CVE-2021-23358

Severity: high

Description

The package underscore, from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, because that value is not sanitized.

References

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505

https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71

https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503

https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html

https://www.debian.org/security/2021/dsa-4883

https://lists.apache.org/thread.html/[email protected]%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.cordova.apache.org%3E

https://www.tenable.com/security/tns-2021-14

https://lists.fedoraproject.org/archives/list/[email protected]/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/

https://lists.fedoraproject.org/archives/list/[email protected]/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/

Details

Source: MITRE

Published: 2021-03-29

Updated: 2021-09-22

Type: CWE-94

Risk Information

CVSS v2

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 7.2

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.2

Severity: HIGH

Tenable Plugins (10 total)

ID     | Name                                                                                                   | Product                  | Family                          | Severity
-------|--------------------------------------------------------------------------------------------------------|--------------------------|---------------------------------|---------
112983 | Underscore.js 1.13.x < 1.13.0-2 Arbitrary Code Injection                                               | Web Application Scanning | Component Vulnerability         | high
112982 | Underscore.js 1.3.2 < 1.12.1 Arbitrary Code Injection                                                  | Web Application Scanning | Component Vulnerability         | high
152986 | Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)                                 | Nessus                   | Misc.                           | high
152005 | RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.7] (Moderate) (RHSA-2021:2865)          | Nessus                   | Red Hat Local Security Checks   | high
151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated)                                | Nessus                   | Misc.                           | high
149613 | openSUSE Security Update : nodejs-underscore (openSUSE-2021-601)                                       | Nessus                   | SuSE Local Security Checks      | high
149044 | Ubuntu 21.04 : Underscore vulnerability (USN-4913-2)                                                   | Nessus                   | Ubuntu Local Security Checks    | high
148555 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Underscore vulnerability (USN-4913-1)               | Nessus                   | Ubuntu Local Security Checks    | high
148300 | Debian DSA-4883-1 : underscore - security update                                                       | Nessus                   | Debian Local Security Checks    | high
148275 | Debian DLA-2613-1 : underscore security update                                                         | Nessus                   | Debian Local Security Checks    | high