Skip to content

CVE-2021-23358 found on trivy scan cypress version is 13.3.3 #28207

Closed
#29673
Closed
CVE-2021-23358 found on trivy scan cypress version is 13.3.3#28207
#29673
Labels
type: security 🔐Security related
@eagle-txec

Description

@eagle-txec
eagle-txec
opened on Nov 1, 2023

Current behavior

installed version is 1.6.0

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

Desired behavior

Upgrade fix version is 1.13.1

Test code to reproduce

Cypress Version

13.3.3

Node version

16.20.2

Operating System

Debug Logs

"VulnerabilityID": "CVE-2021-23358",
          "InstalledVersion": "1.6.0",
          "LastModifiedDate": "2021-09-22T19:49:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V2Score": 6.5,
              "V3Score": 7.2,
              "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 7.2,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "underscore@1.6.0",
          "Title": "nodejs-underscore: Arbitrary code execution via the template function",
          "CweIDs": [
            "CWE-94"
          ],
          "Status": "fixed",
          "PkgName": "underscore",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/underscore/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23358",
          "References": [
            "https://access.redhat.com/security/cve/CVE-2021-23358",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358",
            "https://github.com/jashkenas/underscore",
            "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71",
            "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66",
            "https://github.com/jashkenas/underscore/pull/2917",
            "https://github.com/jashkenas/underscore/releases/tag/1.12.1",
            "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-23358",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503",
            "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984",
            "https://ubuntu.com/security/notices/USN-4913-1",
            "https://ubuntu.com/security/notices/USN-4913-2",
            "https://www.cve.org/CVERecord?id=CVE-2021-23358",
            "https://www.debian.org/security/2021/dsa-4883",
            "https://www.npmjs.com/package/underscore",
            "https://www.tenable.com/security/tns-2021-14"
          ],
          "Description": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
          "FixedVersion": "1.12.1",
          "PublishedDate": "2021-03-29T14:15:00Z",

Other

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: security 🔐Security related

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions