CVE-2021-23358 in Ubuntu

CVE-2021-23358

Priority

Description

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and
before 1.12.1 are vulnerable to Arbitrary Code Injection via the template
function, particularly when a variable property is passed as an argument as
it is not sanitized.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
https://ubuntu.com/security/notices/USN-4913-1
https://ubuntu.com/security/notices/USN-4913-2

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986171

Assigned-to

leosilva

Notes

Package

Source: underscore (LP Ubuntu Debian)

Upstream:	released (1.9.1~dfsg-2)
Ubuntu 18.04 LTS:	released (1.8.3~dfsg-1ubuntu0.1)
Ubuntu 20.04 LTS:	released (1.9.1~dfsg-1ubuntu0.20.04.1)
Ubuntu 16.04 ESM:	released (1.7.0~dfsg-1ubuntu1.1)
Ubuntu 14.04 ESM:	released (1.4.4-2ubuntu1+esm1)

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-04-13 14:29:07 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)