CVE-2021-23358 — Code Injection in Underscore

CWE-94 — Code Injection12 documents9 sources

Severity

7.2HIGHNVD

CNA3.3

EPSS

1.1%

top 22.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Underscorejs Underscore Tenable Tenable.sc Debian Linux +1 more

Timeline

PublishedMar 29

Latest updateOct 15

Description

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5underscorejs/underscore1.13.0-0 — unspecified+3

▶NVDunderscorejs/underscore1.3.2 — 1.12.1+1

▶npmunderscorejs/underscore1.3.2 — 1.12.1

▶Debianunderscorejs/underscore< 1.9.1~dfsg-2+3

▶NVDtenable/tenable.sc5.18.0

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34

🔴Vulnerability Details

OSV

Arbitrary Code Execution in underscore↗2021-05-06

▶

GHSA

Arbitrary Code Execution in underscore↗2021-05-06

▶

OSV

CVE-2021-23358: The package underscore from 1↗2021-03-29

▶

CVEList

Arbitrary Code Injection↗2021-03-29

▶

📋Vendor Advisories

Oracle

Oracle Oracle Commerce Risk Matrix: Business Control Center (underscore) — CVE-2021-23358↗2024-10-15

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: User Interface (UnderscoreJS) — CVE-2021-23358↗2023-01-15

▶

Ubuntu

Underscore vulnerability↗2021-04-28

▶

Ubuntu

Underscore vulnerability↗2021-04-14

▶

Red Hat

nodejs-underscore: Arbitrary code execution via the template function↗2021-03-29

▶