
# SNYK-JS-UNDERSCORE-1080984

Status: Published. CVSS 5.5 (Medium)

## Overview

[underscore](https://www.npmjs.org/package/underscore) is a JavaScript functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the `template` function, particularly when the `variable` option is taken from `_.templateSettings`, as it is not sanitized.

### PoC

```js
const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();
```

## Remediation

Upgrade `underscore` to version 1.13.0-2, 1.12.1 or higher.

## References

- [GitHub Additional Information](https://github.com/jashkenas/underscore/blob/cb5f6fc6c2400649d942f1e36f9e5191fb7a1bf1/modules/template.js#L71)
- [GitHub Commit](https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66)
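As an added example, not Snyk's or underscore's own code: a guard for the `variable` setting modelled on the bare-identifier check the linked fixing commit introduced, wired into a minimal stand-in template compiler so the effect can be run offline. The regex, the function names and the compiler itself are assumptions of this example, not underscore's implementation.

```javascript
// Added example, not underscore's code: a guard for the `variable` template
// setting modelled on the bare-identifier check in the fixing commit.
// Assumption: the accepted shape is a single run of \w or $ characters,
// optionally padded with whitespace; anything else (e.g. "a = ...") is rejected.
const BARE_IDENTIFIER = /^\s*(\w|\$)+\s*$/;

// True only when `variable` can serve as a plain Function parameter name.
function isBareIdentifier(variable) {
  return typeof variable === 'string' && BARE_IDENTIFIER.test(variable);
}

// Minimal stand-in for the template compiler (hypothetical, far smaller than
// underscore's): supports only <%= expr %> interpolation, and expressions must
// not contain quotes or backslashes. The data argument is named after
// `variable`, and the guard runs before that name reaches the Function
// constructor, which is the path the advisory's PoC abuses.
function compileTemplate(text, variable = 'obj') {
  if (!isBareIdentifier(variable)) {
    throw new Error('variable is not a bare identifier: ' + variable);
  }
  const body = text
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r?\n/g, '\\n')
    .replace(/<%=([\s\S]+?)%>/g, (match, expr) => "'+(" + expr + ")+'");
  const source = "var __p='';__p+='" + body + "';return __p;";
  return new Function(variable, source);
}

// Pre-call check for code that copies settings from a shared object such as
// _.templateSettings before handing them to a not-yet-upgraded underscore.
function validatedVariable(settings) {
  const variable = settings && settings.variable;
  if (variable === undefined) return 'obj';
  if (!isBareIdentifier(variable)) {
    throw new Error('refusing unsafe template variable: ' + variable);
  }
  return variable;
}
```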

## Risk Scores

CVSS 3.1: 5.5

`CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C`

## Timeline

- Mar 2, 2021: CVE Updated
- Mar 29, 2021: CVE Published