Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security leak in _.template, please update #2915

Closed
jgonggrijp opened this issue Mar 15, 2021 · 4 comments · Fixed by #2917
Closed

Security leak in _.template, please update #2915

jgonggrijp opened this issue Mar 15, 2021 · 4 comments · Fixed by #2917
Labels
bug fixed

Comments

@jgonggrijp
Copy link
Collaborator

We were notified of a security issue in _.template, which appears to have existed since Underscore version 1.3.2. The bug was fixed in version 1.12.1 and 1.13.0-2, which I just published. If using NPM, please upgrade to underscore@latest or underscore@preview.
@jgonggrijp jgonggrijp mentioned this issue Mar 15, 2021
Closed
@eviljeff eviljeff mentioned this issue Mar 16, 2021
Merged
1 task
@willdurand
Copy link

@jgonggrijp where is the 1.12.1 tag?

@jgonggrijp
Copy link
Collaborator Author

@willdurand I intentionally postponed pushing that in order to give people who want to exploit the leak less to go on. I'll let you know when I push it.

@willdurand
Copy link

thanks

@richardlau richardlau mentioned this issue Mar 22, 2021
Merged
@jgonggrijp jgonggrijp mentioned this issue Mar 29, 2021
Merged
@jgonggrijp jgonggrijp linked a pull request Mar 29, 2021 that will close this issue
Security fix for _.template variable parameter (CVE-2021-23358) #2917
Merged
@jgonggrijp
Copy link
Collaborator Author

@willdurand The tag is online now.

@wickedest wickedest mentioned this issue Mar 31, 2021
Closed
This was referenced Apr 23, 2021
Closed
Merged
@mcab mcab mentioned this issue Jun 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug fixed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security fix for _.template variable parameter (CVE-2021-23358) jgonggrijp/underscore
2 participants
@willdurand @jgonggrijp