CVE-2021-23337

Summary

CVE	CVE-2021-23337
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-02-15 13:15:00 UTC
Updated	2022-09-13 21:25:00 UTC
Description	Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Risk And Classification

Problem Types: CWE-94

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Lodash	Lodash	All	All	All	All
Application	Lodash	Lodash	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Cloud Manager	-	All	All	All
Application	Netapp	System Manager	9.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.2.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.3.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.5.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.2.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.3.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.5.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.2.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.3.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.5.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.2.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.3.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.5.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.2.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.3.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.5.0	All	All	All
Application	Oracle	Communications Cloud Native Core Binding Support Function	1.9.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.11.0	All	All	All
Application	Oracle	Communications Design Studio	7.4.2.0.0	All	All	All
Application	Oracle	Communications Services Gatekeeper	7.0	All	All	All
Application	Oracle	Communications Session Border Controller	8.4	All	All	All
Application	Oracle	Communications Session Border Controller	9.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.2.0	All	All	All
Application	Oracle	Enterprise Communications Broker	3.3.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	2.5.2.1	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	3.0.0.0	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	19.0	All	All	All
Application	Siemens	Sinec Ins	All	All	All	All
Application	Siemens	Sinec Ins	1.0	-	All	All
Application	Siemens	Sinec Ins	1.0	sp1	All	All

References

Reference	Source	Link	Tags
Command Injection in org.webjars.bowergithub.lodash:lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
Command Injection in lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
Command Injection in org.webjars.bower:lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
Command Injection in org.webjars:lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
February 2021 Lodash Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf	CONFIRM	cert-portal.siemens.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/l...	MISC	github.com	Broken Link
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Command Injection in org.webjars.npm:lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
Command Injection in org.fujion.webjars:lodash \| Snyk	MISC	snyk.io	Exploit, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
lodash/lodash.js at ddfd9b11a0126db2302cb70ec9973b66baec0975 · lodash/lodash · GitHub	MITRE	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Marc Hassan

Legacy QID Mappings

180353 Debian Security Update for node-lodash (CVE-2021-23337)
376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
377842 Lodash Command Injection Vulnerability
980336 Nodejs (npm) Security Update for lodash (GHSA-35jh-r3h4-6jhm)