PublicDateAtUSN: 2021-03-29 14:15:00 UTC
Candidate: CVE-2021-23358
PublicDate: 2021-03-29 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
 https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
 https://ubuntu.com/security/notices/USN-4913-1
 https://ubuntu.com/security/notices/USN-4913-2
Description:
 The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and
 before 1.12.1 are vulnerable to Arbitrary Code Injection via the template
 function, particularly when a variable property is passed as an argument
 as it is not sanitized.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]

Patches_underscore:
upstream_underscore: released (1.9.1~dfsg-2)
precise/esm_underscore: ignored
trusty_underscore: ignored (out of standard support)
trusty/esm_underscore: released (1.4.4-2ubuntu1+esm1)
xenial_underscore: released (1.7.0~dfsg-1ubuntu1.1)
esm-infra/xenial_underscore: released (1.7.0~dfsg-1ubuntu1.1)
bionic_underscore: released (1.8.3~dfsg-1ubuntu0.1)
focal_underscore: released (1.9.1~dfsg-1ubuntu0.20.04.1)
groovy_underscore: released (1.9.1~dfsg-1ubuntu0.20.10.1)
hirsute_underscore: released (1.9.1~dfsg-1ubuntu0.21.04.1)
devel_underscore: released (1.9.1~dfsg-2)