CVE-2020-28500

Summary

CVE	CVE-2020-28500
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-02-15 11:15:00 UTC
Updated	2022-09-13 21:18:00 UTC
Description	Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Lodash	Lodash	All	All	All	All
Application	Lodash	Lodash	All	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.2.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.3.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.5.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.2.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.3.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.5.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.2.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.3.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.5.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.2.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.3.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.5.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.2.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.3.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.5.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.11.0	All	All	All
Application	Oracle	Communications Design Studio	7.4.2	All	All	All
Application	Oracle	Communications Services Gatekeeper	7.0	All	All	All
Application	Oracle	Communications Session Border Controller	8.4	All	All	All
Application	Oracle	Communications Session Border Controller	9.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.2.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.3.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	2.5.2.1	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	3.0.0.0	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	19.0	All	All	All
Application	Siemens	Sinec Ins	All	All	All	All
Application	Siemens	Sinec Ins	1.0	-	All	All
Application	Siemens	Sinec Ins	1.0	sp1	All	All

References

Reference	Source	Link	Tags
Regular Expression Denial of Service (ReDoS) in lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
Regular Expression Denial of Service (ReDoS) in org.webjars.npm:lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
Regular Expression Denial of Service (ReDoS) in org.webjars.bower:lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
February 2021 Lodash Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
perf: improve performance of `toNumber`, `trim` and `trimEnd` on large input strings by falsyvalues · Pull Request #5065 · lodash/lodash · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf	CONFIRM	cert-portal.siemens.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Regular Expression Denial of Service (ReDoS) in org.webjars.bowergithub.lodash:lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
Regular Expression Denial of Service (ReDoS) in org.fujion.webjars:lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
N/A	CONFIRM	github.com	Broken Link
Regular Expression Denial of Service (ReDoS) in org.webjars:lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
lodash/trimEnd.js at npm · lodash/lodash · GitHub	MITRE	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Liyuan Chen

Legacy QID Mappings

376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)