Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358

[RichardMcSorley]

A security vulnerability was detected for underscore <= 1.12.0 according to my code scanner.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

My applications do not use underscore and seems this only came as a potential risk because I'm using this library via cordova.

Any suggestions are appreciated, Thanks!

Apache Cordova uses GitHub Issues as a feature request and bug tracker only. For usage and support questions, please check out the resources below. Thanks!

---

You can get answers to your usage and support questions about Apache Cordova on:

• Slack Community Chat: https://cordova.slack.com (you can sign-up at http://slack.cordova.io/)
• StackOverflow: https://stackoverflow.com/questions/tagged/cordova using the tag cordova

---

If you are using a tool that uses Cordova internally, like e.g. Ionic, check their support channels:

• Ionic Framework
  • Ionic Community Forum
  • Ionic Worldwide Slack
• PhoneGap
  • PhoneGap Developer Community

[breautek]

Security issues should be reported via https://www.apache.org/security/

This package declares a dependency on "underscore": "^1.9.2"

This means the latest version of underscore 1.x will be installed when you install cordova. Because the patch is landed in 1.13.0, NPM will install this version for Cordova as it satisfies the declared version, therefore Cordova is not affected by this vulnerability. You however may need to reinstall Cordova so that NPM will install the latest versions of each dependency and sub-dependencies.

[RichardMcSorley]

@breautek Thanks for the prompt reply.

Thought that was the case and had some trouble with my local npm but now all is as expected.

For those affected by this simply run

npm uninstall cordova-android
npm install cordova-android

Run for cordova-ios if you are using that dependency also.