cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

CVE-2021-23358 found on trivy scan cypress version is 13.3.3 #28207

Closed eagle-txec closed 2 months ago

eagle-txec commented 11 months ago

Current behavior

Installed version is 1.6.0.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

Desired behavior

Upgrade: the fix version is 1.13.1.

Test code to reproduce

-

Cypress Version

13.3.3

Node version

16.20.2

Operating System

-

Debug Logs

"VulnerabilityID": "CVE-2021-23358",
          "InstalledVersion": "1.6.0",
          "LastModifiedDate": "2021-09-22T19:49:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V2Score": 6.5,
              "V3Score": 7.2,
              "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 7.2,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "underscore@1.6.0",
          "Title": "nodejs-underscore: Arbitrary code execution via the template function",
          "CweIDs": [
            "CWE-94"
          ],
          "Status": "fixed",
          "PkgName": "underscore",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/underscore/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23358",
          "References": [
            "https://access.redhat.com/security/cve/CVE-2021-23358",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358",
            "https://github.com/jashkenas/underscore",
            "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71",
            "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66",
            "https://github.com/jashkenas/underscore/pull/2917",
            "https://github.com/jashkenas/underscore/releases/tag/1.12.1",
            "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-23358",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503",
            "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984",
            "https://ubuntu.com/security/notices/USN-4913-1",
            "https://ubuntu.com/security/notices/USN-4913-2",
            "https://www.cve.org/CVERecord?id=CVE-2021-23358",
            "https://www.debian.org/security/2021/dsa-4883",
            "https://www.npmjs.com/package/underscore",
            "https://www.tenable.com/security/tns-2021-14"
          ],
          "Description": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
          "FixedVersion": "1.12.1",
          "PublishedDate": "2021-03-29T14:15:00Z",

Other

-

cypress-app-bot commented 5 months ago

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

cypress-app-bot commented 4 months ago

This issue has been closed due to inactivity.

shank1290 commented 4 months ago

@cypress-app-bot This issue still exists with cypress version 13.7.3

MikeMcC399 commented 3 months ago

To reproduce the report, use for example:

trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0

cypress-bot[bot] commented 2 months ago
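The trivy command above prints its findings; the following added example (not part of Cypress or of the issue) shows how to triage the JSON form of such a report, flagging only findings whose installed version is below the advisory's FixedVersion. The SAMPLE_REPORT is constructed from the record quoted in the issue, trimmed to the fields the script reads, plus one made-up already-patched entry; the version comparison is a deliberately simple numeric one that ignores prerelease suffixes.

```javascript
// Added example (not part of the Cypress project or the issue): triage a
// trivy JSON report and list findings whose installed version is below the
// advisory's FixedVersion. SAMPLE_REPORT is constructed from the issue's record.
const SAMPLE_REPORT = {
  Results: [{
    Target: "Node.js",
    Vulnerabilities: [
      {
        VulnerabilityID: "CVE-2021-23358", PkgName: "underscore",
        InstalledVersion: "1.6.0", FixedVersion: "1.12.1", Severity: "CRITICAL",
        PkgPath: "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/underscore/package.json",
      },
      { // constructed, already patched: must not be reported
        VulnerabilityID: "PLACEHOLDER-ID", PkgName: "example-pkg",
        InstalledVersion: "2.0.0", FixedVersion: "1.9.0", Severity: "HIGH",
        PkgPath: "node_modules/example-pkg/package.json",
      },
    ],
  }],
};

const SEVERITY_RANK = { UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Compare dotted numeric versions; a prerelease suffix such as "-2" is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Findings at or above minSeverity whose installed version is older than the
// first fixed version trivy lists (FixedVersion may be comma separated).
function actionableFindings(report, minSeverity = "HIGH") {
  const out = [];
  for (const r of report.Results || []) {
    for (const v of r.Vulnerabilities || []) {
      if ((SEVERITY_RANK[v.Severity] || 0) < SEVERITY_RANK[minSeverity]) continue;
      if (!v.FixedVersion) continue; // same effect as trivy's --ignore-unfixed
      const fixed = v.FixedVersion.split(",")[0].trim();
      if (compareVersions(v.InstalledVersion, fixed) >= 0) continue;
      out.push({ id: v.VulnerabilityID, pkg: v.PkgName, installed: v.InstalledVersion,
                 fixed, path: v.PkgPath });
    }
  }
  return out;
}
console.log(JSON.stringify(actionableFindings(SAMPLE_REPORT, "CRITICAL"), null, 2));
```

The PkgPath field is what tells you the vulnerable copy lives inside the Cypress binary cache rather than in your own dependency tree, so a fix has to come from the Cypress release rather than from a lockfile change.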

Released in 13.13.1.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v13.13.1, please open a new issue.