CVE-2020-28500

Published on: 02/15/2021 12:00:00 AM UTC

Last Modified on: 09/13/2022 09:18:00 PM UTC

CVE-2020-28500

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

Certain versions of Lodash from Lodash contain the following vulnerability:

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVE-2020-28500 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.3 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	NONE	LOW

CVSS2 Score: 5 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	NONE	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
Regular Expression Denial of Service (ReDoS) in lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A
Regular Expression Denial of Service (ReDoS) in org.webjars.npm:lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A
Regular Expression Denial of Service (ReDoS) in org.webjars.bower:lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A
February 2021 Lodash Vulnerabilities in NetApp Products \| NetApp Product Security	security.netapp.com text/html	CONFIRM security.netapp.com/advisory/ntap-20210312-0006/
perf: improve performance of `toNumber`, `trim` and `trimEnd` on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub	Patch Third Party Advisory github.com text/html	CONFIRM N/A
Oracle Critical Patch Update Advisory - July 2021	www.oracle.com text/html	MISC www.oracle.com//security-alerts/cpujul2021.html
	cert-portal.siemens.com application/pdf	CONFIRM cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Oracle Critical Patch Update Advisory - October 2021	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - January 2022	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujan2022.html
Regular Expression Denial of Service (ReDoS) in org.webjars.bowergithub.lodash:lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A
Regular Expression Denial of Service (ReDoS) in org.fujion.webjars:lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A
Oracle Critical Patch Update Advisory - July 2022	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujul2022.html
lodash/trimEnd.js at npm · lodash/lodash · GitHub	Broken Link github.com text/html	CONFIRM N/A
Regular Expression Denial of Service (ReDoS) in org.webjars:lodash \| Snyk	Exploit Third Party Advisory snyk.io text/html	CONFIRM N/A

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)

Exploit/POC from Github

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, tri…

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Lodash	Lodash	All	All	All	All
Application	Lodash	Lodash	All	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.2.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.3.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.5.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.2.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.3.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.5.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.2.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.3.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.5.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.2.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.3.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.5.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.2.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.3.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.5.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.11.0	All	All	All
Application	Oracle	Communications Design Studio	7.4.2	All	All	All
Application	Oracle	Communications Services Gatekeeper	7.0	All	All	All
Application	Oracle	Communications Session Border Controller	8.4	All	All	All
Application	Oracle	Communications Session Border Controller	9.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.2.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.3.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	2.5.2.1	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	3.0.0.0	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	19.0	All	All	All
Application	Siemens	Sinec Ins	All	All	All	All
Application	Siemens	Sinec Ins	1.0	-	All	All
Application	Siemens	Sinec Ins	1.0	sp1	All	All

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*:
cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*:
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*:
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*:
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*:

Discovery Credit

Liyuan Chen

Social Mentions

Source	Title	Posted (UTC)