CVE-2021-23358

Published: 29 March 2021

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Priority

CVSS 3 base score: 7.2

Status

Package	Release	Status
underscore Launchpad, Ubuntu, Debian	bionic	Released (1.8.3~dfsg-1ubuntu0.1)
	focal	Released (1.9.1~dfsg-1ubuntu0.20.04.1)
	groovy	Released (1.9.1~dfsg-1ubuntu0.20.10.1)
	hirsute	Released (1.9.1~dfsg-1ubuntu0.21.04.1)
	precise	Ignored
	trusty	Released (1.4.4-2ubuntu1+esm1)
	upstream	Released (1.9.1~dfsg-2)
	xenial	Released (1.7.0~dfsg-1ubuntu1.1)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
https://ubuntu.com/security/notices/USN-4913-1
https://ubuntu.com/security/notices/USN-4913-2
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›