CVE-2021-23337

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf	Patch Third Party Advisory
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851	Broken Link
https://security.netapp.com/advisory/ntap-20210312-0006/	Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-1040724	Exploit Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:::::::*
	cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
	cpe:2.3:a:oracle:communications_session_border_controller:8.4:::::::*
	cpe:2.3:a:oracle:communications_session_border_controller:9.0:::::::*
	cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*
	cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_manager:-:::::::*
	cpe:2.3:a:netapp:system_manager:9.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::

History

13 Sep 2022, 21:25

Type	Values Removed	Values Added
First Time		Oracle financial Services Crime And Compliance Management Studio Siemens sinec Ins Siemens Oracle health Sciences Data Management Workbench
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:siemens:sinec_ins:::::::: cpe:2.3:a:siemens:sinec_ins:1.0:-:::::: cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::* cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::* cpe:2.3:a:siemens:sinec_ins:1.0:sp1:::::: cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::* cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*

13 Sep 2022, 12:15

Type	Values Removed	Values Added
References		(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf -

25 Jul 2022, 18:15

Type	Values Removed	Values Added
CWE	~~CWE-77~~	CWE-94
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

04 Apr 2022, 13:32

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::* cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:::::::* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
First Time		Oracle communications Services Gatekeeper Oracle peoplesoft Enterprise Peopletools Oracle retail Customer Management And Segmentation Foundation Oracle jd Edwards Enterpriseone Tools Oracle communications Cloud Native Core Binding Support Function

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

07 Dec 2021, 20:52

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::* cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere:: cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:::::::* cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:::::::* cpe:2.3:a:oracle:communications_session_border_controller:8.4:::::::* cpe:2.3:a:netapp:cloud_manager:-:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:::::::* cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:::::::* cpe:2.3:a:oracle:communications_session_border_controller:9.0:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:::::::* cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::* cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:::::::* cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:::::::* cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:::::::* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:::::::* cpe:2.3:a:oracle:primavera_unifier:18.8:::::::* cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows:: cpe:2.3:a:oracle:primavera_unifier:::::::: cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:::::::* cpe:2.3:a:oracle:primavera_unifier:19.12:::::::* cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:::::::* cpe:2.3:a:oracle:primavera_unifier:20.12:::::::* cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:::::::* cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux:: cpe:2.3:a:netapp:system_manager:9.0:::::::* cpe:2.3:a:oracle:primavera_gateway:::::::: cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:::::::* cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:::::::* cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:::::::*

20 Oct 2021, 11:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

26 Mar 2021, 02:42

Type	Values Removed	Values Added
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210312-0006/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210312-0006/ - Third Party Advisory

18 Mar 2021, 16:15

Type	Values Removed	Values Added
Summary	~~All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.~~	Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

12 Mar 2021, 13:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210312-0006/ -

01 Mar 2021, 21:59

Type	Values Removed	Values Added
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 - Exploit~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 - Exploit, Third Party Advisory

26 Feb 2021, 15:45

Type	Values Removed	Values Added
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 -~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 - Exploit, Third Party Advisory
References	~~(MISC) https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 -~~	(MISC) https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 - Broken Link
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 -~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 - Exploit, Third Party Advisory
References	~~(MISC) https://snyk.io/vuln/SNYK-JS-LODASH-1040724 -~~	(MISC) https://snyk.io/vuln/SNYK-JS-LODASH-1040724 - Exploit, Third Party Advisory
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 -~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 - Exploit, Third Party Advisory
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 -~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 - Exploit
References	~~(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 -~~	(MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 - Exploit, Third Party Advisory
CPE		cpe:2.3:a:lodash:lodash::::::node.js::*
CWE		CWE-77
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 7.2

15 Feb 2021, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-02-15 13:15

Updated : 2023-12-10 13:41

NVD link : CVE-2021-23337

Mitre link : CVE-2021-23337

CVE.ORG link : CVE-2021-23337

JSON object : View

Products Affected

oracle

banking_supply_chain_finance
communications_session_border_controller
primavera_unifier
banking_extensibility_workbench
jd_edwards_enterpriseone_tools
communications_design_studio
retail_customer_management_and_segmentation_foundation
communications_cloud_native_core_policy
financial_services_crime_and_compliance_management_studio
communications_services_gatekeeper
primavera_gateway
banking_corporate_lending_process_management
banking_trade_finance_process_management
communications_cloud_native_core_binding_support_function
banking_credit_facilities_process_management
health_sciences_data_management_workbench
peoplesoft_enterprise_peopletools
enterprise_communications_broker

siemens

sinec_ins

netapp

cloud_manager
system_manager
active_iq_unified_manager

lodash

lodash

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.2 /10