NVD Vulnerability Detail

CVE-2021-23358

Summary	The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publication Date	March 29, 2021, 11:15 p.m.
Registration Date	March 30, 2021, 10:02 a.m.
Last Update	Nov. 21, 2024, 2:51 p.m.

CVSS3.1 : HIGH
スコア	7.2
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	高
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : MEDIUM
Score	6.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	単一
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:underscorejs:underscore::::::node.js::*	1.3.2			1.12.1
cpe:2.3:a:underscorejs:underscore::::::node.js::*	1.13.0-0			1.13.0-2

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:tenable:tenable.sc::::::::			5.18.0

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71	Broken Link
2	https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71	Broken Link
3	https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E
4	https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E
5	https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E
6	https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E
7	https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E
8	https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E
9	https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E
10	https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E
11	https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E
12	https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E
13	https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html	Mailing List Third Party Advisory
14	https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html	Mailing List Third Party Advisory
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
17	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
18	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
19	https://security.netapp.com/advisory/ntap-20240808-0003/
20	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504	Exploit Third Party Advisory
21	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504	Exploit Third Party Advisory
22	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505	Exploit Third Party Advisory
23	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505	Exploit Third Party Advisory
24	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503	Exploit Third Party Advisory
25	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503	Exploit Third Party Advisory
26	https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984	Exploit Third Party Advisory
27	https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984	Exploit Third Party Advisory
28	https://www.debian.org/security/2021/dsa-4883	Third Party Advisory
29	https://www.debian.org/security/2021/dsa-4883	Third Party Advisory
30	https://www.tenable.com/security/tns-2021-14	Third Party Advisory
31	https://www.tenable.com/security/tns-2021-14	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-94	コード・インジェクション	https://cwe.mitre.org/data/definitions/94.html

JVN Vulnerability Information

underscore パッケージにおけるコードインジェクションの脆弱性

Title	underscore パッケージにおけるコードインジェクションの脆弱性
Summary	underscore パッケージには、コードインジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 1, 2021, midnight
Registration Date	Dec. 6, 2021, 4:04 p.m.
Last Update	Dec. 6, 2021, 4:04 p.m.

Affected System

Underscore.js

Underscore 1.13.0-0 以上 1.13.0-2 未満

Underscore 1.3.2 以上 1.12.1 未満

Debian

Debian GNU/Linux

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-23358	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
National Vulnerability Database (NVD)
2	CVE-2021-23358	https://nvd.nist.gov/vuln/detail/CVE-2021-23358

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-94	https://jvndb.jvn.jp/ja/cwe/CWE-94.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-4883-1	https://www.debian.org/security/2021/dsa-4883
Underscore.js
2	Top Page	https://underscorejs.org/

Change Log

No	Changed Details	Date of change
1	[2021年12月06日] 掲載	Dec. 6, 2021, 4:04 p.m.