Github仓库收到一个“Arbitrary Code Execution in underscore”高危漏洞警告
source link: https://qq.md/posts/126
I had originally gone to GitHub looking for reference code to fix images that display too large in my blog's mobile layout. As soon as I logged in I saw a notification saying that my repository https://github.com/xiamuguizhi/Chronicle had a high-severity vulnerability.
I took a look at the repository: it is the "Chronicle static blog generator" I wrote in 易语言 (EPL), and I wondered what vulnerability an exe could possibly have. Reading the notice more carefully, it was about a JS file, underscore.min.js, in the "Editor.md" editor I use, which had been reported for "Arbitrary Code Execution in underscore". I had no idea what that meant and was not going to bother with it, since after all it does not run on the server!
But then I suddenly remembered that the files from my earlier post "an editor that cost me a whole day" were copied out of this very editor. Safety first, so let's fix it; never mind the details, just fix it!
Affected versions: >= 1.3.2, < 1.12.1
Patched versions: 1.12.1
The advisory reads as follows:
Arbitrary Code Execution in underscore
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Advisory URL: https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
That spells it out in detail: the fix is version 1.12.1 or above, so I just need to download the latest version and swap it in, haha.
I downloaded underscore.min.js from my server and checked the version: Underscore.js 1.8.2. Sure enough, it is affected.
Step 1: Open the official site http://underscorejs.org/ and download v1.13.1 ("Downloads 8.59 KB, Minified and Gzipped"), the minified build for production.
PS: You can of course use a CDN instead; for a CDN in China, https://www.bootcdn.cn/underscore.js/ is recommended. Personally I prefer downloading the file to my own server.
Step 2: Upload it to the server, clear the browser cache, and that's basically it~
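As an added example (not code from the original post or from the underscore project), here is a JavaScript check that reads the version banner from a downloaded underscore(.min).js and compares it against the two affected ranges quoted in the advisory above, so the "is this file still affected?" question can be answered before and after the swap. The function names and the sample banners are my own constructions.

```javascript
// Added example: check a local underscore(.min).js against the affected
// ranges from GHSA-cf4h-3jhx-xvhq. Function names are hypothetical.

// Parse "1.13.0-1" into {nums: [1, 13, 0], pre: 1}; pre is null for a release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(v.trim());
  if (!m) throw new Error('unrecognised version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] === undefined ? null : Number(m[4]) };
}

// Semver-style ordering: 1.13.0-0 < 1.13.0-2 < 1.13.0 (negative, zero or positive).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;   // a release is newer than its own prereleases
  if (pb.pre === null) return -1;
  return pa.pre - pb.pre;
}

// Affected ranges exactly as the advisory states them.
const AFFECTED = [
  { min: '1.3.2', max: '1.12.1' },      // >= 1.3.2 and < 1.12.1
  { min: '1.13.0-0', max: '1.13.0-2' }, // >= 1.13.0-0 and < 1.13.0-2
];

function isVulnerableUnderscore(version) {
  return AFFECTED.some(r => compareVersions(version, r.min) >= 0 &&
                            compareVersions(version, r.max) < 0);
}

// The release banner at the top of underscore(.min).js reads like
// "//     Underscore.js 1.8.2"; pull the version number out of it.
function extractUnderscoreVersion(source) {
  const m = /Underscore\.js\s+(\d+\.\d+\.\d+(?:-\d+)?)/.exec(source);
  return m ? m[1] : null;
}

function checkUnderscoreSource(source) {
  const version = extractUnderscoreVersion(source);
  if (version === null) return { version: null, vulnerable: null };
  return { version, vulnerable: isVulnerableUnderscore(version) };
}

// Constructed samples: the head of the file found on the server (1.8.2) and of
// the replacement downloaded from underscorejs.org (1.13.1).
const OLD_BANNER = '//     Underscore.js 1.8.2\n//     http://underscorejs.org\n!function(){}();';
const NEW_BANNER = '//     Underscore.js 1.13.1\n//     https://underscorejs.org\n!function(){}();';

console.log(checkUnderscoreSource(OLD_BANNER)); // { version: '1.8.2', vulnerable: true }
console.log(checkUnderscoreSource(NEW_BANNER)); // { version: '1.13.1', vulnerable: false }
```

Run the check again after clearing the browser cache by fetching the served file and passing its text to `checkUnderscoreSource`, which confirms the new copy is the one actually being delivered.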
I have to say, GitHub's Dependabot is nice! I looked it up on Baidu and it turns out it launched back in 2019; it is not that developers were unaware of it, but if it had not flagged a vulnerability today I probably would never have run into this, hahaha!!!
Dependabot is now also integrated with GitHub's Security Advisory API, giving users access to its "carefully curated" vulnerability database. GitHub notes that over the past year the Security Advisory service produced more than 10 million alerts relating to over 1,000 defects.