SNYK-JS-UNDERSCORE-1080984
## Overview

[underscore](https://www.npmjs.org/package/underscore) is a JavaScript functional-programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the `template` function, particularly when the `variable` option is taken from `_.templateSettings`, as it is not sanitized.

### PoC

```javascript
const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();
```

## Remediation

Upgrade `underscore` to version 1.13.0-2, 1.12.1 or higher.

## References

- [GitHub Additional Information](https://github.com/jashkenas/underscore/blob/cb5f6fc6c2400649d942f1e36f9e5191fb7a1bf1/modules/template.js#L71)
- [GitHub Commit](https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66)
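The root cause is that `template` passes the `variable` setting straight into the `Function` constructor's parameter list. The following is an added example, not underscore's own code: a minimal `<%= %>` template compiler that applies the same bare-identifier rule the upstream fix introduced before building the function, so a `variable` carrying code is rejected instead of compiled. The function names and the sample templates are constructed for this example.

```javascript
// Only a plain identifier (optionally whitespace-padded) may become the
// function parameter name; anything else would be parsed as code by
// `new Function`. This mirrors the check added in the upstream fix.
const BARE_IDENTIFIER = /^\s*(\w|\$)+\s*$/;

function isBareIdentifier(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}

// Compile `text` the way a template engine does: build JavaScript source
// and hand it to the Function constructor. The only caller-controlled
// string that lands in the parameter list is validated first.
function compileTemplate(text, settings = {}) {
  const variable = settings.variable || 'obj';
  if (!isBareIdentifier(variable)) {
    throw new Error(`variable is not a bare identifier: ${JSON.stringify(variable)}`);
  }

  const interpolate = /<%=([\s\S]+?)%>/g;
  let source = "let __t;\nlet __p = '';\n";
  let index = 0;
  text.replace(interpolate, (match, expr, offset) => {
    source += `__p += ${JSON.stringify(text.slice(index, offset))};\n`;
    source += `__p += ((__t = (${expr})) == null ? '' : __t);\n`;
    index = offset + match.length;
    return match;
  });
  source += `__p += ${JSON.stringify(text.slice(index))};\nreturn __p;`;

  // Safe now: `variable` is a single identifier, never an expression.
  return new Function(variable, source);
}

// Returns true when the guard rejected the setting (no function was built).
function rejectsVariable(variable) {
  try {
    compileTemplate('', { variable });
    return false;
  } catch (e) {
    return /bare identifier/.test(e.message);
  }
}

// Constructed inputs: a normal template and the injection-shaped setting.
const greeting = compileTemplate('Hi <%= user.name %>!', { variable: 'user' })({ name: 'Ann' });
const blocked = rejectsVariable("a = this.process.mainModule.require('child_process')");
```

With the guard in place, `greeting` renders normally while the injection-shaped `variable` setting throws before any code is constructed.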
Exploit Intelligence
- Detection script for cve-2021-23358 (github-poc-repo)
- MehdiBoukhobza/SandBox_CVE-2021-23358 (github-poc)
- Detection script for cve-2021-23358 (github-poc)
- index.html (github-poc)
- underscore-node-f.cjs (github-poc)
Timeline
- Mar 2, 2021 CVE Updated
- Mar 29, 2021 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.org/package/underscore technical
- https://github.com/jashkenas/underscore/blob/cb5f6fc6c2400649d942f1e36f9e5191fb7a1bf1/modules/template.js#L71 technical
- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66 patch