CVE-2021-23358 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2021-23358

CVE-2021-23358

March 29, 2021

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Affected Packages

underscore.js (CDN_JS):

Affected version(s) >=1.3.2 <1.12.1

Fix Suggestion:

Update to version 1.12.1

underscore (NPM):

Affected version(s) >=1.3.2 <1.12.1

Fix Suggestion:

Update to version 1.12.1

Related Resources (33)

https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E

https://www.debian.org/security/2021/dsa-4883

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV

https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html

https://github.com/jashkenas/underscore/releases/tag/1.12.1

http://seclists.org/fulldisclosure/2025/Apr/14

https://security.netapp.com/advisory/ntap-20240808-0003

https://access.redhat.com/security/cve/CVE-2021-23358

https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E

https://www.tenable.com/security/tns-2021-14

https://github.com/jashkenas/underscore

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/

https://security.netapp.com/advisory/ntap-20240808-0003/

https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E

https://security-tracker.debian.org/tracker/CVE-2021-23358

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z

https://security.netapp.com/advisory/ntap-20241108-0002

https://security.netapp.com/advisory/ntap-20241108-0002/

https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E

https://www.npmjs.com/package/underscore

https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV

https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71

https://github.com/jashkenas/underscore/pull/2917

https://nvd.nist.gov/vuln/detail/CVE-2021-23358

https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E

https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/

https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z

https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E

https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E

Do you need more information?

CVSS v4

Base Score:

1.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

HIGH

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

POC

CVSS v3

Base Score:

3.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Exploit Maturity

PROOF-OF-CONCEPT

CVSS v2

Base Score:

6.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

EPSS

Base Score:

1.1

Products

Solutions

Resources

Company

Compare

Developer Tools