- New Feature
- Resolution: Unresolved
- Critical
- None
We require a newer version of Handlebars for this plugin as this has a critical vulnerability which blocks us from using this on our Jenkins Cluster.
The CVE is detailed here where the fix requires updating from 2.0.0 to >= 4.7.7.
https://nvd.nist.gov/vuln/detail/CVE-2021-23369
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
The script can be found here:
Thank you for your attention to this matter.
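The following is an added example, not part of this issue or of the plugin's code: a small Node.js check that walks the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3) and flags every `handlebars` entry, direct or nested, whose version is below the 4.7.7 fix level cited above for CVE-2021-23369. The lockfile contents are constructed for the example (the `2.0.0` entry mirrors the version mentioned in the issue); the path layout and `version` field follow npm's real lockfile format, and the semver comparison is a minimal one written here rather than the `semver` package.

```javascript
// Added example (not from the issue or the plugin): report handlebars entries
// below the CVE-2021-23369 fix version in an npm package-lock.json object.
// Plain Node.js, no third-party dependencies.

const FIXED_VERSION = "4.7.7"; // fix level named in the issue

// Minimal semver comparison for "MAJOR.MINOR.PATCH[-prerelease]" strings.
// Returns a negative number if a < b, 0 if equal, positive if a > b.
// A pre-release of a version sorts below the release itself, so
// "4.7.7-rc.1" is still treated as not yet fixed.
function compareSemver(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split("-");
    return {
      nums: core.split(".").map((n) => parseInt(n, 10) || 0),
      pre: pre !== undefined,
    };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

// Walk the "packages" map of a lockfile object. Keys are install paths such as
// "node_modules/handlebars" or "node_modules/foo/node_modules/handlebars";
// the package name is whatever follows the last "node_modules/". The root
// project entry has the key "" and is skipped.
function findVulnerableHandlebars(lock, fixed = FIXED_VERSION) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;
    const name = path.slice(idx + marker.length);
    if (name !== "handlebars" || typeof meta.version !== "string") continue;
    if (compareSemver(meta.version, fixed) < 0) {
      findings.push({ path, version: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct handlebars at the old 2.0.0 level,
// one nested copy already at the fixed level, and an unrelated package.
const SAMPLE_LOCK = {
  name: "example-plugin-frontend",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-plugin-frontend", version: "1.0.0" },
    "node_modules/handlebars": { version: "2.0.0" },
    "node_modules/some-tool": { version: "3.1.4" },
    "node_modules/some-tool/node_modules/handlebars": { version: "4.7.7" },
  },
};

// Usage: run against the constructed lockfile and print the findings.
const sampleFindings = findVulnerableHandlebars(SAMPLE_LOCK);
if (sampleFindings.length === 0) {
  console.log("no handlebars below " + FIXED_VERSION + " found");
} else {
  for (const f of sampleFindings) {
    console.log(`${f.path}: handlebars ${f.version} < ${f.fixed} (CVE-2021-23369)`);
  }
}
```

To check a real plugin, load the lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the object to `findVulnerableHandlebars`; nested copies pulled in by other dependencies are reported too, since each install path is inspected separately. Note that this only covers dependencies declared through npm; a handlebars build vendored into the plugin's resources as a plain file would have to be checked by inspecting that file's version banner.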
tomdevops, the plugin is up for adoption. There is no active maintainer of the plugin.
If the plugin is important to your organization, please ask your organization to let you adopt the plugin, modernize it, and release a new version (manually or automatically).
You may want to consider replacing the internal dependency on handlebars with something different. Work has been done to remove handlebars in other locations. This may be a good place to consider its removal from this plugin.