NodeJS/underscore/1.4.0
JavaScript's functional programming helper library.
https://www.npmjs.com/package/underscore
MIT
1 Security Vulnerabilities
Arbitrary Code Execution in underscore
Published date: 2021-05-06T16:09:43Z
CVE: CVE-2021-23358
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23358
- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
- https://github.com/jashkenas/underscore/pull/2917
- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66
- https://github.com/jashkenas/underscore/releases/tag/1.12.1
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://www.npmjs.com/package/underscore
- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71
- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
- https://www.debian.org/security/2021/dsa-4883
- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E
- https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E
- https://www.tenable.com/security/tns-2021-14
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
The package underscore, from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Affected versions:
["1.3.2", "1.3.3", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.7.0", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.12.0"]
Secure versions:
["1.0.3", "1.0.4", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.3.0", "1.3.1", "1.13.0-0", "1.13.0-1", "1.12.1", "1.13.0-2", "1.13.0-3", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6"]
Recommendation:
Update to version 1.13.6.
53 Other Versions
Version | License | Vulnerabilities | Released | Age
---|---|---|---|---
1.0.3 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.0.4 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.0 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.1 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.2 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.3 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.4 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.5 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.6 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.1.7 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.2.0 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.2.1 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.2.2 | MIT | | 2011-11-14 - 20:28 | over 12 years
1.2.3 | MIT | | 2011-12-07 - 15:12 | over 12 years
1.2.4 | MIT | | 2012-01-09 - 17:23 | over 12 years
1.3.0 | MIT | | 2012-01-11 - 16:41 | over 12 years
1.3.1 | MIT | | 2012-01-23 - 22:57 | over 12 years
1.3.2 | MIT | 1 | 2012-04-09 - 18:38 | about 12 years
1.3.3 | MIT | 1 | 2012-04-10 - 14:43 | about 12 years
1.4.0 | MIT | 1 | 2012-09-27 - 22:02 | over 11 years
1.4.1 | MIT | 1 | 2012-10-01 - 17:20 | over 11 years
1.4.2 | MIT | 1 | 2012-10-07 - 03:05 | over 11 years
1.4.3 | MIT | 1 | 2012-12-04 - 18:47 | over 11 years
1.4.4 | MIT | 1 | 2013-01-30 - 02:12 | over 11 years
1.5.0 | MIT | 1 | 2013-07-06 - 18:05 | almost 11 years
1.5.1 | MIT | 1 | 2013-07-08 - 08:38 | almost 11 years
1.5.2 | MIT | 1 | 2013-09-07 - 13:00 | over 10 years
1.6.0 | MIT | 1 | 2014-02-10 - 21:14 | over 10 years
1.7.0 | MIT | 1 | 2014-08-26 - 22:16 | over 9 years
1.8.0 | MIT | 1 | 2015-02-20 - 00:14 | about 9 years
1.8.1 | MIT | 1 | 2015-02-20 - 03:20 | about 9 years
1.8.2 | MIT | 1 | 2015-02-22 - 14:14 | about 9 years
1.8.3 | MIT | 1 | 2015-04-02 - 15:32 | about 9 years
1.9.0 | MIT | 1 | 2018-04-18 - 18:40 | about 6 years
1.9.1 | MIT | 1 | 2018-05-31 - 21:11 | almost 6 years
1.9.2 | MIT | 1 | 2020-01-06 - 21:27 | over 4 years
1.10.0 | MIT | 1 | 2020-03-30 - 17:30 | about 4 years
1.10.1 | MIT | 1 | 2020-03-30 - 18:18 | about 4 years
1.10.2 | MIT | 1 | 2020-03-30 - 21:28 | about 4 years
1.11.0 | MIT | 1 | 2020-08-28 - 19:59 | over 3 years
1.12.0 | MIT | 1 | 2020-11-24 - 01:01 | over 3 years
1.13.0-0 | MIT | | 2021-03-10 - 02:35 | about 3 years
1.13.0-1 | MIT | | 2021-03-11 - 23:54 | about 3 years
1.12.1 | MIT | | 2021-03-15 - 09:40 | about 3 years
1.13.0-2 | MIT | | 2021-03-15 - 09:41 | about 3 years
1.13.0-3 | MIT | | 2021-03-31 - 18:18 | about 3 years
1.13.0 | MIT | | 2021-04-09 - 18:56 | about 3 years
1.13.1 | MIT | | 2021-04-15 - 13:17 | about 3 years
1.13.2 | MIT | | 2021-12-16 - 10:17 | over 2 years
1.13.3 | MIT | | 2022-04-23 - 18:56 | about 2 years
1.13.4 | MIT | | 2022-06-02 - 12:36 | almost 2 years
1.13.5 | MIT | | 2022-09-23 - 19:16 | over 1 year
1.13.6 | MIT | | 2022-09-23 - 22:21 | over 1 year