-rails-ee-17.3pkg:apk/chainguard/gitlab-rails-ee-17.4pkg:apk/chainguard/gitlab-rails-ee-17.6pkg:apk/chainguard/gitlab-rails-ee-17.7pkg:apk/chainguard/gitlab-rails-ee-17.8pkg:apk/chainguard/gitlab-rails-ee-17.9pkg:apk/chainguard/gitlab-rails-ee-assets-17.10pkg:apk/chainguard/gitlab-rails-ee-assets-17.11pkg:apk/chainguard/gitlab-rails-ee-assets-17.2pkg:apk/chainguard/gitlab-rails-ee-assets-17.3pkg:apk/chainguard/gitlab-rails-ee-assets-17.4pkg:apk/chainguard/gitlab-rails-ee-assets-17.6pkg:apk/chainguard/gitlab-rails-ee-assets-17.7pkg:apk/chainguard/gitlab-rails-ee-assets-17.8pkg:apk/chainguard/gitlab-rails-ee-assets-17.9pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.10pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.11pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.2pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.3pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.4pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.6pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.7pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.8pkg:apk/chainguard/gitlab-rails-ee-assets-fips-17.9pkg:apk/chainguard/gitlab-rails-ee-doc-17.10pkg:apk/chainguard/gitlab-rails-ee-doc-17.11pkg:apk/chainguard/gitlab-rails-ee-doc-17.2pkg:apk/chainguard/gitlab-rails-ee-doc-17.3pkg:apk/chainguard/gitlab-rails-ee-doc-17.4pkg:apk/chainguard/gitlab-rails-ee-doc-17.6pkg:apk/chainguard/gitlab-rails-ee-doc-17.7pkg:apk/chainguard/gitlab-rails-ee-doc-17.8pkg:apk/chainguard/gitlab-rails-ee-doc-17.9pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.10pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.11pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.2pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.3pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.4pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.6pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.7pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.8pkg:apk/chainguard/gitlab-rails-ee-doc-fips-17.9pkg:apk/chainguard/gitlab-rails-ee-fips-17.0pkg:apk/chainguard/gitlab-rails-ee-fips-17.1pkg:apk/chainguard/gitlab-rails-ee-fips-17.10pkg:apk/chainguard/gitlab-rails-ee-fips-17.11pkg:apk/chainguard/gitlab-rails-ee-fips-17.2pkg:apk/chainguard/gitlab-rails-ee-fips-17.3pkg:apk/chainguard/gitlab-rails-ee-fips-17.4pkg:apk/chainguard/gitlab-rails-ee-fips-17.6pkg:apk/chainguard/gitlab-rails-ee-fips-17.7pkg:apk/chainguard/gitlab-rails-ee-fips-17.8pkg:apk/chainguard/gitlab-rails-ee-fips-17.9pkg:apk/wolfi/code-serverpkg:apk/wolfi/code-server-compatpkg:gem/bootstrap-wysihtml5-railspkg:npm/handlebars
< 0+ 111 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 0.3.3.5, <= 0.3.3.8
- (no CPE)range: >= 4.0.0, < 4.3.0
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-w457-6q6x-cgp9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-19919ghsaADVISORY
- cve.mitre.org/cgi-bin/cvename.cgighsaWEB
- github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.jsghsaWEB
- github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5ghsaWEB
- github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029eeghsaWEB
- github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094dbghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.ymlghsaWEB
- github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bcghsaWEB
- github.com/wycats/handlebars.js/issues/1558ghsaWEB
- www.npmjs.com/advisories/1164mitrex_refsource_MISC
- www.tenable.com/security/tns-2021-14ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.