{"containers":{"cna":{"affected":[{"product":"underscore","vendor":"n/a","versions":[{"lessThan":"unspecified","status":"affected","version":"1.13.0-0","versionType":"custom"},{"lessThan":"1.13.0-2","status":"affected","version":"unspecified","versionType":"custom"},{"lessThan":"unspecified","status":"affected","version":"1.3.2","versionType":"custom"},{"lessThan":"1.12.1","status":"affected","version":"unspecified","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Alessio Della Libera (@d3lla)"}],"datePublic":"2021-03-29T00:00:00.000Z","descriptions":[{"lang":"en","value":"The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"LOW","exploitCodeMaturity":"PROOF_OF_CONCEPT","integrityImpact":"LOW","privilegesRequired":"HIGH","remediationLevel":"OFFICIAL_FIX","reportConfidence":"CONFIRMED","scope":"UNCHANGED","temporalScore":3,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C","version":"3.1"}}],"problemTypes":[{"descriptions":[{"description":"Arbitrary Code Injection","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2021-08-24T04:06:09.000Z","orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk"},"references":[{"tags":["x_refsource_MISC"],"url":"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"},{"tags":["x_refsource_MISC"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"},{"tags":["x_refsource_MISC"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"},{"tags":["x_refsource_MISC"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"},{"tags":["x_refsource_MISC"],"url":"https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"},{"name":"[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"},{"name":"DSA-4883","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"https://www.debian.org/security/2021/dsa-4883"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.tenable.com/security/tns-2021-14"},{"name":"FEDORA-2021-e49f936d9f","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"},{"name":"FEDORA-2021-f278299902","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}],"title":"Arbitrary Code Injection","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2021-03-29T13:13:50.579077Z","ID":"CVE-2021-23358","STATE":"PUBLIC","TITLE":"Arbitrary Code Injection"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"underscore","version":{"version_data":[{"version_affected":">=","version_value":"1.13.0-0"},{"version_affected":"<","version_value":"1.13.0-2"},{"version_affected":">=","version_value":"1.3.2"},{"version_affected":"<","version_value":"1.12.1"}]}}]},"vendor_name":"n/a"}]}},"credit":[{"lang":"eng","value":"Alessio Della Libera (@d3lla)"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Arbitrary Code Injection"}]}]},"references":{"reference_data":[{"name":"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984","refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"},{"name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503","refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"},{"name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504","refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"},{"name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505","refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"},{"name":"https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71","refsource":"MISC","url":"https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"},{"name":"[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"},{"name":"DSA-4883","refsource":"DEBIAN","url":"https://www.debian.org/security/2021/dsa-4883"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","refsource":"MLIST","url":"https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","refsource":"MLIST","url":"https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E"},{"name":"https://www.tenable.com/security/tns-2021-14","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2021-14"},{"name":"FEDORA-2021-e49f936d9f","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"},{"name":"FEDORA-2021-f278299902","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"}]}}},"adp":[{"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71"},{"name":"[debian-lts-announce] 20210331 [SECURITY] [DLA 2613-1] underscore security update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html"},{"name":"DSA-4883","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"https://www.debian.org/security/2021/dsa-4883"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek closed issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] breautek commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley opened a new issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley commented on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E"},{"name":"[cordova-issues] 20210414 [GitHub] [cordova-common] RichardMcSorley edited a comment on issue #163: Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.tenable.com/security/tns-2021-14"},{"name":"FEDORA-2021-e49f936d9f","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/"},{"name":"FEDORA-2021-f278299902","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/"},{"url":"https://security.netapp.com/advisory/ntap-20240808-0003/"},{"url":"http://seclists.org/fulldisclosure/2025/Apr/14"},{"url":"https://security.netapp.com/advisory/ntap-20241108-0002/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T21:44:35.654Z"}},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-08-29T15:48:41.938375Z","id":"CVE-2021-23358","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-29T15:48:53.476Z"}}]},"cveMetadata":{"assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","assignerShortName":"snyk","cveId":"CVE-2021-23358","datePublished":"2021-03-29T13:15:34.770Z","dateReserved":"2021-01-08T00:00:00.000Z","dateUpdated":"2025-11-03T21:44:35.654Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}