Description
The package underscore from 1.3.2 and before 1.12.1, and from 1.13.0-0 and before 1.13.0-2, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, because that value is not sanitized.
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when the variable property is passed as an argument, because it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
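The mechanism behind the description above, as an added example that is not underscore's own source and not part of this advisory: a reduced model of a template compiler that hands the `variable` setting straight to `new Function()` as its parameter list, beside a hardened version that only accepts a single bare identifier (the same idea as the upstream fix). Because a JavaScript parameter list may carry default initializers, a name such as `obj, __x = (...)` is valid syntax and the initializer runs on every call that leaves `__x` undefined, so the template still renders correctly while the injected code executes. The names `compileUnsafe`, `compileSafe`, `BARE_IDENTIFIER`, `buildBody`, `demo`, the `{{ expr }}` syntax and the sample template and payload are assumptions made for this example.

```javascript
'use strict';

// Only {{ expr }} interpolation is modelled; it is enough to show the sink.
// The template author writes expressions in terms of the parameter name
// (e.g. {{ obj.name }}), exactly as with a `variable` setting.
const INTERPOLATE = /\{\{\s*([\w$.]+)\s*\}\}/g;

// Turn template text into the body of the generated render function.
function buildBody(text) {
  let body = "var __p = '';\n";
  let last = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    body += '__p += ' + JSON.stringify(text.slice(last, m.index)) + ';\n';
    body += '__p += String(' + m[1] + ');\n';
    last = m.index + m[0].length;
  }
  body += '__p += ' + JSON.stringify(text.slice(last)) + ';\n';
  return body + 'return __p;';
}

// Vulnerable shape: settings.variable is used verbatim as the parameter list,
// so anything that parses as formal parameters (including `a = <code>`) is accepted.
function compileUnsafe(text, settings = {}) {
  const argument = settings.variable || 'obj';
  return new Function(argument, buildBody(text));
}

// Hardened shape: refuse the name unless it is one bare identifier.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileSafe(text, settings = {}) {
  const argument = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(argument)) {
    throw new Error('variable is not a bare identifier: ' + argument);
  }
  return new Function(argument, buildBody(text));
}

// Constructed sample input: a harmless template and a payload that only
// records that it ran. Functions built by new Function() close over the
// global scope, so a real payload would reach `process`/`require` the same way.
const TEMPLATE = 'Hello, {{ obj.name }}!';
const PAYLOAD = 'obj, __x = (globalThis.__injectedRan = true, 0)';

// Runs both compilers on the payload and returns what each did.
function demo() {
  globalThis.__injectedRan = false;

  const unsafeRender = compileUnsafe(TEMPLATE, { variable: PAYLOAD });
  const unsafeOut = unsafeRender({ name: 'world' }); // renders normally...
  const injectedRan = globalThis.__injectedRan;      // ...while the payload ran

  let safeError = null;
  try {
    compileSafe(TEMPLATE, { variable: PAYLOAD });
  } catch (e) {
    safeError = e.message;
  }

  const safeOut = compileSafe(TEMPLATE, { variable: 'obj' })({ name: 'world' });
  return { unsafeOut, injectedRan, safeError, safeOut };
}

console.log(demo());
```

The check has to be a whitelist on the name itself; rejecting only obvious characters such as `(` or `;` would miss a default initializer built from identifiers and the comma operator alone.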
Statement
Whilst the OpenShift Container Platform (OCP) openshift4/ose-grafana and openshift3/grafana containers, as well as the console, grc-ui and search-ui containers for Red Hat Advanced Cluster Management for Kubernetes (RHACM), include the vulnerable underscore library, access to it is protected by OpenShift OAuth. Additionally, in the openshift4/ose-grafana container the library is used only in the Grafana end-to-end test package. Therefore the impact of this flaw is reduced to Low for the affected OCP components, which are marked as "will not fix" at this time, and to Moderate for the affected RHACM components. This might be fixed in a future release.

Red Hat Enterprise Virtualization includes the vulnerable underscore library; however, it does not parse any untrusted data with it, therefore the impact is reduced to Low.

The following Red Hat products include the underscore dependency, but it is not used by the product, and hence this issue has been rated as having a security impact of Low:
- Red Hat Quay
- Red Hat Gluster Storage 3
- Red Hat OpenShift Container Storage 4
- Red Hat Ceph Storage 3 and 4
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Affected | | |
| Red Hat Ceph Storage 3 | grafana | Affected | | |
| Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Affected | | |
| Red Hat Enterprise Linux 7 | pki-core | Will not fix | | |
| Red Hat Enterprise Linux 8 | pki-core:10.6/pki-core | Will not fix | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/grafana | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Fix deferred | | |
| Red Hat OpenShift Container Storage 4 | ocs4/mcg-core-rhel8 | Affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | | |
Additional information
Status:
EPSS:
CVSS3: 7.2 High
Related vulnerabilities
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.