Bug 1944286 (CVE-2021-23358) - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
Summary: CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1944288 1945624 1945625 1972645 1944287 1944399 1944400 1944401 1944525 1944739 1944741 1944904 1944905 1945003 1945004 1945323 1951619 1972646
Blocks: 1944289
Reported: 2021-03-29 17:15 UTC by Pedro Sampaio
Modified: 2021-10-04 11:07 UTC

Fixed In Version: underscore 1.13.0-2, underscore 1.12.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when the `variable` setting is passed as an argument, because its value is not sanitized before use. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-04-28 22:46:44 UTC


Links
Red Hat Product Errata RHSA-2021:2865 (last updated 2021-07-22 15:11:56 UTC)

Description Pedro Sampaio 2021-03-29 17:15:30 UTC
The package underscore, from 1.13.0-0 and before 1.13.0-2 and from 1.3.2 and before 1.12.1, is vulnerable to arbitrary code execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

References:

https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

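Added example, not from the report above and not the underscore project's code: a reduced model of the pattern the flaw concerns, a template compiler that splices the caller-supplied `variable` setting straight into the parameter list of a `new Function` call, beside a hardened version that accepts only a bare identifier. The function names, the `BARE_IDENTIFIER` regex, the `<%= %>` interpolation handling and the `globalThis.sideEffect` marker used to observe execution are this example's own assumptions; the payload is constructed for the demonstration.

```javascript
// Added example (not underscore's code): models how an unsanitized `variable`
// setting reaches `new Function` and why a bare-identifier check stops it.

// Turn "Hi <%= obj.name %>!" into:  return "Hi " + (obj.name) + "!";
// (assumed minimal interpolation; only the parameter-name splice matters here)
function buildSource(text) {
  const parts = [];
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    parts.push(JSON.stringify(text.slice(last, m.index)));
    parts.push('(' + m[1] + ')');
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(text.slice(last)));
  return 'return ' + parts.join(' + ') + ';';
}

// Vulnerable shape: settings.variable becomes the generated function's
// parameter name with no validation. Anything legal in a parameter position,
// such as a default-value expression, is compiled in and runs on every call.
function compileTemplateVulnerable(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, buildSource(text));
}

// Hardened shape: refuse anything that is not a single bare identifier before
// it can be spliced into code. The regex is this example's assumption.
const BARE_IDENTIFIER = /^\s*[\w$]+\s*$/;

function compileTemplateHardened(text, settings = {}) {
  const argument = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  return new Function(argument, buildSource(text));
}

// Constructed attacker-controlled `variable` value: a default parameter whose
// initializer runs arbitrary code the moment the compiled template is invoked,
// even though the template text itself is harmless.
const PAYLOAD = 'obj = (globalThis.sideEffect = "injected", { name: "pwned" })';

function demonstrate() {
  globalThis.sideEffect = undefined;
  const tpl = compileTemplateVulnerable('Hi <%= obj.name %>!', { variable: PAYLOAD });
  const vulnerableOutput = tpl();                 // no args: default initializer fires
  const vulnerableHit = globalThis.sideEffect === 'injected';

  globalThis.sideEffect = undefined;
  let hardenedThrew = false;
  try {
    compileTemplateHardened('Hi <%= obj.name %>!', { variable: PAYLOAD });
  } catch (e) {
    hardenedThrew = true;                         // rejected before new Function
  }
  const hardenedHit = globalThis.sideEffect === 'injected';

  return { vulnerableOutput, vulnerableHit, hardenedThrew, hardenedHit };
}

console.log(demonstrate());
```

The legitimate use, `compileTemplateHardened('Hi <%= data.name %>!', { variable: 'data' })({ name: 'x' })`, still works, so the check costs nothing for well-formed callers; the practical mitigation for deployed code remains upgrading to a fixed underscore release and never letting untrusted input choose the `variable` setting.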
Comment 1 Pedro Sampaio 2021-03-29 17:16:07 UTC
Created nodejs-underscore tracking bugs for this issue:

Affects: epel-7 [bug 1944288]
Affects: fedora-all [bug 1944287]

Comment 18 Borja Tarraso 2021-04-27 09:11:17 UTC
Statement:

Whilst the OpenShift Container Platform (OCP) openshift4/ose-grafana and openshift3/grafana as well as console, grc-ui and search-ui containers for Red Hat Advanced Management for Kubernetes (RHACM) include the vulnerable underscore library, access to it is protected by OpenShift OAuth. Additionally, this library is used in the openshift4/ose-grafana container only in the Grafana End-to-End Test package. Therefore the impact of this flaw is reduced to Low, and the affected OCP components are marked as "will not fix" at this time, and to Moderate for the affected RHACM components. This might be fixed in a future release.

The Red Hat products below include the underscore dependency, but it is not used by the product, and hence this issue has been rated as having a security impact of Low.

* Red Hat Quay
* Red Hat Gluster Storage 3
* Red Hat OpenShift Container Storage 4
* Red Hat Ceph Storage 3 and 4

Comment 19 errata-xmlrpc 2021-04-28 17:00:31 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7

Via RHSA-2021:1448 https://access.redhat.com/errata/RHSA-2021:1448

Comment 20 Product Security DevOps Team 2021-04-28 22:46:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23358

Comment 21 errata-xmlrpc 2021-05-04 20:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499

Comment 23 errata-xmlrpc 2021-07-22 15:11:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865
