underscore-1.9.1.tgz: 1 vulnerabilities (highest severity is: 1.2) [master] (reachable)

[mend-developer-platform-dev]

📂 Vulnerable Library - underscore-1.9.1.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz

Path to dependency file: /package.json

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-2021-23358	🟡 Low	1.2	Proof of concept	1.4000001%	underscore-1.9.1.tgz	Direct	underscore.js - 1.12.1,underscore - 1.12.1	✅	Reachable

Details

🟡CVE-2021-23358

Vulnerable Library - underscore-1.9.1.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

• ❌ underscore-1.9.1.tgz (Vulnerable Library)

---

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/config/config.js (Application)
    -> ❌ underscore-1.9.1/underscore.js (Vulnerable Component)

---

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: Mar 29, 2021 01:15 PM

URL: CVE-2021-23358

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:1.4000001%

Score: 1.2

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-cf4h-3jhx-xvhq

Release Date: Mar 29, 2021 01:15 PM

Fix Resolution : underscore.js - 1.12.1,underscore - 1.12.1