CVE-2021-23358: Arbitrary Code Injection
First published: Mon Mar 29 2021(Updated: )
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ovirt-engine-ui-extensions | <0:1.2.7-1.el8e | 0:1.2.7-1.el8e |
| redhat/ovirt-web-ui | <0:1.9.1-1.el8e | 0:1.9.1-1.el8e |
| debian/underscore | 1.9.1~dfsg-1+deb10u1 1.9.1~dfsg-3 1.13.4~dfsg+~1.11.4-3 | |
| Underscorejs Underscore | >=1.3.2<1.12.1 | |
| Underscorejs Underscore | >=1.13.0-0<1.13.0-2 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Tenable Tenable.sc | <=5.18.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| npm/underscore | >=1.3.2<1.12.1 | 1.12.1 |
| redhat/underscore 1.13.0 | <2 | 2 |
| redhat/underscore | <1.12.1 | 1.12.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23358 https://nvd.nist.gov/vuln/detail/CVE-2021-23358
- https://bugzilla.redhat.com/show_bug.cgi?id=1944286
- https://access.redhat.com/errata/RHSA-2021:2865
- https://access.redhat.com/errata/RHSA-2022:6393
- https://access.redhat.com/security/cve/cve-2021-23358
- https://security-tracker.debian.org/tracker/CVE-2021-23358
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://salsa.debian.org/js-team/underscore/-/commit/32351ba38b7e69e0cee1010cbbea60446f57d4c8
- https://bugs.debian.org/986171
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171
- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71
- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
- https://www.debian.org/security/2021/dsa-4883
- https://www.tenable.com/security/tns-2021-14
- https://nvd.nist.gov/vuln/detail/CVE-2021-23358
- https://github.com/jashkenas/underscore/pull/2917
- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66
- https://github.com/jashkenas/underscore/releases/tag/1.12.1
- https://www.npmjs.com/package/underscore
- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq (Advisory)
- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
- https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1944288
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1944287
- https://access.redhat.com/errata/RHSA-2021:1448
- https://access.redhat.com/errata/RHSA-2021:1499
- https://exchange.xforce.ibmcloud.com/vulnerabilities/198958
- https://www.ibm.com/support/pages/node/7156941 (Advisory)
Frequently Asked Questions
What is CVE-2021-23358?
CVE-2021-23358 is a vulnerability in the underscore package in versions 1.13.0-0 and before 1.13.0-2 and in versions 1.3.2 and before 1.12.1. It allows for arbitrary code execution via the template function.
How does CVE-2021-23358 impact data confidentiality and integrity?
CVE-2021-23358 has a high impact on data confidentiality and integrity as it allows for arbitrary code execution, which can potentially lead to unauthorized access and manipulation of data.
What is the severity of CVE-2021-23358?
CVE-2021-23358 has a severity rating of high with a score of 7 based on the Common Vulnerability Scoring System (CVSS).
How can I fix CVE-2021-23358?
To fix CVE-2021-23358, upgrade the underscore package to version 1.13.0-2 or higher if you are using versions 1.13.0-0 to 1.13.0-2. If you are using versions 1.3.2 to 1.12.1, upgrade to a version higher than 1.12.1.
Where can I find more information about CVE-2021-23358?
You can find more information about CVE-2021-23358 on the GitHub page for the underscore package (https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71) and on Snyk (https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504 and https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505).
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2021-23358
- collector/security-tracker-debian
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-cf4h-3jhx-xvhq
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- agent/references
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event
- package-manager/redhat
- package-manager/debian
- vendor/underscorejs
- canonical/underscorejs underscore
- version/underscorejs underscore/1.3.2
- version/underscorejs underscore/1.13.0-0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/tenable
- canonical/tenable tenable.sc
- version/tenable tenable.sc/5.18.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- package-manager/npm
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp3