Vulnerability CVE-2020-28500 - CERT Civis.Net

Vulnerability Name:

CVE-2020-28500 (CCN-196972)

Assigned:

2020-11-12

Published:

2021-02-15

Updated:

2022-09-13

Summary:

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2020-28500

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

Source: XF
Type: UNKNOWN
nodejs-cve202028500-dos(196972)

Source: CONFIRM
Type: Broken Link
N/A

Source: CONFIRM
Type: Patch, Third Party Advisory
N/A

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210312-0006/

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CCN
Type: SNYK-JS-LODASH-1018905
Regular Expression Denial of Service (ReDoS)

Source: CONFIRM
Type: Exploit, Third Party Advisory
N/A

Source: CCN
Type: IBM Security Bulletin 6450000 (Integration Bus)
IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2020-28500)

Source: CCN
Type: IBM Security Bulletin 6450779 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6451593 (Cloud Automation Manager)
A security vulnerability in Node.js Lodash module affects IBM Cloud Automation Manager.

Source: CCN
Type: IBM Security Bulletin 6453073 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service

Source: CCN
Type: IBM Security Bulletin 6465181 (Cloud Pak for Integration)
IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2020-28500)

Source: CCN
Type: IBM Security Bulletin 6465933 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by Node.js vulnerability

Source: CCN
Type: IBM Security Bulletin 6469135 (Security Guardium Insights)
IBM Security Guardium Insights is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6476626 (WA for ICP)
Potential vulnerability with Node.js lodash module

Source: CCN
Type: IBM Security Bulletin 6483681 (API Connect)
IBM API Connect is impacted by multiple vulnerabilities in Drupal dated modernizr library

Source: CCN
Type: IBM Security Bulletin 6484923 (Spectrum Protect Plus)
Vulnerabilities in Apache Commons and Node.js affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6486341 (Cloud Private)
IBM Cloud Private is vulnerable to Node.js lodash vulnerabilities (CVE-2020-28500)

Source: CCN
Type: IBM Security Bulletin 6493751 (VM Recovery Manager HA for Power Systems)
Vulnerability in lodash affects IBM VM Recovery Manager HA GUI

Source: CCN
Type: IBM Security Bulletin 6494365 (VM Recovery Manager DR for Power Systems)
Vulnerability in lodash affects IBM VM Recovery Manager DR GUI

Source: CCN
Type: IBM Security Bulletin 6524656 (PowerHA SystemMirror)
Lodash versions prior to 4.17.21 vulnerability in PowerHA

Source: CCN
Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6568787 (Cloud Pak for Security)
Cloud Pak for Security contains packages that have multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570957 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6574043 (Process Mining)
Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500)

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6589581 (Security QRadar Analyst Workflow)
Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6598689 (Tivoli Netcool/OMNIbus WebGUI)
Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)

Source: CCN
Type: IBM Security Bulletin 6602305 (UrbanCode Velocity)
CVE-2020-28500

Source: CCN
Type: IBM Security Bulletin 6612727 (Cloud Pak System Software)
Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6838293 (QRadar Assistant)
IBM QRadar Assistant app for IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6966416 (Engineering Workflow Management)
IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203

Source: CCN
Type: IBM Security Bulletin 6991637 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: NPM Web site
lodash

Source: N/A
Type: Not Applicable, Third Party Advisory
N/A

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:lodash:lodash:*:*:*:*:*:node.js:*:* (Version < 4.17.21)

Configuration 2:

cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12)

OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 17.12.0 and <= 17.12.11)

OR cpe:/a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 20.12.0 and <= 20.12.7)

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 19.12.0 and <= 19.12.11)

OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 18.8.0 and <= 18.8.12)

OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version < 9.2.6.1)

OR cpe:/a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*

OR cpe:/a:siemens:sinec_ins:*:*:*:*:*:*:*:* (Version < 1.0)

OR cpe:/a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*

OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_qradar_analyst_workflow:1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_netcool/omnibus_webgui:8.1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable