apache / cordova-common

Apache Cordova Common Tooling Library
https://cordova.apache.org/
Apache License 2.0

Security Vulnerability in underscore <= 1.12.0 CVE-2021-23358 #163

Closed RichardMcSorley closed 3 years ago

RichardMcSorley commented 3 years ago

A security vulnerability was detected for underscore <= 1.12.0 according to my code scanner.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

My applications do not use underscore, and it seems this only came up as a potential risk because I'm using this library via cordova.

Any suggestions are appreciated, Thanks!

Apache Cordova uses GitHub Issues as a feature request and bug tracker only. For usage and support questions, please check out the resources below. Thanks!

You can get answers to your usage and support questions about Apache Cordova on:

If you are using a tool that uses Cordova internally, like e.g. Ionic, check their support channels:

breautek commented 3 years ago

Security issues should be reported via https://www.apache.org/security/

This package declares a dependency on "underscore": "^1.9.2"

This means the latest version of underscore 1.x will be installed when you install cordova. Because the patch landed in 1.13.0, NPM will install this version for Cordova as it satisfies the declared version, therefore Cordova is not affected by this vulnerability. You may, however, need to reinstall Cordova so that NPM will install the latest versions of each dependency and sub-dependency.
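The resolution argument above, as an added example that is not part of the cordova-common project or of this thread: a minimal implementation of npm's caret-range semantics shows why a declared range of "^1.9.2" accepts 1.13.0 while excluding 2.x, and a small tree walker (over a constructed dependency tree shaped like `npm ls --json` output, with placeholder versions for everything except underscore) flags any underscore copy that is still at or below 1.12.0. The version list and tree are constructed samples, not underscore's real publish history.

```javascript
// Added example, not code from cordova-common. Versions are plain
// "MAJOR.MINOR.PATCH" strings; prerelease tags and build metadata are not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret ranges allow changes that do not touch the left-most non-zero component:
// ^1.9.2 => >=1.9.2 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4.
function caretUpperBound(min) {
  const [major, minor, patch] = parseVersion(min);
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const min = range.slice(1);
  const upper = caretUpperBound(min).join('.');
  return compareVersions(version, min) >= 0 && compareVersions(version, upper) < 0;
}

// Highest available version inside the range, mirroring npm picking the newest
// published release that satisfies a declared dependency.
function resolveRange(range, available) {
  const candidates = available.filter((v) => satisfiesCaret(range, v));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Affected range from the issue: underscore <= 1.12.0.
function isAffectedUnderscore(installed) {
  return compareVersions(installed, '1.12.0') <= 0;
}

// Walk a tree shaped like `npm ls --json` output ({ name, version, dependencies })
// and return the path to every underscore copy still in the affected range.
function findAffectedUnderscore(tree, path = []) {
  const here = [...path, `${tree.name}@${tree.version}`];
  const hits = [];
  if (tree.name === 'underscore' && isAffectedUnderscore(tree.version)) {
    hits.push(here.join(' > '));
  }
  for (const [name, child] of Object.entries(tree.dependencies || {})) {
    hits.push(...findAffectedUnderscore({ ...child, name }, here));
  }
  return hits;
}

// Constructed sample: a handful of 1.x versions, not the real publish history.
const SAMPLE_UNDERSCORE_VERSIONS = ['1.9.2', '1.10.0', '1.11.0', '1.12.0', '1.13.0'];

// Constructed sample tree; '0.0.0' is a placeholder, not a real Cordova version.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'cordova-android': {
      version: '0.0.0',
      dependencies: {
        'cordova-common': {
          version: '0.0.0',
          dependencies: { underscore: { version: '1.12.0' } },
        },
      },
    },
  },
};

console.log('resolved ^1.9.2 ->', resolveRange('^1.9.2', SAMPLE_UNDERSCORE_VERSIONS));
console.log('still affected:', findAffectedUnderscore(SAMPLE_TREE));
```

Running the block resolves "^1.9.2" to 1.13.0 from the sample list, and reports the one stale underscore copy in the sample tree with its full path; after a reinstall that pulls 1.13.0, the walker returns an empty list.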

RichardMcSorley commented 3 years ago

@breautek Thanks for the prompt reply.

Thought that was the case and had some trouble with my local npm but now all is as expected.

For those affected by this, simply run

npm uninstall cordova-android
npm install cordova-android

Run for cordova-ios if you are using that dependency also.