Critical and High Vulnerabilities in Shiny Server 1.5.16.958

[dvasilen]

Critical Vulnerabilities

1. CVE-2021-23369 /opt/shiny-server/node_modules/handlebars

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

High Vulnerabilities

2. CVE-2021-23358 /opt/shiny-server/node_modules/underscore

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

[johnstacy]

While you're at it...

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22883
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265

Not to mention other less severe vulnerabilities:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7662
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23362
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788