Lucene search

K
cveSnykCVE-2021-23337
HistoryFeb 15, 2021 - 1:15 p.m.

CVE-2021-23337

2021-02-1513:15:12
CWE-94
snyk
web.nvd.nist.gov
270
10
lodash
cve-2021-23337
command injection
template function
security vulnerability

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

0.009

Percentile

82.6%

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Affected configurations

Nvd
Node
lodashlodashRange<4.17.21node.js
Node
oraclebanking_corporate_lending_process_managementMatch14.2.0
OR
oraclebanking_corporate_lending_process_managementMatch14.3.0
OR
oraclebanking_corporate_lending_process_managementMatch14.5.0
OR
oraclebanking_credit_facilities_process_managementMatch14.2.0
OR
oraclebanking_credit_facilities_process_managementMatch14.3.0
OR
oraclebanking_credit_facilities_process_managementMatch14.5.0
OR
oraclebanking_extensibility_workbenchMatch14.2.0
OR
oraclebanking_extensibility_workbenchMatch14.3.0
OR
oraclebanking_extensibility_workbenchMatch14.5.0
OR
oraclebanking_supply_chain_financeMatch14.2.0
OR
oraclebanking_supply_chain_financeMatch14.3.0
OR
oraclebanking_supply_chain_financeMatch14.5.0
OR
oraclebanking_trade_finance_process_managementMatch14.2.0
OR
oraclebanking_trade_finance_process_managementMatch14.3.0
OR
oraclebanking_trade_finance_process_managementMatch14.5.0
OR
oraclecommunications_cloud_native_core_binding_support_functionMatch1.9.0
OR
oraclecommunications_cloud_native_core_policyMatch1.11.0
OR
oraclecommunications_design_studioMatch7.4.2.0.0
OR
oraclecommunications_services_gatekeeperMatch7.0
OR
oraclecommunications_session_border_controllerMatch8.4
OR
oraclecommunications_session_border_controllerMatch9.0
OR
oracleenterprise_communications_brokerMatch3.2.0
OR
oracleenterprise_communications_brokerMatch3.3.0
OR
oraclefinancial_services_crime_and_compliance_management_studioMatch8.0.8.2.0
OR
oraclefinancial_services_crime_and_compliance_management_studioMatch8.0.8.3.0
OR
oraclehealth_sciences_data_management_workbenchMatch2.5.2.1
OR
oraclehealth_sciences_data_management_workbenchMatch3.0.0.0
OR
oraclejd_edwards_enterpriseone_toolsRange<9.2.6.1
OR
oraclepeoplesoft_enterprise_peopletoolsMatch8.58
OR
oraclepeoplesoft_enterprise_peopletoolsMatch8.59
OR
oracleprimavera_gatewayRange17.12.017.12.11
OR
oracleprimavera_gatewayRange18.8.018.8.12
OR
oracleprimavera_gatewayRange19.12.019.12.11
OR
oracleprimavera_gatewayRange20.12.020.12.7
OR
oracleprimavera_unifierRange17.717.12
OR
oracleprimavera_unifierMatch18.8
OR
oracleprimavera_unifierMatch19.12
OR
oracleprimavera_unifierMatch20.12
OR
oracleretail_customer_management_and_segmentation_foundationMatch19.0
Node
netappactive_iq_unified_managerMatch-linux
OR
netappactive_iq_unified_managerMatch-vmware_vsphere
OR
netappactive_iq_unified_managerMatch-windows
OR
netappcloud_managerMatch-
OR
netappsystem_managerMatch9.0
Node
siemenssinec_insRange<1.0
OR
siemenssinec_insMatch1.0-
OR
siemenssinec_insMatch1.0sp1
VendorProductVersionCPE
lodashlodash*cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
oraclebanking_corporate_lending_process_management14.2.0cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
oraclebanking_corporate_lending_process_management14.3.0cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
oraclebanking_corporate_lending_process_management14.5.0cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
oraclebanking_credit_facilities_process_management14.2.0cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
oraclebanking_credit_facilities_process_management14.3.0cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
oraclebanking_credit_facilities_process_management14.5.0cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
oraclebanking_extensibility_workbench14.2.0cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
oraclebanking_extensibility_workbench14.3.0cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
oraclebanking_extensibility_workbench14.5.0cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
Rows per page:
1-10 of 451

CNA Affected

[
  {
    "product": "Lodash",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 4.17.21"
      }
    ]
  }
]

Social References

More

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

0.009

Percentile

82.6%