Vulnerability Description
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lodash | Lodash | < 4.17.21 |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Extensibility Workbench | 14.2.0 |
| Oracle | Banking Supply Chain Finance | 14.2.0 |
| Oracle | Banking Trade Finance Process Management | 14.2.0 |
| Oracle | Communications Cloud Native Core Policy | 1.11.0 |
| Oracle | Communications Design Studio | 7.4.2 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Session Border Controller | 8.4 |
| Oracle | Enterprise Communications Broker | 3.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Health Sciences Data Management Workbench | 2.5.2.1 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.1 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | 19.0 |
| Siemens | Sinec Ins | < 1.0 |
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdfPatchThird Party Advisory
- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8Broken Link
- https://github.com/lodash/lodash/pull/5065PatchThird Party Advisory
- https://security.netapp.com/advisory/ntap-20210312-0006/Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905ExploitThird Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlNot ApplicableThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdfPatchThird Party Advisory
FAQ
What is CVE-2020-28500?
CVE-2020-28500 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
How severe is CVE-2020-28500?
CVE-2020-28500 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28500?
Check the references section above for vendor advisories and patch information. Affected products include: Lodash Lodash, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Extensibility Workbench, Oracle Banking Supply Chain Finance.