CVE-2021-23337: Command Injection
First published: Mon Feb 15 2021(Updated: )
`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cockpit-ovirt | <0:0.15.1-2.el8e | 0:0.15.1-2.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.2.6-1.el8e | 0:1.2.6-1.el8e |
| redhat/ovirt-web-ui | <0:1.6.9-1.el8e | 0:1.6.9-1.el8e |
| redhat/nodejs-lodash | <4.17.21 | 4.17.21 |
| npm/lodash-template | <=1.0.0 | |
| npm/lodash.template | <=4.5.0 | |
| npm/lodash-es | <4.17.21 | 4.17.21 |
| npm/lodash | <4.17.21 | 4.17.21 |
| Lodash Lodash Node.js | <4.17.21 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Extensibility Workbench | =14.2.0 | |
| Oracle Banking Extensibility Workbench | =14.3.0 | |
| Oracle Banking Extensibility Workbench | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Banking Trade Finance Process Management | =14.2.0 | |
| Oracle Banking Trade Finance Process Management | =14.3.0 | |
| Oracle Banking Trade Finance Process Management | =14.5.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.9.0 | |
| Oracle Communications Cloud Native Core Policy | =1.11.0 | |
| Oracle Communications Design Studio | =7.4.2.0.0 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Session Border Controller | =8.4 | |
| Oracle Communications Session Border Controller | =9.0 | |
| Oracle Enterprise Communications Broker | =3.2.0 | |
| Oracle Enterprise Communications Broker | =3.3.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
| Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Gateway | >=17.12.0<=17.12.11 | |
| Oracle Primavera Gateway | >=18.8.0<=18.8.12 | |
| Oracle Primavera Gateway | >=19.12.0<=19.12.11 | |
| Oracle Primavera Gateway | >=20.12.0<=20.12.7 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Retail Customer Management and Segmentation Foundation | =19.0 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp Cloud Manager | ||
| Netapp System Manager | =9.0 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23337 https://nvd.nist.gov/vuln/detail/CVE-2021-23337 https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://bugzilla.redhat.com/show_bug.cgi?id=1928937
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2022:6429
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/errata/RHSA-2021:3459
- https://access.redhat.com/errata/RHSA-2021:2179
- https://access.redhat.com/security/cve/cve-2021-23337
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928939
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928938
- https://github.com/lodash/lodash/pull/5085/commits/23125079fc43ece274c0e3a49a644ae2dae8b1d3
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://access.redhat.com/errata/RHSA-2021:1168
- https://access.redhat.com/errata/RHSA-2021:2543
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://security.netapp.com/advisory/ntap-20210312-0006
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm (Advisory)
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196797
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-23337?
CVE-2021-23337 is a vulnerability in Lodash versions prior to 4.17.21 that allows command injection via the template function.
How does CVE-2021-23337 impact Node.js lodash module?
CVE-2021-23337 can allow a remote authenticated attacker to execute arbitrary commands on the system by exploiting a command injection flaw in the template.
Which software is affected by CVE-2021-23337?
Node.js lodash module versions prior to 4.17.21 are affected by CVE-2021-23337.
What is the severity of CVE-2021-23337?
CVE-2021-23337 has a severity rating of high.
How can I fix the CVE-2021-23337 vulnerability?
To fix the CVE-2021-23337 vulnerability, update Node.js lodash module to version 4.17.21 or later.
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23337
- agent/software-canonical-lookup
- agent/weakness
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-35jh-r3h4-6jhm
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/title
- agent/event
- package-manager/redhat
- package-manager/npm
- vendor/lodash
- canonical/lodash lodash node.js
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking extensibility workbench
- version/oracle banking extensibility workbench/14.2.0
- version/oracle banking extensibility workbench/14.3.0
- version/oracle banking extensibility workbench/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2.0
- version/oracle banking trade finance process management/14.3.0
- version/oracle banking trade finance process management/14.5.0
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.9.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.11.0
- canonical/oracle communications design studio
- version/oracle communications design studio/7.4.2.0.0
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications session border controller
- version/oracle communications session border controller/8.4
- version/oracle communications session border controller/9.0
- canonical/oracle enterprise communications broker
- version/oracle enterprise communications broker/3.2.0
- version/oracle enterprise communications broker/3.3.0
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- canonical/oracle health sciences data management workbench
- version/oracle health sciences data management workbench/2.5.2.1
- version/oracle health sciences data management workbench/3.0.0.0
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.12
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.11
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/19.0
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud manager
- canonical/netapp system manager
- version/netapp system manager/9.0
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0