CVE 2019-19919 for bootstrap-wysihtml5-rails (#719)

rubysec · Nov 23, 2023 · 09cecd9 · 09cecd9
1 parent b9dc219
commit 09cecd9
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml b/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
@@ -0,0 +1,20 @@
+---
+gem: bootstrap-wysihtml5-rails
+cve: 2019-19919
+ghsa: w457-6q6x-cgp9
+url: https://github.com/advisories/GHSA-w457-6q6x-cgp9
+title: Prototype Pollution in handlebars
+date: 2019-12-26
+description: |
+  The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.
+  Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.
+
+  Versions Affected: 0.3.3.5-0.3.3.8
+  Not affected: < 0.3.3.5
+  Fixed Versions: None
+
+  Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.
+  Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute
+  arbitrary code through crafted payloads.
+unaffected_versions:
+  - "< 0.3.3.5"