CVE-2021-23358 PoC — Npm underscore 代码注入漏洞

Source

https://github.com/EkamSinghWalia/Detection-script-for-cve-2021-23358

Associated Vulnerability

Title:Npm underscore 代码注入漏洞 (CVE-2021-23358)
Description:Npm underscore是美国Npm公司的一个应用程序。一个JavaScript的实用程序带库，可为常见的可疑功能提供支持，而无需扩展任何核心JavaScript对象。 underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1存在代码注入漏洞，攻击者可利用该漏洞容易通过模板函数执行任意代码。

Description

Detection script for cve-2021-23358

Readme

# Detection-script-for-cve-2021-23358
Detection script for cve-2021-23358
I have created a Detection script for CVE-2021-23358 , which will detect the vulnerable version of node underscore be it installed as an open-source tool or just the libraries are being used.
This script has three features, It will detect the versions of underscore from
1)	Using the direct npm command 
2)	Version written in the PATH of the libraries 
3)	Inside the library itself 

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
And the library’s underscore uses are 
1)	Node-underscore
2)	Libjs-underscore
3)	Underscore 


![image](https://user-images.githubusercontent.com/106553324/221375496-deb9ff2c-63a7-4b70-b8c8-5edd6824cc5e.png)

File Snapshot


 [4.0K]  /data/pocs/499026dc9b0150ba58f1ee5d88de5cff7adff9f6
├── [6.7K]  cve-2021-23358.sh
├── [1.0K]  LICENSE
└── [ 915]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!