CVE-2021-23358
Arbitrary Code Execution vulnerability in underscore
What is CVE-2021-23358 About?
The 'underscore' package from versions 1.3.2 up to 1.12.1 and from 1.13.0-0 before 1.13.0-2 is vulnerable to arbitrary code execution through its template function. This occurs because variable properties passed as arguments are not sanitized, allowing attackers to inject and execute their own code. Exploitation may be relatively straightforward if user input directly influences template variables.
Affected Software
Technical Details
This vulnerability in the 'underscore' package stems from improper sanitization of the `variable` setting passed to the `template` function (either through `_.templateSettings.variable` or the `variable` property of the settings argument). `template` compiles a template by building JavaScript source and handing it to `new Function`, and the `variable` setting becomes the name of that generated function's argument. Because the setting is spliced into the source without validation, an attacker who controls it can supply a string that is not a plain identifier, and the templating engine then compiles that string as part of the function body, leading to arbitrary code execution in the context of the application using the template.
What is the Impact of CVE-2021-23358?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2021-23358?
Exploitation relies on the application using the vulnerable 'underscore' template function with attacker-controlled input. The complexity can vary from moderate to low, depending on how easily an attacker can supply input that influences template variable properties. Authentication requirements depend on whether the templating process is accessible before authentication. Privilege requirements are typically those of the application itself. This can be a remote vulnerability if the application renders templates from remote input, or local if templates are processed locally from user-controlled files. The primary risk factor is applications that use 'underscore' templates to render user-supplied or partially user-controlled data without proper input sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| EkamSinghWalia | Link | Detection script for CVE-2021-23358 |
| MehdiBoukhobza | Link | PoC for CVE-2021-23358 |
What are the Available Fixes for CVE-2021-23358?
About the Fix from Resolved Security
The patch prevents code injection through CVE-2021-23358 by ensuring that the argument passed as _.templateSettings.variable is a simple, valid identifier and not an arbitrary string that could contain malicious code. This is done by checking the variable name against a regular expression and throwing an error if it doesn't match, thereby stopping attackers from injecting executable JavaScript via crafted variable names.
Available Upgrade Options
- underscore
  - >1.3.2, <1.12.1 → Upgrade to 1.12.1
Additional Resources
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E
- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66
- https://www.debian.org/security/2021/dsa-4883
- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html
- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E
- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71
- https://github.com/jashkenas/underscore/releases/tag/1.12.1
What are Similar Vulnerabilities to CVE-2021-23358?
Similar Vulnerabilities: CVE-2021-23383, CVE-2020-15256, CVE-2016-9013, CVE-2019-15598, CVE-2016-0761
