Lucene search

[email protected]NVD:CVE-2020-28500

HistoryFeb 15, 2021 - 11:15 a.m.

CVE-2020-28500

2021-02-1511:15:12

[email protected]

web.nvd.nist.gov

lodash

vulnerability

cve-2020-28500

redos

regular expression denial of service

tonumber

trim

trimend

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

61.4%

JSON

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Affected configurations

Nvd

Node

lodashlodashRange<4.17.21node.js

Node

oraclebanking_corporate_lending_process_managementMatch14.2.0

oraclebanking_corporate_lending_process_managementMatch14.3.0

oraclebanking_corporate_lending_process_managementMatch14.5.0

oraclebanking_credit_facilities_process_managementMatch14.2.0

oraclebanking_credit_facilities_process_managementMatch14.3.0

oraclebanking_credit_facilities_process_managementMatch14.5.0

oraclebanking_extensibility_workbenchMatch14.2.0

oraclebanking_extensibility_workbenchMatch14.3.0

oraclebanking_extensibility_workbenchMatch14.5.0

oraclebanking_supply_chain_financeMatch14.2.0

oraclebanking_supply_chain_financeMatch14.3.0

oraclebanking_supply_chain_financeMatch14.5.0

oraclebanking_trade_finance_process_managementMatch14.2.0

oraclebanking_trade_finance_process_managementMatch14.3.0

oraclebanking_trade_finance_process_managementMatch14.5.0

oraclecommunications_cloud_native_core_policyMatch1.11.0

oraclecommunications_design_studioMatch7.4.2

oraclecommunications_services_gatekeeperMatch7.0

oraclecommunications_session_border_controllerMatch8.4

oraclecommunications_session_border_controllerMatch9.0

oracleenterprise_communications_brokerMatch3.2.0

oracleenterprise_communications_brokerMatch3.3.0

oraclefinancial_services_crime_and_compliance_management_studioMatch8.0.8.2.0

oraclefinancial_services_crime_and_compliance_management_studioMatch8.0.8.3.0

oraclehealth_sciences_data_management_workbenchMatch2.5.2.1

oraclehealth_sciences_data_management_workbenchMatch3.0.0.0

oraclejd_edwards_enterpriseone_toolsRange<9.2.6.1

oraclepeoplesoft_enterprise_peopletoolsMatch8.58

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

oracleprimavera_gatewayRange17.12.0–17.12.11

oracleprimavera_gatewayRange18.8.0–18.8.12

oracleprimavera_gatewayRange19.12.0–19.12.11

oracleprimavera_gatewayRange20.12.0–20.12.7

oracleprimavera_unifierRange17.7–17.12

oracleprimavera_unifierMatch18.8

oracleprimavera_unifierMatch19.12

oracleprimavera_unifierMatch20.12

oracleretail_customer_management_and_segmentation_foundationMatch19.0

Node

siemenssinec_insRange<1.0

siemenssinec_insMatch1.0-

siemenssinec_insMatch1.0sp1

References

cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

github.com/lodash/lodash/blob/npm/trimEnd.js%23L8

github.com/lodash/lodash/pull/5065

security.netapp.com/advisory/ntap-20210312-0006/

snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

snyk.io/vuln/SNYK-JS-LODASH-1018905

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.oracle.com/security-alerts/cpuoct2021.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

61.4%

JSON

Related for NVD:CVE-2020-28500

ibm37 osv2 prion1 cve1 redhatcve1 veracode1 huntr1 cvelist1 github1 ubuntucve1 debiancve1 nessus5 redhat7 f51 ics1 oracle4