GitHub Advisory DatabaseGHSA-CF4H-3JHX-XVHQArbitrary Code Execution in underscore
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.8%
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
| CPE | Name | Operator | Version |
|---|---|---|---|
| underscore | lt | 1.12.1 |
References
github.com/advisories/GHSA-cf4h-3jhx-xvhq
github.com/jashkenas/underscore/blob/master/modules/template.js%23L71
github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66
github.com/jashkenas/underscore/pull/2917
github.com/jashkenas/underscore/releases/tag/1.12.1
lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E
lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E
lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E
lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E
lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E
lists.debian.org/debian-lts-announce/2021/03/msg00038.html
lists.fedoraproject.org/archives/list/[email protected]/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
lists.fedoraproject.org/archives/list/[email protected]/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
nvd.nist.gov/vuln/detail/CVE-2021-23358
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
www.debian.org/security/2021/dsa-4883
www.npmjs.com/package/underscore
www.tenable.com/security/tns-2021-14
Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.8%