The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized. References: https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503 https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
Created nodejs-underscore tracking bugs for this issue: Affects: epel-7 [bug 1944288] Affects: fedora-all [bug 1944287]
Upstream fix : https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66
Statement: Whilst the OpenShift Container Platform (OCP) openshift4/ose-grafana and openshift3/grafana as well as console, grc-ui and search-ui containers for Red Hat Advanced Management for Kubernetes (RHACM) include the vulnerable underscore library, the access to it is protected by OpenShift OAuth. Additionally this library is used in openshift4/ose-grafana container only in Grafana End-to-End Test package. Therefore the impact by this flaw is reduced to Low and the affected OCP components are marked as "will not fix" at this time and to Moderate for the affected RHACM components. This might be fixed in a future release. Below Red Hat products include the underscore dependency, but it is not used by the product and hence this issue has been rated as having a security impact of Low. * Red Hat Quay * Red Hat Gluster Storage 3 * Red Hat OpenShift Container Storage 4 * Red Hat Ceph Storage 3 and 4
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7 Via RHSA-2021:1448 https://access.redhat.com/errata/RHSA-2021:1448
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23358
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393