JENKINS-70496: Upgrade Handlebars to >= 4.7.7 to fix CVE-2021-23369

We require a newer version of Handlebars for this plugin, as this has a critical vulnerability which blocks us from using this on our Jenkins cluster.

The CVE is detailed here, where the fix requires updating from 2.0.0 to >= 4.7.7.

https://nvd.nist.gov/vuln/detail/CVE-2021-23369

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

The script can be found here:

https://github.com/jenkinsci/test-results-analyzer-plugin/blob/test-results-analyzer-0.3.5/src/main/webapp/js/handlebars-v2.0.0.js

Thank you for your attention to this matter.
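An added inventory check (not part of the issue or of the plugin's code) that finds bundled Handlebars copies below the 4.7.7 fix named above, so an administrator can confirm which installed plugins still ship an affected build. It assumes Handlebars dist files carry the usual `handlebars vX.Y.Z` banner or a `VERSION = "X.Y.Z"` constant, and falls back to a `handlebars-vX.Y.Z.js` filename like the one linked in the issue; the scan root (for example the exploded plugin directories under `$JENKINS_HOME/plugins`) is an assumption.

```python
"""Flag bundled Handlebars copies older than the CVE-2021-23369 fix (4.7.7)."""
import re
from pathlib import Path

FIXED_VERSION = (4, 7, 7)  # first release that fixes CVE-2021-23369 (from the issue)

# Version markers tried in order: the banner at the top of a dist file, the
# VERSION constant anywhere in the file (also present in minified builds),
# and finally the filename pattern used by the plugin (handlebars-v2.0.0.js).
_BANNER_RE = re.compile(r"handlebars\s+v(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
_VERSION_RE = re.compile(r"VERSION\s*=\s*['\"](\d+)\.(\d+)\.(\d+)['\"]")
_FILENAME_RE = re.compile(r"handlebars-v(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$")

# Constructed sample mimicking the banner of a Handlebars 2.0.0 dist file.
SAMPLE_BANNER = "/*!\n\n handlebars v2.0.0\n\nCopyright (C) 2011-2014 by Yehuda Katz\n*/\n"


def parse_version(text, filename=""):
    """Return (major, minor, patch) for a Handlebars source, or None if unknown."""
    candidates = (
        (_BANNER_RE, text[:2000]),  # banner sits at the top of the file
        (_VERSION_RE, text),
        (_FILENAME_RE, filename),
    )
    for pattern, subject in candidates:
        match = pattern.search(subject)
        if match:
            return tuple(int(part) for part in match.groups())
    return None


def is_vulnerable(version):
    """True when a parsed version predates the fixed release."""
    return version is not None and version < FIXED_VERSION


def scan(root):
    """Yield (path, version, vulnerable) for every handlebars*.js under root."""
    for path in Path(root).rglob("handlebars*.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        version = parse_version(text, path.name)
        yield str(path), version, is_vulnerable(version)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed: $JENKINS_HOME/plugins
    for path, version, vulnerable in scan(root):
        print(("VULNERABLE " if vulnerable else "ok         ") + f"{path} {version}")
```

Files whose version cannot be determined are reported with `None` rather than flagged, so review those by hand rather than treating them as clean.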

       

Assignee: Unassigned
Reporter: Tom Lorentsen (tomdevops)