// For flags

CVE-2021-23358

Arbitrary Code Injection

Severity Score

7.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

6
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

El paquete underscore desde la versión 1.13.0-0 y anterior a la versión 1.13.0-2, desde la versión 1.3.2 y anterior a la versión 1.12.1, son vulnerables a una ejecución de código arbitraria por medio de la función template, particularmente cuando una propiedad variable es pasada como un argumento ya que no es saneado

A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Red Hat Advanced Cluster Management for Kubernetes 2.0.10 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which resolve some security issues and bugs. Issues addressed include a code execution vulnerability.

*Credits: Alessio Della Libera (@d3lla)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2021-01-08 CVE Reserved
  • 2021-03-29 CVE Published
  • 2024-07-12 First Exploit
  • 2024-09-17 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (19)
URL Tag Source
https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71 Broken Link
https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E Mailing List
https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E Mailing List
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html Mailing List
https://www.tenable.com/security/tns-2021-14 Third Party Advisory
URL Date SRC
https://github.com/EkamSinghWalia/Detection-script-for-cve-2021-23358 2024-11-10
https://github.com/MehdiBoukhobza/SandBox_CVE-2021-23358 2024-07-12
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504 2024-09-17
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505 2024-09-17
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503 2024-09-17
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 2024-09-17
URL Date SRC
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV 2023-11-07
https://www.debian.org/security/2021/dsa-4883 2023-11-07
https://access.redhat.com/security/cve/CVE-2021-23358 2022-09-08
https://bugzilla.redhat.com/show_bug.cgi?id=1944286 2022-09-08
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Underscorejs
Search vendor "Underscorejs"
 Underscore
Search vendor "Underscorejs" for product "Underscore"
 >= 1.3.2 < 1.12.1
Search vendor "Underscorejs" for product "Underscore" and version " >= 1.3.2 < 1.12.1"
node.js
Affected
Underscorejs
Search vendor "Underscorejs"
 Underscore
Search vendor "Underscorejs" for product "Underscore"
 >= 1.13.0-0 < 1.13.0-2
Search vendor "Underscorejs" for product "Underscore" and version " >= 1.13.0-0 < 1.13.0-2"
node.js
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Tenable
Search vendor "Tenable"
 Tenable.sc
Search vendor "Tenable" for product "Tenable.sc"
 <= 5.18.0
Search vendor "Tenable" for product "Tenable.sc" and version " <= 5.18.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected