Vulnerability Description
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score
7.2
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lodash | Lodash | < 4.17.21 |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Extensibility Workbench | 14.2.0 |
| Oracle | Banking Supply Chain Finance | 14.2.0 |
| Oracle | Banking Trade Finance Process Management | 14.2.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.9.0 |
| Oracle | Communications Cloud Native Core Policy | 1.11.0 |
| Oracle | Communications Design Studio | 7.4.2.0.0 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Session Border Controller | 8.4 |
| Oracle | Enterprise Communications Broker | 3.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Health Sciences Data Management Workbench | 2.5.2.1 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.1 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | 19.0 |
| Netapp | Active Iq Unified Manager | - |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdfPatchThird Party Advisory
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lBroken Link
- https://security.netapp.com/advisory/ntap-20210312-0006/Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724ExploitThird Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdfPatchThird Party Advisory
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lBroken Link
FAQ
What is CVE-2021-23337?
CVE-2021-23337 is a vulnerability with a CVSS score of 7.2 (HIGH). Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
How severe is CVE-2021-23337?
CVE-2021-23337 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23337?
Check the references section above for vendor advisories and patch information. Affected products include: Lodash Lodash, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management, Oracle Banking Extensibility Workbench, Oracle Banking Supply Chain Finance.