CVE-2021-23358 found on trivy scan cypress version is 13.3.3

[eagle-txec]

Current behavior

installed version is 1.6.0

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

Desired behavior

Upgrade fix version is 1.13.1

Test code to reproduce

Cypress Version

13.3.3

Node version

16.20.2

Operating System

Debug Logs

"VulnerabilityID": "CVE-2021-23358",
          "InstalledVersion": "1.6.0",
          "LastModifiedDate": "2021-09-22T19:49:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V2Score": 6.5,
              "V3Score": 7.2,
              "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 7.2,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "underscore@1.6.0",
          "Title": "nodejs-underscore: Arbitrary code execution via the template function",
          "CweIDs": [
            "CWE-94"
          ],
          "Status": "fixed",
          "PkgName": "underscore",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/underscore/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "/~https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23358",
          "References": [
            "https://access.redhat.com/security/cve/CVE-2021-23358",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358",
            "/~https://github.com/jashkenas/underscore",
            "/~https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71",
            "/~https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66",
            "/~https://github.com/jashkenas/underscore/pull/2917",
            "/~https://github.com/jashkenas/underscore/releases/tag/1.12.1",
            "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E",
            "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-23358",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505",
            "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503",
            "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984",
            "https://ubuntu.com/security/notices/USN-4913-1",
            "https://ubuntu.com/security/notices/USN-4913-2",
            "https://www.cve.org/CVERecord?id=CVE-2021-23358",
            "https://www.debian.org/security/2021/dsa-4883",
            "https://www.npmjs.com/package/underscore",
            "https://www.tenable.com/security/tns-2021-14"
          ],
          "Description": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
          "FixedVersion": "1.12.1",
          "PublishedDate": "2021-03-29T14:15:00Z",

Other

[cypress-app-bot]

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

[cypress-app-bot]

This issue has been closed due to inactivity.

[shank1290]

@cypress-app-bot This issue still exists with cypress version 13.7.3

[MikeMcC399]

• It's good to see there is a new PR dependency: Replace jsonlint with json-parse-even-better-errors #29673 to mitigate this vulnerability!

• This CRITICAL security vulnerability was also reported in Critical vulnerabilities reported for cypress/factory cypress-docker-images#1115 for cypress/included:13.11.0

To reproduce report, use for example:

trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0

[cypress-bot]

Released in 13.13.1.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v13.13.1, please open a new issue.