Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#986171: underscore: CVE-2021-23358

127 views
Skip to first unread message

Salvatore Bonaccorso

unread,
Mar 30, 2021, 3:50:03 PM3/30/21
to
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>,ya...@debian.org

Hi,

The following vulnerability was published for underscore.

CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.

[1] provides a POC to verify the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

Regards,
Salvatore

Yadd

unread,
Mar 30, 2021, 5:40:03 PM3/30/21
to
Hi,

here is a debdiff for buster including:
* backport of upstream patch
* autopkgtest file (tested)

Cheers,
Yadd
underscore_1.9.1_dfsg-1+deb10u1.debdiff
0 new messages