RCE in Lodash
CVE-2021-23337
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.224 (97.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Lodash
- Netapp Active_iq_unified_manager
- Netapp Cloud_manager
- Netapp System_manager — versions 9.0
- Oracle Banking_corporate_lending_process_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_credit_facilities_process_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_extensibility_workbench — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_supply_chain_finance — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_trade_finance_process_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Communications_cloud_native_core_binding_support_function — versions 1.9.0
Weakness classification (CWE)
Public proof-of-concept exploits
- khayashi4337/lodash.template-fixed
- ARPSyndicate/cvemon
- Brook-5686/Node_
- ELHADANITAHA/OWASP-JSP-TP
- Eleson-Souza/security-scan-pipeline
- HotDB-Community/HotDB-Engine
- Icare741/TPTrivy
- JimmyJohnLakeCook/lodash-backport
- LSEG-API-Samples/Example.EWA.TypeScript.WebApplication
- MathisLeDev/-Guide-Trivy-Scanner-de-S-curit-
References
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Exploit, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (x_refsource_MISC, Broken Link)
- report@snyk.io (Patch, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (x_refsource_CONFIRM, Third Party Advisory)
- report@snyk.io (Patch, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-23337?
- CVE-2021-23337 is a high-severity vulnerability in Lodash, classified under Code Injection. CVSS score: 7.2/10. Published 2021-02-15.
- How severe is CVE-2021-23337?
- High severity. CVSS v3 base score is 7.2 out of 10.
- Is CVE-2021-23337 known to be exploited?
- 57 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.