CVE-2021-23358
Arbitrary Code Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
4Exploited in Wild
-Decision
Descriptions
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
El paquete underscore desde la versión 1.13.0-0 y anterior a la versión 1.13.0-2, desde la versión 1.3.2 y anterior a la versión 1.12.1, son vulnerables a una ejecución de código arbitraria por medio de la función template, particularmente cuando una propiedad variable es pasada como un argumento ya que no es saneado
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2021-01-08 CVE Reserved
- 2021-03-29 CVE Published
- 2024-08-01 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (17)
URL | Date | SRC |
---|---|---|
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504 | 2024-09-17 | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505 | 2024-09-17 | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503 | 2024-09-17 | |
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 | 2024-09-17 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Underscorejs Search vendor "Underscorejs" | Underscore Search vendor "Underscorejs" for product "Underscore" | >= 1.3.2 < 1.12.1 Search vendor "Underscorejs" for product "Underscore" and version " >= 1.3.2 < 1.12.1" | node.js |
Affected
| ||||||
Underscorejs Search vendor "Underscorejs" | Underscore Search vendor "Underscorejs" for product "Underscore" | >= 1.13.0-0 < 1.13.0-2 Search vendor "Underscorejs" for product "Underscore" and version " >= 1.13.0-0 < 1.13.0-2" | node.js |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Tenable Search vendor "Tenable" | Tenable.sc Search vendor "Tenable" for product "Tenable.sc" | <= 5.18.0 Search vendor "Tenable" for product "Tenable.sc" and version " <= 5.18.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
|