CVE-2021-23337

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
snykCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
lodashlodash
𝑥
< 4.17.21
oraclebanking_corporate_lending_process_management
14.2.0
oraclebanking_corporate_lending_process_management
14.3.0
oraclebanking_corporate_lending_process_management
14.5.0
oraclebanking_credit_facilities_process_management
14.2.0
oraclebanking_credit_facilities_process_management
14.3.0
oraclebanking_credit_facilities_process_management
14.5.0
oraclebanking_extensibility_workbench
14.2.0
oraclebanking_extensibility_workbench
14.3.0
oraclebanking_extensibility_workbench
14.5.0
oraclebanking_supply_chain_finance
14.2.0
oraclebanking_supply_chain_finance
14.3.0
oraclebanking_supply_chain_finance
14.5.0
oraclebanking_trade_finance_process_management
14.2.0
oraclebanking_trade_finance_process_management
14.3.0
oraclebanking_trade_finance_process_management
14.5.0
oraclecommunications_cloud_native_core_binding_support_function
1.9.0
oraclecommunications_cloud_native_core_policy
1.11.0
oraclecommunications_design_studio
7.4.2.0.0
oraclecommunications_services_gatekeeper
7.0
oraclecommunications_session_border_controller
8.4
oraclecommunications_session_border_controller
9.0
oracleenterprise_communications_broker
3.2.0
oracleenterprise_communications_broker
3.3.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.2.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.3.0
oraclehealth_sciences_data_management_workbench
2.5.2.1
oraclehealth_sciences_data_management_workbench
3.0.0.0
oraclejd_edwards_enterpriseone_tools
𝑥
< 9.2.6.1
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
oracleprimavera_gateway
17.12.0 ≤
𝑥
≤ 17.12.11
oracleprimavera_gateway
18.8.0 ≤
𝑥
≤ 18.8.12
oracleprimavera_gateway
19.12.0 ≤
𝑥
≤ 19.12.11
oracleprimavera_gateway
20.12.0 ≤
𝑥
≤ 20.12.7
oracleprimavera_unifier
17.7 ≤
𝑥
≤ 17.12
oracleprimavera_unifier
18.8
oracleprimavera_unifier
19.12
oracleprimavera_unifier
20.12
oracleretail_customer_management_and_segmentation_foundation
19.0
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappcloud_manager
-
netappsystem_manager
9.0
siemenssinec_ins
𝑥
< 1.0
siemenssinec_ins
1.0
siemenssinec_ins
1.0:sp1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-lodash
bullseye
4.17.21+dfsg+~cs8.31.173-1
fixed
buster
no-dsa
bookworm
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
sid
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
trixie
4.17.21+dfsg+~cs8.31.198.20210220-9
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-lodash
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
bionic
needed
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
https://security.netapp.com/advisory/ntap-20210312-0006/
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
https://snyk.io/vuln/SNYK-JS-LODASH-1040724
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
https://security.netapp.com/advisory/ntap-20210312-0006/
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
https://snyk.io/vuln/SNYK-JS-LODASH-1040724
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html