// For flags

CVE-2021-23358

Arbitrary Code Injection

Severity Score

7.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

4
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

El paquete underscore desde la versión 1.13.0-0 y anterior a la versión 1.13.0-2, desde la versión 1.3.2 y anterior a la versión 1.12.1, son vulnerables a una ejecución de código arbitraria por medio de la función template, particularmente cuando una propiedad variable es pasada como un argumento ya que no es saneado

A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: Alessio Della Libera (@d3lla)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-01-08 CVE Reserved
  • 2021-03-29 CVE Published
  • 2024-08-01 EPSS Updated
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (17)
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Underscorejs
Search vendor "Underscorejs"
Underscore
Search vendor "Underscorejs" for product "Underscore"
>= 1.3.2 < 1.12.1
Search vendor "Underscorejs" for product "Underscore" and version " >= 1.3.2 < 1.12.1"
node.js
Affected
Underscorejs
Search vendor "Underscorejs"
Underscore
Search vendor "Underscorejs" for product "Underscore"
>= 1.13.0-0 < 1.13.0-2
Search vendor "Underscorejs" for product "Underscore" and version " >= 1.13.0-0 < 1.13.0-2"
node.js
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Tenable
Search vendor "Tenable"
Tenable.sc
Search vendor "Tenable" for product "Tenable.sc"
<= 5.18.0
Search vendor "Tenable" for product "Tenable.sc" and version " <= 5.18.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected