CVE-2020-28500: Regular Expression Denial of Service (ReDoS)
First published: Mon Feb 15 2021(Updated: )
A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cockpit-ovirt | <0:0.15.1-2.el8e | 0:0.15.1-2.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.2.6-1.el8e | 0:1.2.6-1.el8e |
| redhat/ovirt-web-ui | <0:1.6.9-1.el8e | 0:1.6.9-1.el8e |
| npm/lodash.trim | <=4.5.1 | |
| npm/lodash.trimend | <=4.5.1 | |
| npm/lodash-es | <4.17.21 | 4.17.21 |
| npm/lodash | <4.17.21 | 4.17.21 |
| redhat/nodejs-lodash | <4.17.21 | 4.17.21 |
| Lodash Lodash Node.js | <4.17.21 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Extensibility Workbench | =14.2.0 | |
| Oracle Banking Extensibility Workbench | =14.3.0 | |
| Oracle Banking Extensibility Workbench | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Banking Trade Finance Process Management | =14.2.0 | |
| Oracle Banking Trade Finance Process Management | =14.3.0 | |
| Oracle Banking Trade Finance Process Management | =14.5.0 | |
| Oracle Communications Cloud Native Core Policy | =1.11.0 | |
| Oracle Communications Design Studio | =7.4.2 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Session Border Controller | =8.4 | |
| Oracle Communications Session Border Controller | =9.0 | |
| Oracle Enterprise Communications Broker | =3.2.0 | |
| Oracle Enterprise Communications Broker | =3.3.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
| Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Gateway | >=17.12.0<=17.12.11 | |
| Oracle Primavera Gateway | >=18.8.0<=18.8.12 | |
| Oracle Primavera Gateway | >=19.12.0<=19.12.11 | |
| Oracle Primavera Gateway | >=20.12.0<=20.12.7 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Retail Customer Management and Segmentation Foundation | =19.0 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-28500
- https://github.com/lodash/lodash/pull/5065
- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196972
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928955
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928956
- https://access.redhat.com/errata/RHSA-2021:1168
- https://access.redhat.com/security/cve/cve-2020-28500
- https://access.redhat.com/errata/RHSA-2021:2179
- https://access.redhat.com/errata/RHSA-2021:2543
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:3459
- https://access.redhat.com/errata/RHSA-2022:6429
- https://bugzilla.redhat.com/show_bug.cgi?id=1928954
- https://www.cve.org/CVERecord?id=CVE-2020-28500 https://nvd.nist.gov/vuln/detail/CVE-2020-28500 https://snyk.io/vuln/SNYK-JS-LODASH-1018905
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-28500?
CVE-2020-28500 is a vulnerability in nodejs-lodash that allows for Regular Expression Denial of Service (ReDoS) attacks via the toNumber, trim, and trimEnd functions.
What is the severity of CVE-2020-28500?
CVE-2020-28500 has a severity rating of 7.5, which is considered high.
Which software versions are affected by CVE-2020-28500?
All versions of package lodash prior to 4.17.21 are vulnerable to CVE-2020-28500, including the following software versions: cockpit-ovirt 0:0.15.1-2.el8e, ovirt-engine-ui-extensions 0:1.2.6-1.el8e, ovirt-web-ui 0:1.6.9-1.el8e, nodejs-lodash 4.17.21, lodash.trim 4.17.21, lodash.trimend 4.17.21, lodash-es 4.17.21, and lodash 4.17.21.
How can I fix CVE-2020-28500?
To fix CVE-2020-28500, you should update the affected software packages to version 4.17.21 or later.
Where can I find more information about CVE-2020-28500?
You can find more information about CVE-2020-28500 at the following references: IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/vulnerabilities/196972), IBM Support (https://www.ibm.com/support/pages/node/6570957), CVE website (https://www.cve.org/CVERecord?id=CVE-2020-28500), NVD (https://nvd.nist.gov/vuln/detail/CVE-2020-28500), and Snyk (https://snyk.io/vuln/SNYK-JS-LODASH-1018905).
- collector/redhat-cve
- collector/github-advisory-latest
- alias/GHSA-29mw-wpgm-hmr9
- alias/CVE-2020-28500
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- agent/description
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event
- package-manager/redhat
- package-manager/npm
- vendor/lodash
- canonical/lodash lodash node.js
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking extensibility workbench
- version/oracle banking extensibility workbench/14.2.0
- version/oracle banking extensibility workbench/14.3.0
- version/oracle banking extensibility workbench/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2.0
- version/oracle banking trade finance process management/14.3.0
- version/oracle banking trade finance process management/14.5.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.11.0
- canonical/oracle communications design studio
- version/oracle communications design studio/7.4.2
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications session border controller
- version/oracle communications session border controller/8.4
- version/oracle communications session border controller/9.0
- canonical/oracle enterprise communications broker
- version/oracle enterprise communications broker/3.2.0
- version/oracle enterprise communications broker/3.3.0
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- canonical/oracle health sciences data management workbench
- version/oracle health sciences data management workbench/2.5.2.1
- version/oracle health sciences data management workbench/3.0.0.0
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.12
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.11
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/19.0
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1