VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-mb2f-kmzq-aaad

Essentials
Severities (106)
References (21)
Severity details (21)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-mb2f-kmzq-aaad
Aliases	CVE-2021-23369 GHSA-f2jv-r9rf-7988
Summary	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-94	Improper Control of Generation of Code ('Code Injection')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:2500
rhas	Important	https://access.redhat.com/errata/RHSA-2021:3016
rhas	Low	https://access.redhat.com/errata/RHSA-2021:4032
rhas	Low	https://access.redhat.com/errata/RHSA-2021:4628
cvssv3	9.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.04324	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.0748	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.08485	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.08485	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.08485	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.09660	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.13200	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.14935	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.14935	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.14935	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.14935	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.14935	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
epss	0.22539	https://api.first.org/data/v1/epss?cve=CVE-2021-23369
rhbs	medium	https://bugzilla.redhat.com/show_bug.cgi?id=1948761
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-f2jv-r9rf-7988
cvssv3.1	9.8	https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
generic_textual	CRITICAL	https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
cvssv3.1	9.8	https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
generic_textual	CRITICAL	https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
cvssv3.1	9.8	https://github.com/wycats/handlebars.js
generic_textual	CRITICAL	https://github.com/wycats/handlebars.js
cvssv2	7.5	https://nvd.nist.gov/vuln/detail/CVE-2021-23369
cvssv3	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-23369
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-23369
cvssv3.1	9.8	https://security.netapp.com/advisory/ntap-20210604-0008
generic_textual	CRITICAL	https://security.netapp.com/advisory/ntap-20210604-0008
cvssv3.1	9.8	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
generic_textual	CRITICAL	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
cvssv3.1	9.8	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
generic_textual	CRITICAL	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
cvssv3.1	9.8	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
generic_textual	CRITICAL	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
cvssv3.1	9.8	https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
generic_textual	CRITICAL	https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-23369
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
		https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
		https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
		https://github.com/wycats/handlebars.js
		https://security.netapp.com/advisory/ntap-20210604-0008
		https://security.netapp.com/advisory/ntap-20210604-0008/
		https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
		https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
		https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
		https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
1948761		https://bugzilla.redhat.com/show_bug.cgi?id=1948761
cpe:2.3:a:handlebarsjs:handlebars::::::node.js::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:handlebarsjs:handlebars::::::node.js::*
CVE-2021-23369		https://nvd.nist.gov/vuln/detail/CVE-2021-23369
GHSA-f2jv-r9rf-7988		https://github.com/advisories/GHSA-f2jv-r9rf-7988
RHSA-2021:2500		https://access.redhat.com/errata/RHSA-2021:2500
RHSA-2021:3016		https://access.redhat.com/errata/RHSA-2021:3016
RHSA-2021:4032		https://access.redhat.com/errata/RHSA-2021:4032
RHSA-2021:4628		https://access.redhat.com/errata/RHSA-2021:4628
RHSA-2023:1334		https://access.redhat.com/errata/RHSA-2023:1334

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/wycats/handlebars.js

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23369

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23369

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23369

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20210604-0008

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.87837
EPSS Score	0.04324
Published At	March 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.