Vulnerability Name: | CVE-2021-23337 (CCN-196797) |
Assigned: | 2021-02-15 |
Published: | 2021-02-15 |
Updated: | 2022-09-13 |
Summary: | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
CVSS v3 Severity: | 7.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R) |
| Exploitability Metrics: Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): High | User Interaction (UI): None |
| Scope: Scope (S): Unchanged |
| Impact Metrics: Confidentiality (C): High | Integrity (I): High | Availability (A): High |
| 7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R) |
| Exploitability Metrics: Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): High | User Interaction (UI): None |
| Scope: Scope (S): Unchanged |
| Impact Metrics: Confidentiality (C): High | Integrity (I): High | Availability (A): High |
CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P) |
| Exploitability Metrics: Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): Single_Instance |
| Impact Metrics: Confidentiality (C): Partial | Integrity (I): Partial | Availability (A): Partial |
| 9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C) |
| Exploitability Metrics: Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): Single_Instance |
| Impact Metrics: Confidentiality (C): Complete | Integrity (I): Complete | Availability (A): Complete |
Vulnerability Type: | CWE-94 |
Vulnerability Consequences: | Gain Access |
References: | Source: MITRE Type: CNA CVE-2021-23337
Source: CONFIRM Type: Patch, Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Source: XF Type: UNKNOWN nodejs-cve202123337-cmd-exec(196797)
Source: MISC Type: Broken Link https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20210312-0006/
Source: CCN Type: SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Command Injection
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
Source: CCN Type: SNYK-JS-LODASH-1040724 Command Injection
Source: MISC Type: Exploit, Third Party Advisory https://snyk.io/vuln/SNYK-JS-LODASH-1040724
Source: CCN Type: IBM Security Bulletin 6444081 (Watson OpenScale) IBM Watson OpenScale on Cloud Pak for Data is impacted by Vulnerabilities in Node.js
Source: CCN Type: IBM Security Bulletin 6448836 (Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337)
Source: CCN Type: IBM Security Bulletin 6450779 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js
Source: CCN Type: IBM Security Bulletin 6451791 (Cloud Automation Manager) A security vulnerability in Node.js Lodash module affects IBM Cloud Automation Manager.
Source: CCN Type: IBM Security Bulletin 6454579 (Cloud Pak for Multicloud Management) A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Managed Service
Source: CCN Type: IBM Security Bulletin 6462883 (Integration Bus) IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-23337)
Source: CCN Type: IBM Security Bulletin 6465183 (Cloud Pak for Integration) IBM Cloud Pak for Integration is vulnerable to Node.js lodash vulnerability (CVE-2021-23337)
Source: CCN Type: IBM Security Bulletin 6465927 (Cloud Transformation Advisor) IBM Cloud Transformation Advisor is affected by Node.js vulnerability
Source: CCN Type: IBM Security Bulletin 6469135 (Security Guardium Insights) IBM Security Guardium Insights is affected by multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6476630 (WA for ICP) Potential vulnerability with Node.js lodash module
Source: CCN Type: IBM Security Bulletin 6483681 (API Connect) IBM API Connect is impacted by multiple vulnerabilities in Drupal dated modernizr library
Source: CCN Type: IBM Security Bulletin 6484923 (Spectrum Protect Plus) Vulnerabilities in Apache Commons and Node.js affect IBM Spectrum Protect Plus
Source: CCN Type: IBM Security Bulletin 6486333 (Cloud Private) IBM Cloud Private is vulnerable to Node.js lodash vulnerabilities (CVE-2021-23337)
Source: CCN Type: IBM Security Bulletin 6493729 (Cloud Pak for Security) Cloud Pak for Security is vulnerable to several CVEs
Source: CCN Type: IBM Security Bulletin 6493751 (VM Recovery Manager HA for Power Systems) Vulnerability in lodash affects IBM VM Recovery Manager HA GUI
Source: CCN Type: IBM Security Bulletin 6494365 (VM Recovery Manager DR for Power Systems) Vulnerability in lodash affects IBM VM Recovery Manager DR GUI
Source: CCN Type: IBM Security Bulletin 6524656 (PowerHA SystemMirror) Lodash versions prior to 4.17.21 vulnerability in PowerHA
Source: CCN Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace) IBM Planning Analytics Workspace is affected by security vulnerabilities
Source: CCN Type: IBM Security Bulletin 6568787 (Cloud Pak for Security) Cloud Pak for Security contains packages that have multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6570957 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6574021 (Process Mining) Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs)
Source: CCN Type: IBM Security Bulletin 6574043 (Process Mining) Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500)
Source: CCN Type: IBM Security Bulletin 6575667 (Spectrum Discover) High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)
Source: CCN Type: IBM Security Bulletin 6589581 (Security QRadar Analyst Workflow) Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6598689 (Tivoli Netcool/OMNIbus WebGUI) Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)
Source: CCN Type: IBM Security Bulletin 6602303 (UrbanCode Velocity) CVE-2021-23337
Source: CCN Type: IBM Security Bulletin 6612727 (Cloud Pak System Software) Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System
Source: CCN Type: IBM Security Bulletin 6830017 (QRadar Pulse App) QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Source: CCN Type: IBM Security Bulletin 6838293 (QRadar Assistant) IBM QRadar Assistant app for IBM QRadar SIEM includes components with multiple known vulnerabilities
Source: CCN Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation) Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform
Source: CCN Type: IBM Security Bulletin 6966416 (Engineering Workflow Management) IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
Source: CCN Type: IBM Security Bulletin 6991637 (Edge Application Manager) Open Source Dependency Vulnerability
Source: CCN Type: NPM Web site lodash
Source: CCN Type: Oracle CPUJan2022 Oracle Critical Patch Update Advisory - January 2022
Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpujan2022.html
Source: CCN Type: Oracle CPUJul2022 Oracle Critical Patch Update Advisory - July 2022
Source: CCN Type: Oracle CPUOct2021 Oracle Critical Patch Update Advisory - October 2021
Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html
|
Vulnerable Configuration: |
Configuration 1:
cpe:/a:lodash:lodash:*:*:*:*:*:node.js:*:* (Version < 4.17.21)
Configuration 2:
cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12)
OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 17.12.0 and <= 17.12.11)
OR cpe:/a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*
OR cpe:/a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 20.12.0 and <= 20.12.7)
OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 19.12.0 and <= 19.12.11)
OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 18.8.0 and <= 18.8.12)
OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version < 9.2.6.1)
OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*
OR cpe:/a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
Configuration 3:
cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
OR cpe:/a:netapp:cloud_manager:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:system_manager:9.0:*:*:*:*:*:*:*
Configuration 4:
cpe:/a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
OR cpe:/a:siemens:sinec_ins:*:*:*:*:*:*:*:* (Version < 1.0)
OR cpe:/a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_qradar_analyst_workflow:1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:tivoli_netcool/omnibus_webgui:8.1.0:*:*:*:*:*:*:*
|
Affected Components: | Vendor | Product | Version | Update |
| lodash | lodash | * | |
| oracle | primavera unifier | 18.8 | |
| oracle | primavera unifier | * | |
| oracle | peoplesoft enterprise peopletools | 8.58 | |
| oracle | primavera unifier | 19.12 | |
| oracle | retail customer management and segmentation foundation | 19.0 | |
| oracle | communications services gatekeeper | 7.0 | |
| oracle | enterprise communications broker | 3.2.0 | |
| oracle | primavera unifier | 20.12 | |
| oracle | banking extensibility workbench | 14.3.0 | |
| oracle | banking trade finance process management | 14.3.0 | |
| oracle | banking credit facilities process management | 14.3.0 | |
| oracle | banking corporate lending process management | 14.3.0 | |
| oracle | peoplesoft enterprise peopletools | 8.59 | |
| oracle | primavera gateway | * | |
| oracle | communications session border controller | 8.4 | |
| oracle | communications session border controller | 9.0 | |
| oracle | primavera gateway | * | |
| oracle | primavera gateway | * | |
| oracle | primavera gateway | * | |
| oracle | banking supply chain finance | 14.2.0 | |
| oracle | banking trade finance process management | 14.5.0 | |
| oracle | banking credit facilities process management | 14.2.0 | |
| oracle | banking credit facilities process management | 14.5.0 | |
| oracle | banking corporate lending process management | 14.2.0 | |
| oracle | banking corporate lending process management | 14.5.0 | |
| oracle | banking supply chain finance | 14.5.0 | |
| oracle | banking supply chain finance | 14.3.0 | |
| oracle | banking trade finance process management | 14.2.0 | |
| oracle | banking extensibility workbench | 14.2.0 | |
| oracle | banking extensibility workbench | 14.5.0 | |
| oracle | enterprise communications broker | 3.3.0 | |
| oracle | communications design studio | 7.4.2.0.0 | |
| oracle | communications cloud native core policy | 1.11.0 | |
| oracle | communications cloud native core binding support function | 1.9.0 | |
| oracle | jd edwards enterpriseone tools | * | |
| oracle | financial services crime and compliance management studio | 8.0.8.3.0 | |
| oracle | health sciences data management workbench | 2.5.2.1 | |
| oracle | health sciences data management workbench | 3.0.0.0 | |
| oracle | financial services crime and compliance management studio | 8.0.8.2.0 | |
| netapp | active iq unified manager | - | |
| netapp | active iq unified manager | - | |
| netapp | active iq unified manager | - | |
| netapp | cloud manager | - | |
| netapp | system manager | 9.0 | |
| siemens | sinec ins | 1.0 | sp1 |
| siemens | sinec ins | * | |
| siemens | sinec ins | 1.0 | - |
| nodejs | node.js | * | |
| oracle | primavera unifier | 17.12 | |
| oracle | primavera unifier | 18.8 | |
| ibm | integration bus | 10.0.0 | |
| ibm | app connect | 11.0.0.0 | |
| ibm | mobilefirst platform foundation | 8.0.0 | |
| ibm | watson discovery | 2.0.0 | |
| ibm | api connect | 2018.4.1.0 | |
| ibm | cloud private | 3.2.1 | cd |
| ibm | spectrum protect plus | 10.1.6 | |
| ibm | cloud private | 3.2.2 | cd |
| ibm | api connect | 10.0.0.0 | |
| ibm | engineering workflow management | 7.0.1 | |
| ibm | engineering workflow management | 7.0.2 | |
| ibm | spectrum protect plus | 10.1.7 | |
| ibm | watson discovery | 2.2.1 | |
| ibm | api connect | 2018.4.1.16 | |
| ibm | spectrum protect plus | 10.1.8 | |
| ibm | cloud pak for security | 1.7.0.0 | |
| ibm | cloud pak for security | 1.7.1.0 | |
| ibm | cloud pak for security | 1.7.2.0 | |
| ibm | cognos analytics | 11.2.0 | |
| ibm | cognos analytics | 11.1.7 | |
| ibm | cognos analytics | 11.2.1 | |
| ibm | planning analytics workspace | 2.0 | |
| ibm | security qradar analyst workflow | 1.0 | |
| ibm | tivoli netcool/omnibus webgui | 8.1.0 | |