Lucene search

[email protected]NVD:CVE-2021-23358

HistoryMar 29, 2021 - 2:15 p.m.

CVE-2021-23358

2021-03-2914:15:18

CWE-94

[email protected]

web.nvd.nist.gov

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.013 Low

EPSS

Percentile

86.0%

JSON

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Affected configurations

NVD

Node

underscorejsunderscoreRange1.3.2–1.12.1node.js

underscorejsunderscoreRange1.13.0-0–1.13.0-2node.js

Node

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

tenabletenable.scRange≤5.18.0

Node

fedoraprojectfedoraMatch33

fedoraprojectfedoraMatch34

References

github.com/jashkenas/underscore/blob/master/modules/template.js%23L71

lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E

lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E

lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E

lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E

lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E

lists.debian.org/debian-lts-announce/2021/03/msg00038.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503

snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

www.debian.org/security/2021/dsa-4883

www.tenable.com/security/tns-2021-14

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.013 Low

EPSS

Percentile

86.0%

JSON

Related for NVD:CVE-2021-23358

fedora2 atlassian10 veracode1 ibm11 openvas9 debian2 nessus17 redhatcve1 osv5 suse1 ubuntu2 nodejs1 cve1 ubuntucve1 github1 debiancve1 mageia1 prion1 cvelist1 githubexploit1 tenable1 redhat4 oracle1