The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: User     Interface (UnderscoreJS)). Supported versions that are affected are 18.8, 19.12, 20.12, 21.12 and 22.12.
    Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to     compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read access     to a subset of Primavera Unifier accessible data. (CVE-2021-23358)     
  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Event     Streams and Communications (Apache Kafka)). Supported versions that are affected are 18.8, 19.12, 20.12,     21.12 and 22.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Unifier.
    (CVE-2022-34917)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Document     Management (jackson-databind)). Supported versions that are affected are 18.8, 19.12, 20.12, 21.12 and     22.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to     compromise Primavera Unifier. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Primavera Unifier. (CVE-2022-42003)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6393 advisory.

  - jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

  - jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods     (CVE-2020-11023)

  - springframework: malicious input leads to insertion of additional log entries (CVE-2021-22096)

  - nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

  - ovirt-log-collector: RHVM admin password is logged unfiltered (CVE-2022-2806)

  - moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.x prior to 10.1.0, or 8.x prior to 8.15.3. It is, therefore, affected by a vulnerability in a third-party library:

  - The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary     Code Injection via the template function, particularly when a variable property is passed as an argument as it is     not sanitized. (CVE-2021-23358)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

According to its self-reported version number, Underscore.js is 1.3.2 prior to 1.12.1 or 1.13.x prior to 1.13.0-2. Therefore, it may be affected by an arbitrary code injection via the template function when the variable option is taken from _.templateSettings.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is less than 5.19.0 and is therefore affected by multiple vulnerabilities in the following components: 
  - Apache FOP
  - Underscore
  - Handlebars
  - PHP
  - sqlite

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2865 advisory.

  - nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  - nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

  - nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

  - nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for nodejs-underscore fixes the following issues :

Update version to 1.13.1

  - Fix security issue (boo#1184800, CVE-2021-23358)

  - Fix bugs

  - Many new features

The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4913-2 advisory.

  - The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to     Arbitrary Code Injection via the template function, particularly when a variable property is passed as an     argument as it is not sanitized. (CVE-2021-23358)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a vulnerability as referenced in the USN-4913-1 advisory.

  - The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to     Arbitrary Code Injection via the template function, particularly when a variable property is passed as an     argument as it is not sanitized. (CVE-2021-23358)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.

node-underscore and libjs-underscore are vulnerable to Arbitrary Code Execution via the template function, particulary when a variable property is passed as an argument as it is not sanitized.

For Debian 9 stretch, this problem has been fixed in version 1.8.3~dfsg-1+deb9u1.

We recommend that you upgrade your underscore packages.

For the detailed security status of underscore please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/underscore

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
170193	Oracle Primavera Unifier (Jan 2023 CPU)	Nessus	CGI abuses	high
164843	RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and (RHSA-2022:6393)	Nessus	Red Hat Local Security Checks	high
157339	Tenable Nessus 10.x < 10.1.0 / 8.x < 8.15.3 Third-Party Vulnerability (TNS-2022-04)	Nessus	Misc.	high
112983	Underscore.js 1.13.x < 1.13.0-2 Arbitrary Code Injection	Web App Scanning	Component Vulnerability	high
112982	Underscore.js 1.3.2 < 1.12.1 Arbitrary Code Injection	Web App Scanning	Component Vulnerability	high
152986	Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)	Nessus	Misc.	critical
152005	RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.7] (Moderate) (RHSA-2021:2865)	Nessus	Red Hat Local Security Checks	high
149613	openSUSE Security Update : nodejs-underscore (openSUSE-2021-601)	Nessus	SuSE Local Security Checks	high
149044	Ubuntu 21.04 : Underscore vulnerability (USN-4913-2)	Nessus	Ubuntu Local Security Checks	high
148555	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Underscore vulnerability (USN-4913-1)	Nessus	Ubuntu Local Security Checks	high
148300	Debian DSA-4883-1 : underscore - security update	Nessus	Debian Local Security Checks	high
148275	Debian DLA-2613-1 : underscore security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-23358

high

Tenable Plugins

high

high

high

high

high

critical

high

high

high

high

high

high