Published: 29/03/2021 Updated: 07/11/2023

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2

VMScore: 580

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

The package underscore from 1.13.0-0 and prior to 1.13.0-2, from 1.3.2 and prior to 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Vulnerable Product	Search on Vulmon	Subscribe to Product
underscorejs underscore
debian debian linux 9.0
debian debian linux 10.0
tenable tenable.sc
fedoraproject fedora 33
fedoraproject fedora 34

Debian Bug report logs - #986171 underscore: CVE-2021-23358 Package: src:underscore; Maintainer for src:underscore is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 30 Mar 2021 19:45:02 UTC Severity: grave Tags: security, ...

Synopsis Important: RHV Manager (ovirt-engine) [ovirt-452] bug fix and security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic Updated ovirt-engine packages that fix several bugs and add various enhancements are ...

It was discovered that missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code For the stable distribution (buster), this problem has been fixed in version 191~dfsg-1+deb10u1 We recommend that you upgrade your underscore packages For the detailed security status o ...

Nessus leverages third-party software to help provide underlying functionality One of the third-party components (Underscorejs) was found to contain a vulnerability, and an updated version has been made available by the provider Out of caution and in line with good practice, Tenable has opted to upgrade the Underscorejs component to address t ...

Tenablesc leverages third-party software to help provide underlying functionality Multiple third-party components were found to contain vulnerabilities, and updated versions have been made available by the providers Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of the ...

launchqtcreator README QtCreator is very useful for certain tasks! When working on Qt projects, there are things I find Qt Creator invaluable for -just too convenient to use anything else (almost) I often use Visual Studio Code and QtCreator together when working on c++/gui projects

Default landing pages

Splash Default landing pages Contributing Ensure that NodeJS is installed If not, you can download it here Ensure that Git is installed Preparing the dev environment Clone the repository and enter the directory git clone githubcom/ghifari160/splash cd splash Install all dependencies for this project npm i

CVEcrystalyer CVE tool to help with getting CVE details needed for reporting Tool uses reitre-jshtml as input, it will parse all of the CVE-s and grab the details from NVD and print them in terminal for copy/paste /CVEcrystalyer -h -c NAME Single CVE | Multiple CVE-s separated with ',' -> -c CVE-XXX-XXXX,CV

Detection script for cve-2021-23358

Detection-script-for-cve-2021-23358 Detection script for cve-2021-23358 I have created a Detection script for CVE-2021-23358 , which will detect the vulnerable version of node underscore be it installed as an open-source tool or just the libraries are being used This script has three features, It will detect the versions of underscore from Using the direct npm command Version

Demonstrating the Arbitrary Code Injection vulnerability in Underscore v1.8.3

csec302-demo Demonstrating the Arbitrary Code Injection vulnerability in Underscore v183 Installation and running Clone repo: git clone Open repo and cd into /broken/underscore-183 Install required packages: npm i Run mainjs: node mainjs Testing Underscore 183 is vulnerable to arbitrary code injection via its template function, similarly to lodash The difference betwee

CWE-94 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505 https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71 https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503 https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html https://www.debian.org/security/2021/dsa-4883 https://www.tenable.com/security/tns-2021-14 https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171 https://nvd.nist.gov https://github.com/Ghifari160/splash https://www.debian.org/security/2021/dsa-4883

CVE-2021-23358

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect