Upgrade handlebars to version 4.3.0 or later

Description

As reported by GitHub:

Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.

Details

CVE-2019-19919

high severity

*Vulnerable versions:* < 4.3.0

*Patched version:* 4.3.0

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Environment

None

Potential Workaround

None

Activity

Igor Godlevskyi January 31, 2020 at 1:30 PM

The resolved version in yarn.json is 4.5.2, so closing this security alert as inaccurate.

Done
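The resolution above rests on checking which handlebars version the lockfile actually resolves. As an added example (not part of the ticket or of any project code), the following Node script parses a constructed yarn.lock v1 fragment, lists every resolved handlebars entry and flags those below the advisory's patched version 4.3.0; the lockfile text and the helper names are assumptions.

```javascript
// Added example (not from the ticket): list every resolved handlebars version in a
// yarn.lock v1 file and flag those below the patched version. Lockfile text is constructed.
const SAMPLE_YARN_LOCK = `
handlebars@^4.0.0, handlebars@^4.1.2:
  version "4.5.2"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.5.2.tgz"
  dependencies:
    neo-async "^2.6.0"

"handlebars@~4.1.0":
  version "4.1.2"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.2.tgz"
`;

const PATCHED_VERSION = "4.3.0"; // from the advisory (CVE-2019-19919)

// Split "major.minor.patch[-prerelease]" into numbers; the pre-release tag is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// True when version a is greater than or equal to version b.
function atLeast(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) > (y[i] || 0);
  }
  return true;
}

// A v1 lockfile entry starts with an unindented `name@range:` header (several
// ranges may share one header) and its first indented line is `version "x.y.z"`.
function resolvedHandlebarsVersions(lockText) {
  const found = [];
  let entry = null;
  for (const line of lockText.split("\n")) {
    if (/^"?handlebars@.*:$/.test(line)) { entry = line.replace(/:$/, ""); continue; }
    if (!line.startsWith(" ")) entry = null; // any other unindented line ends the entry
    const m = entry && line.match(/^\s+version "([^"]+)"/);
    if (m) { found.push({ entry, version: m[1] }); entry = null; }
  }
  return found;
}

// Entries whose resolved version is still below the patched release.
function vulnerableHandlebarsEntries(lockText) {
  return resolvedHandlebarsVersions(lockText).filter(r => !atLeast(r.version, PATCHED_VERSION));
}

console.log(vulnerableHandlebarsEntries(SAMPLE_YARN_LOCK));
```

A lockfile may pin several handlebars versions at once, so every entry has to clear 4.3.0, not just the first one found.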

Details

Development Team

Spitfire

Created January 2, 2020 at 7:41 PM
Updated January 31, 2020 at 1:31 PM
Resolved January 31, 2020 at 1:31 PM