{"containers": {"cna": {"affected": [{"product": "underscore", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.13.0-0", "versionType": "custom"}, {"lessThan": "1.13.0-2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.3.2", "versionType": "custom"}, {"lessThan": "1.12.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Alessio Della Libera (@d3lla)"}], "datePublic": "2021-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 3, "temporalSeverity": "LOW", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Arbitrary Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-24T04:06:09", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"}, {"name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"}, {"name": "DSA-4883", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4883"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tenable.com/security/tns-2021-14"}, {"name": "FEDORA-2021-e49f936d9f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"}, {"name": "FEDORA-2021-f278299902", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}], "title": "Arbitrary Code Injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-03-29T13:13:50.579077Z", "ID": "CVE-2021-23358", "STATE": "PUBLIC", "TITLE": "Arbitrary Code Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "underscore", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.13.0-0"}, {"version_affected": "<", "version_value": "1.13.0-2"}, {"version_affected": ">=", "version_value": "1.3.2"}, {"version_affected": "<", "version_value": "1.12.1"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Alessio Della Libera (@d3lla)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Arbitrary Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"}, {"name": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", "refsource": "MISC", "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"}, {"name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"}, {"name": "DSA-4883", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4883"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E"}, {"name": "https://www.tenable.com/security/tns-2021-14", "refsource": "CONFIRM", "url": "https://www.tenable.com/security/tns-2021-14"}, {"name": "FEDORA-2021-e49f936d9f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"}, {"name": "FEDORA-2021-f278299902", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}]}}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"}, {"name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"}, {"name": "DSA-4883", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4883"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E"}, {"name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tenable.com/security/tns-2021-14"}, {"name": "FEDORA-2021-e49f936d9f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"}, {"name": "FEDORA-2021-f278299902", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}, {"url": "https://security.netapp.com/advisory/ntap-20240808-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T13:05:14.728Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T15:48:41.938375Z", "id": "CVE-2021-23358", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T15:48:53.476Z"}}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23358", "datePublished": "2021-03-29T13:15:34.770665Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-17T03:47:56.577Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html", "name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-4883", "name": "DSA-4883", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2021-14", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", "name": "FEDORA-2021-e49f936d9f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", "name": "FEDORA-2021-f278299902", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240808-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T13:05:14.728Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-23358", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-29T15:48:41.938375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T15:48:49.607Z"}}], "cna": {"title": "Arbitrary Code Injection", "credits": [{"lang": "en", "value": "Alessio Della Libera (@d3lla)"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "temporalScore": 3, "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "temporalSeverity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "underscore", "versions": [{"status": "affected", "version": "1.13.0-0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "1.13.0-2", "versionType": "custom"}, {"status": "affected", "version": "1.3.2", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "1.12.1", "versionType": "custom"}]}], "datePublic": "2021-03-29T00:00:00", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", "tags": ["x_refsource_MISC"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", "tags": ["x_refsource_MISC"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", "tags": ["x_refsource_MISC"]}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html", "name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.debian.org/security/2021/dsa-4883", "name": "DSA-4883", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.tenable.com/security/tns-2021-14", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", "name": "FEDORA-2021-e49f936d9f", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", "name": "FEDORA-2021-f278299902", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}], "descriptions": [{"lang": "en", "value": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Arbitrary Code Injection"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2021-08-24T04:06:09"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Alessio Della Libera (@d3lla)"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.13.0-0", "version_affected": ">="}, {"version_value": "1.13.0-2", "version_affected": "<"}, {"version_value": "1.3.2", "version_affected": ">="}, {"version_value": "1.12.1", "version_affected": "<"}]}, "product_name": "underscore"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", "name": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", "refsource": "MISC"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", "refsource": "MISC"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", "refsource": "MISC"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", "refsource": "MISC"}, {"url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", "name": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", "refsource": "MISC"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html", "name": "[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update", "refsource": "MLIST"}, {"url": "https://www.debian.org/security/2021/dsa-4883", "name": "DSA-4883", "refsource": "DEBIAN"}, {"url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", "name": "[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358", "refsource": "MLIST"}, {"url": "https://www.tenable.com/security/tns-2021-14", "name": "https://www.tenable.com/security/tns-2021-14", "refsource": "CONFIRM"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", "name": "FEDORA-2021-e49f936d9f", "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", "name": "FEDORA-2021-f278299902", "refsource": "FEDORA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Arbitrary Code Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-23358", "STATE": "PUBLIC", "TITLE": "Arbitrary Code Injection", "ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-03-29T13:13:50.579077Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-23358", "state": "PUBLISHED", "dateUpdated": "2024-09-17T03:47:56.577Z", "dateReserved": "2021-01-08T00:00:00", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2021-03-29T13:15:34.770665Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D9AD5E3F-19FE-436D-9772-67697CF90FA2", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "189D2A24-FEEA-4052-9EE3-DAA855476F24", "versionEndExcluding": "1.13.0-2", "versionStartIncluding": "1.13.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "04CA4C0E-255A-4763-AC31-7FE81F720EA3", "versionEndIncluding": "5.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}, {"lang": "es", "value": "El paquete underscore desde la versi\u00f3n 1.13.0-0 y anterior a la versi\u00f3n 1.13.0-2, desde la versi\u00f3n 1.3.2 y anterior a la versi\u00f3n 1.12.1, son vulnerables a una ejecuci\u00f3n de c\u00f3digo arbitraria por medio de la funci\u00f3n template, particularmente cuando una propiedad variable es pasada como un argumento ya que no es saneado"}], "id": "CVE-2021-23358", "lastModified": "2023-11-07T03:30:52.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-03-29T14:15:18.047", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4883"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2021-14"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "acmesolver-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "application-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "cainjector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "cert-manager-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "cert-manager-webhook-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "clusterlifecycle-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "configmap-watcher-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "console-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "console-header-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "endpoint-component-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "endpoint-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "grc-ui-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "grc-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "klusterlet-addon-lease-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "klusterlet-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "kui-web-terminal-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "mcm-topology-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "mcm-topology-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicloud-manager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-deployable-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-placementrule-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "multicluster-operators-subscription-release-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "openshift-hive-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "rcm-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "registration-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "registration-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "search-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1499", "cpe": "cpe:/a:redhat:acm:2.2::el7", "package": "work-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-05-04T00:00:00Z"}, {"advisory": "RHSA-2021:1448", "cpe": "cpe:/a:redhat:acm:2.0::el8", "impact": "moderate", "package": "rhacm2/acm-operator-bundle:v2.0.10-8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8", "release_date": "2021-04-28T00:00:00Z"}, {"advisory": "RHSA-2021:2865", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "ovirt-engine-ui-extensions-0:1.2.7-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2021-07-22T00:00:00Z"}, {"advisory": "RHSA-2022:6393", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "ovirt-web-ui-0:1.9.1-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2022-09-08T00:00:00Z"}], "bugzilla": {"description": "nodejs-underscore: Arbitrary code execution via the template function", "id": "1944286", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944286"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", "A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-23358", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "moderate", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "moderate", "package_name": "rhacm2/search-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "impact": "moderate", "package_name": "pki-core", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "impact": "moderate", "package_name": "pki-core:10.6/pki-core", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2021-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-23358\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23358"], "statement": "Whilst the OpenShift Container Platform (OCP) openshift4/ose-grafana and openshift3/grafana as well as console, grc-ui and search-ui containers for Red Hat Advanced Management for Kubernetes (RHACM) include the vulnerable underscore library, the access to it is protected by OpenShift OAuth. Additionally this library is used in openshift4/ose-grafana container only in Grafana End-to-End Test package. Therefore the impact by this flaw is reduced to Low and the affected OCP components are marked as \"will not fix\" at this time and to Moderate for the affected RHACM components. This might be fixed in a future release.\nRed Hat Enterprise Virtualization includes the vulnerable underscore library, however it is not parsing any untrusted data, therefore impact is reduced to Low.\nBelow Red Hat products include the underscore dependency, but it is not used by the product and hence this issue has been rated as having a security impact of Low.\n* Red Hat Quay\n* Red Hat Gluster Storage 3\n* Red Hat OpenShift Container Storage 4\n* Red Hat Ceph Storage 3 and 4", "threat_severity": "Important", "upstream_fix": "underscore 1.13.0-2, underscore 1.12.1"}