The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

  - All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via     the loadAnnotation() function, due to the usage of insecure regex. (CVE-2022-25758)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

  - node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: User     Interface (UnderscoreJS)). Supported versions that are affected are 18.8, 19.12, 20.12, 21.12 and 22.12.
    Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to     compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read access     to a subset of Primavera Unifier accessible data. (CVE-2021-23358)     
  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Event     Streams and Communications (Apache Kafka)). Supported versions that are affected are 18.8, 19.12, 20.12,     21.12 and 22.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Unifier.
    (CVE-2022-34917)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Document     Management (jackson-databind)). Supported versions that are affected are 18.8, 19.12, 20.12, 21.12 and     22.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to     compromise Primavera Unifier. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Primavera Unifier. (CVE-2022-42003)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6393 advisory.

    The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform     that allows system administrators to view and manage virtual machines. The Manager provides a     comprehensive range of features including search capabilities, resource management, live migrations, and     virtual infrastructure provisioning.

    Security Fix(es):

    * nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

    * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

    * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

    * jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods     (CVE-2020-11023)

    * ovirt-log-collector: RHVM admin password is logged unfiltered (CVE-2022-2806)

    * springframework: malicious input leads to insertion of additional log entries (CVE-2021-22096)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Previously, running engine-setup did not always renew OVN certificates close to expiration or expired.
    With this release, OVN certificates are always renewed by engine-setup when needed. (BZ#2097558)

    * Previously, the Manager issued warnings of approaching certificate expiration before engine-setup could     update certificates. In this release expiration warnings and certificate update periods are aligned, and     certificates are updated as soon as expiration warnings occur. (BZ#2097725)

    * With this release, OVA export or import work on hosts with a non-standard SSH port. (BZ#2104939)

    * With this release, the certificate validity test is compatible with RHEL 8 and RHEL 7 based hypervisors.
    (BZ#2107250)

    * RHV 4.4 SP1 and later are only supported on RHEL 8.6, customers cannot use RHEL 8.7 or later, and must     stay with RHEL 8.6 EUS. (BZ#2108985)

    * Previously, importing templates from the Administration Portal did not work. With this release,     importing templates from the Administration Portal is possible. (BZ#2109923)

    * ovirt-provider-ovn certificate expiration is checked along with other RHV certificates. If ovirt-     provider-ovn is about to expire or already expired, a warning or alert is raised in the audit log. To     renew the ovirt-provider-ovn certificate, administators must run engine-setup. If your ovirt-provider-ovn     certificate expires on a previous RHV version, upgrade to RHV 4.4 SP1 batch 2 or later, and ovirt-     provider-ovn certificate will be renewed automatically in the engine-setup. (BZ#2097560)

    * Previously, when importing a virtual machine with manual CPU pinning, the manual pinning string was     cleared, but the CPU pinning policy was not set to NONE. As a result, importing failed. In this release,     the CPU pinning policy is set to NONE if the CPU pinning string is cleared, and importing succeeds.
    (BZ#2104115)

    * Previously, the Manager could start a virtual machine with a Resize and Pin NUMA policy on a host     without an equal number of physical sockets to NUMA nodes. As a result, wrong pinning was assigned to the     policy. With this release, the Manager does not allow the virtual machine to be scheduled on such a     virtual machine, and the pinning is correct based on the algorithm. (BZ#1955388)

    * Rebase package(s) to version: 4.4.7.
    Highlights, important fixes, or notable enhancements: fixed BZ#2081676 (BZ#2104831)

    * In this release, rhv-log-collector-analyzer provides detailed output for each problematic image,     including disk names, associated virtual machine, the host running the virtual machine, snapshots, and     current SPM. The detailed view is now the default. The compact option can be set by using the --compact     switch in the command line. (BZ#2097536)

    * UnboundID LDAP SDK has been rebased on upstream version 6.0.4. See     https://github.com/pingidentity/ldapsdk/releases for changes since version 4.0.14 (BZ#2092478)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.x prior to 10.1.0, or 8.x prior to 8.15.3. It is, therefore, affected by a vulnerability in a third-party library:

  - The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary     Code Injection via the template function, particularly when a variable property is passed as an argument as it is     not sanitized. (CVE-2021-23358)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

According to its self-reported version number, Underscore.js is 1.3.2 prior to 1.12.1 or 1.13.x prior to 1.13.0-2. Therefore, it may be affected by an arbitrary code injection via the template function when the variable option is taken from _.templateSettings.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is less than 5.19.0 and is therefore affected by multiple vulnerabilities in the following components: 
  - Apache FOP
  - Underscore
  - Handlebars
  - PHP
  - sqlite

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2865 advisory.

    The ovirt-engine package provides the manager for virtualization environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    Security Fix(es):

    * nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

    * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

    * nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

    * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Foreman integration, which allows you to provision bare metal hosts from the Administration Portal     using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed     completely in oVirt 4.4.7 / RHV 4.4.7.

    Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an     already provisioned host using the Administration Portal or the REST API. (BZ#1901011)

    * Adding a message banner to the web administration welcome page is straight forward using custom branding     that only contains a preamble section.
    An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329.

    In an engine upgrade, the custom preamble brand remains in place and will work without issue.

    During engine backup and subsequent restore, on engine restore the custom preamble branding needs to be     manually restored/reinstalled and verified. (BZ#1804774)

    * The column name threads_per_core in the Red hat Virtualization manager Dashboard is being deprecated,     and will be removed in a future release.
    In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads.
    In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns     providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a     future version. (BZ#1896359)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for nodejs-underscore fixes the following issues :

Update version to 1.13.1

  - Fix security issue (boo#1184800, CVE-2021-23358)

  - Fix bugs

  - Many new features

The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4913-2 advisory.

    USN-4913-1 fixed vulnerabilities in Underscore. This update provides the corresponding updates for Ubuntu     21.04.



Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4913-1 advisory.

    It was discovered that Underscore incorrectly handled certain inputs. An attacker could possibly use this     issue to inject arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.

node-underscore and libjs-underscore are vulnerable to Arbitrary Code Execution via the template function, particulary when a variable property is passed as an argument as it is not sanitized.

For Debian 9 stretch, this problem has been fixed in version 1.8.3~dfsg-1+deb9u1.

We recommend that you upgrade your underscore packages.

For the detailed security status of underscore please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/underscore

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
202308	RHEL 8 : grafana (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
199059	RHEL 7 : grafana (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
170193	Oracle Primavera Unifier (Jan 2023 CPU)	Nessus	CGI abuses	high
164843	RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.2] (RHSA-2022:6393)	Nessus	Red Hat Local Security Checks	high
157339	Tenable Nessus 10.x < 10.1.0 / 8.x < 8.15.3 Third-Party Vulnerability (TNS-2022-04)	Nessus	Misc.	high
112983	Underscore.js 1.13.x < 1.13.0-2 Arbitrary Code Injection	Web App Scanning	Component Vulnerability	high
112982	Underscore.js 1.3.2 < 1.12.1 Arbitrary Code Injection	Web App Scanning	Component Vulnerability	high
152986	Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)	Nessus	Misc.	critical
152005	RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.7] (Moderate) (RHSA-2021:2865)	Nessus	Red Hat Local Security Checks	high
149613	openSUSE Security Update : nodejs-underscore (openSUSE-2021-601)	Nessus	SuSE Local Security Checks	high
149044	Ubuntu 21.04 : Underscore vulnerability (USN-4913-2)	Nessus	Ubuntu Local Security Checks	high
148555	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Underscore vulnerability (USN-4913-1)	Nessus	Ubuntu Local Security Checks	high
148300	Debian DSA-4883-1 : underscore - security update	Nessus	Debian Local Security Checks	high
148275	Debian DLA-2613-1 : underscore security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-23358

high

Tenable Plugins

high

high

high

high

high

high

high

critical

high

high

high

high

high

high