CVE-2020-28500

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
snykCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
lodashlodash
𝑥
< 4.17.21
oraclebanking_corporate_lending_process_management
14.2.0
oraclebanking_corporate_lending_process_management
14.3.0
oraclebanking_corporate_lending_process_management
14.5.0
oraclebanking_credit_facilities_process_management
14.2.0
oraclebanking_credit_facilities_process_management
14.3.0
oraclebanking_credit_facilities_process_management
14.5.0
oraclebanking_extensibility_workbench
14.2.0
oraclebanking_extensibility_workbench
14.3.0
oraclebanking_extensibility_workbench
14.5.0
oraclebanking_supply_chain_finance
14.2.0
oraclebanking_supply_chain_finance
14.3.0
oraclebanking_supply_chain_finance
14.5.0
oraclebanking_trade_finance_process_management
14.2.0
oraclebanking_trade_finance_process_management
14.3.0
oraclebanking_trade_finance_process_management
14.5.0
oraclecommunications_cloud_native_core_policy
1.11.0
oraclecommunications_design_studio
7.4.2
oraclecommunications_services_gatekeeper
7.0
oraclecommunications_session_border_controller
8.4
oraclecommunications_session_border_controller
9.0
oracleenterprise_communications_broker
3.2.0
oracleenterprise_communications_broker
3.3.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.2.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.3.0
oraclehealth_sciences_data_management_workbench
2.5.2.1
oraclehealth_sciences_data_management_workbench
3.0.0.0
oraclejd_edwards_enterpriseone_tools
𝑥
< 9.2.6.1
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
oracleprimavera_gateway
17.12.0 ≤
𝑥
≤ 17.12.11
oracleprimavera_gateway
18.8.0 ≤
𝑥
≤ 18.8.12
oracleprimavera_gateway
19.12.0 ≤
𝑥
≤ 19.12.11
oracleprimavera_gateway
20.12.0 ≤
𝑥
≤ 20.12.7
oracleprimavera_unifier
17.7 ≤
𝑥
≤ 17.12
oracleprimavera_unifier
18.8
oracleprimavera_unifier
19.12
oracleprimavera_unifier
20.12
oracleretail_customer_management_and_segmentation_foundation
19.0
siemenssinec_ins
𝑥
< 1.0
siemenssinec_ins
1.0
siemenssinec_ins
1.0:sp1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-lodash
bullseye
4.17.21+dfsg+~cs8.31.173-1
fixed
buster
no-dsa
sid
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
trixie
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
bookworm
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-lodash
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
bionic
needed
xenial
needs-triage
trusty
dne
References
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
https://github.com/lodash/lodash/pull/5065
https://security.netapp.com/advisory/ntap-20210312-0006/
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
https://snyk.io/vuln/SNYK-JS-LODASH-1018905
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
https://github.com/lodash/lodash/pull/5065
https://security.netapp.com/advisory/ntap-20210312-0006/
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
https://snyk.io/vuln/SNYK-JS-LODASH-1018905
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html