Bug 1184800 - (CVE-2021-23358) VUL-0: CVE-2021-23358: nodejs-underscore: Arbitrary code execution via the template function
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Hillwood Yang
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/280628/
Depends on:
Blocks:

Reported: 2021-04-15 12:04 UTC by Alexandros Toptsoglou
Modified: 2021-06-22 01:53 UTC (History)
CC: 0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Description Alexandros Toptsoglou 2021-04-15 12:04:45 UTC
CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

References:

https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
https://bugzilla.redhat.com/show_bug.cgi?id=1944286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23358
http://www.debian.org/security/-1/dsa-4883
https://access.redhat.com/security/cve/CVE-2021-23358
https://www.debian.org/security/2021/dsa-4883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171
https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E
https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E
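As an added example (not code from this bug report or from underscore itself), two defender-side helpers for this issue: `isAffectedVersion` tests a version string against the two ranges quoted in the description, and `hardenTemplateSettings` refuses a `variable` template setting that is not a bare identifier before it reaches a template compiler. The identifier rule and all function names are the example's own assumptions.

```javascript
// Affected underscore ranges exactly as the bug description states them:
//   >= 1.3.2 and < 1.12.1;  >= 1.13.0-0 and < 1.13.0-2 (numeric pre-release tags)
const AFFECTED_RANGES = [
  { from: "1.3.2", before: "1.12.1" },
  { from: "1.13.0-0", before: "1.13.0-2" },
];

// Parse "x.y.z" or "x.y.z-N" into a comparable tuple. A final release carries no
// pre-release tag and sorts after every pre-release of the same x.y.z, so a
// missing tag is represented as Infinity.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error("unrecognised version string: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] === undefined ? Infinity : Number(m[4])];
}

// Comparator: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed underscore version falls inside an affected range.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0
  );
}

// Mitigation side: the `variable` template setting becomes a parameter name of the
// compiled template function, so anything but a plain identifier must be refused.
// This rule is the example's own (an assumption), stricter than JS identifier grammar.
const BARE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function isBareIdentifier(name) {
  return typeof name === "string" && BARE_IDENTIFIER.test(name);
}

// Returns a copy of the settings, throwing if `variable` is set to something unsafe.
function hardenTemplateSettings(settings) {
  const out = Object.assign({}, settings);
  if (out.variable !== undefined && !isBareIdentifier(out.variable)) {
    throw new Error("template setting 'variable' is not a bare identifier: " + out.variable);
  }
  return out;
}
```

Run `isAffectedVersion` over the `underscore` entries of a lockfile to find packages still inside the affected ranges; the fixed Leap package below ships 1.13.1, which the check reports as unaffected.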
Comment 1 OBSbugzilla Bot 2021-04-15 15:00:03 UTC
This is an autogenerated message for OBS integration:
This bug (1184800) was mentioned in
https://build.opensuse.org/request/show/885692 15.2 / nodejs-underscore
Comment 2 Swamp Workflow Management 2021-04-23 16:22:36 UTC
openSUSE-SU-2021:0601-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184800
CVE References: CVE-2021-23358
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs-underscore-1.13.1-lp152.4.3.1
Comment 3 Hillwood Yang 2021-06-22 01:53:54 UTC
Fixed.