关联漏洞
标题:
Npm underscore 代码注入漏洞
(CVE-2021-23358)
描述:Npm underscore是美国Npm公司的一个应用程序。一个JavaScript的实用程序带库,可为常见的可疑功能提供支持,而无需扩展任何核心JavaScript对象。 underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1存在代码注入漏洞,攻击者可利用该漏洞容易通过模板函数执行任意代码。
描述
Detection script for cve-2021-23358
介绍
# Detection-script-for-cve-2021-23358
Detection script for cve-2021-23358
I have created a Detection script for CVE-2021-23358 , which will detect the vulnerable version of node underscore be it installed as an open-source tool or just the libraries are being used.
This script has three features, It will detect the versions of underscore from
1) Using the direct npm command
2) Version written in the PATH of the libraries
3) Inside the library itself
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
And the library’s underscore uses are
1) Node-underscore
2) Libjs-underscore
3) Underscore
文件快照
[4.0K] /data/pocs/499026dc9b0150ba58f1ee5d88de5cff7adff9f6
├── [6.7K] cve-2021-23358.sh
├── [1.0K] LICENSE
└── [ 915] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。