1. Home
  2. Vulnerabilities
  3. CVE-2021-23337
7.2
HIGH CVSS 3.1
CVE-2021-23337
Command Injection
Overview
Description

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Details
INFO

Published Date :

Feb. 15, 2021, 1:15 p.m.

Last Modified :

Nov. 21, 2024, 5:51 a.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Impact
Affected Products

The following products are affected by CVE-2021-23337 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Oracle peoplesoft_enterprise_peopletools
2 Oracle retail_customer_management_and_segmentation_foundation
3 Oracle primavera_unifier
4 Oracle jd_edwards_enterpriseone_tools
5 Oracle communications_cloud_native_core_policy
6 Oracle communications_services_gatekeeper
7 Oracle banking_corporate_lending_process_management
8 Oracle banking_credit_facilities_process_management
9 Oracle banking_extensibility_workbench
10 Oracle banking_supply_chain_finance
11 Oracle primavera_gateway
12 Oracle communications_design_studio
13 Oracle communications_cloud_native_core_binding_support_function
14 Oracle communications_session_border_controller
15 Oracle enterprise_communications_broker
16 Oracle banking_trade_finance_process_management
17 Oracle health_sciences_data_management_workbench
18 Oracle financial_services_crime_and_compliance_management_studio
1 Netapp active_iq_unified_manager
2 Netapp cloud_manager
3 Netapp system_manager
1 Siemens sinec_ins
1 Lodash lodash
: Total Affected Vendor : 4 | Products : 23
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 2.0 MEDIUM [email protected]
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH [email protected]
Solution
This addresses a command injection vulnerability in Lodash via the template function.
  • Upgrade Lodash to version 4.17.21 or later.
  • Apply the appropriate vendor security patch.
  • Update the affected product to a patched version.
Public PoC/Exploit Available at Github

CVE-2021-23337 has a 293 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2021-23337.

URL Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf Patch Third Party Advisory
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 Broken Link
https://security.netapp.com/advisory/ntap-20210312-0006/ Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-1040724 Exploit Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf Patch Third Party Advisory
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 Broken Link
https://security.netapp.com/advisory/ntap-20210312-0006/ Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-1040724 Exploit Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2021-23337 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2021-23337 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
actions-marketplace-validations/glferreira-devsecops_cascavel-dependency-audit

None

Shell

Updated: 1 day, 16 hours ago
0 stars 0 fork 0 watcher
Born at : June 17, 2026, 3:53 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
mej23a/adjudica-fixture-repo

None

Updated: 2 days, 11 hours ago
0 stars 0 fork 0 watcher
Born at : June 16, 2026, 8:51 p.m. This repo has been linked 5 different CVEs too.
Profile Photo
snowcapped-morula414/bingo

Automate penetration testing workflows using an AI-powered terminal.

bingai bingo bingo-game gambling gerador go gomodules gpt minecraft minecraft-datapack modules mongodb packages react socket-io typescript vanilla-js versioning workflow

Python PowerShell Shell

Updated: 1 day, 17 hours ago
0 stars 0 fork 0 watcher
Born at : June 16, 2026, 4:59 a.m. This repo has been linked 24 different CVEs too.
Profile Photo
Psamuel-dev/teste-apresentacao

None

JavaScript

Updated: 3 days, 4 hours ago
0 stars 0 fork 0 watcher
Born at : June 16, 2026, 3:51 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
Psamuel-dev/projeto-seguranca-V2

None

JavaScript

Updated: 3 days, 4 hours ago
0 stars 0 fork 0 watcher
Born at : June 16, 2026, 3:13 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
mstampfli/cve2detect

Turn a CVE into Sigma/Nuclei detection-rule skeletons and a repro scaffold

Python

Updated: 4 days, 4 hours ago
0 stars 0 fork 0 watcher
Born at : June 14, 2026, 11:52 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
blacklatch-cybersecurity/supply-chain-security-scanner

Automated security scanner for dependencies, vulnerabilities, and compliance in software supply chains

JavaScript TypeScript Dockerfile

Updated: 6 days, 17 hours ago
0 stars 0 fork 0 watcher
Born at : June 12, 2026, 2:25 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
bingook/bingo

Bingo - AI-powered Red Team Terminal (DeepSeek/Claude/GPT/GLM)

Python PowerShell Shell

Updated: 2 days, 15 hours ago
189 stars 21 fork 21 watcher
Born at : June 12, 2026, 10:26 a.m. This repo has been linked 26 different CVEs too.
Profile Photo
alvidul/vulnrank

Local-first endpoint vulnerability and posture scanner with OSV, KEV, EPSS, and P1-P4 prioritization

endpoint-security epss kev osv python security-tools vulnerability-management

Python Batchfile PowerShell

Updated: 5 days ago
0 stars 0 fork 0 watcher
Born at : June 11, 2026, 11:36 p.m. This repo has been linked 4 different CVEs too.
Profile Photo
mt2h/vulnerability-test

None

JavaScript

Updated: 1 week, 2 days ago
0 stars 1 fork 1 watcher
Born at : June 9, 2026, 7:18 p.m. This repo has been linked 11 different CVEs too.
Profile Photo
sheshisheriaspen/sentinel-test-snyk

Test repository with vulnerable dependencies for Snyk scanner integration testing

JavaScript

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : June 9, 2026, 2:45 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
khush-aziro/nodejs_migration_app

None

JavaScript HTML

Updated: 1 week, 3 days ago
0 stars 0 fork 0 watcher
Born at : June 9, 2026, 7:08 a.m. This repo has been linked 11 different CVEs too.
Profile Photo
dungnotnull/vibe-dependency-guard-agent

📦 Intelligent dependency governance agent for npm, Python, Rust, and Go. Detects duplicate libraries, evaluates security risks, enforces policies, recommends alternatives, and provides automated ecosystem intelligence.

TypeScript

Updated: 1 week, 2 days ago
2 stars 0 fork 0 watcher
Born at : June 9, 2026, 4:36 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
vishal755/cve-remediation-project

A deliberately vulnerable Notes web app (React + Spring MVC) paired with an autonomous AI agent that scans, plans, patches, and submits GitHub PRs to remediate CVE vulnerabilities.

Python Java HTML JavaScript CSS

Updated: 11 hours, 35 minutes ago
0 stars 0 fork 0 watcher
Born at : June 8, 2026, 8:26 p.m. This repo has been linked 4 different CVEs too.
Profile Photo
JasonTanz/fixing-dependency-vulnerabilities-demo

None

JavaScript

Updated: 1 week, 3 days ago
0 stars 0 fork 0 watcher
Born at : June 8, 2026, 1:47 p.m. This repo has been linked 20 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2021-23337 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2021-23337 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
    Added Reference https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
    Added Reference https://security.netapp.com/advisory/ntap-20210312-0006/
    Added Reference https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
    Added Reference https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
    Added Reference https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
    Added Reference https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
    Added Reference https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
    Added Reference https://snyk.io/vuln/SNYK-JS-LODASH-1040724
    Added Reference https://www.oracle.com//security-alerts/cpujul2021.html
    Added Reference https://www.oracle.com/security-alerts/cpujan2022.html
    Added Reference https://www.oracle.com/security-alerts/cpujul2022.html
    Added Reference https://www.oracle.com/security-alerts/cpuoct2021.html
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • Modified Analysis by [email protected]

    Sep. 13, 2022

    Action Type Old Value New Value
    Changed Reference Type https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf No Types Assigned https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf Patch, Third Party Advisory
    Changed Reference Type https://www.oracle.com/security-alerts/cpujul2022.html No Types Assigned https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory
    Changed CPE Configuration OR *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.6.1 *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0 up to (including) 17.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0 up to (including) 18.8.12 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0 up to (including) 19.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 20.12.0 up to (including) 20.12.7 *cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7 up to (including) 17.12 *cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* OR *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:* *cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.6.1 *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0 up to (including) 17.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0 up to (including) 18.8.12 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0 up to (including) 19.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 20.12.0 up to (including) 20.12.7 *cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7 up to (including) 17.12 *cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:* versions up to (excluding) 1.0 *cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* *cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Sep. 13, 2022

    Action Type Old Value New Value
    Added Reference https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf [No Types Assigned]
  • CVE Modified by [email protected]

    Jul. 25, 2022

    Action Type Old Value New Value
    Added Reference https://www.oracle.com/security-alerts/cpujul2022.html [No Types Assigned]
  • CWE Remap by [email protected]

    Jun. 28, 2022

    Action Type Old Value New Value
    Changed CWE CWE-77 CWE-94
  • Modified Analysis by [email protected]

    Apr. 04, 2022

    Action Type Old Value New Value
    Changed Reference Type https://www.oracle.com/security-alerts/cpujan2022.html No Types Assigned https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory
    Changed CPE Configuration OR *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0 up to (including) 17.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0 up to (including) 18.8.12 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0 up to (including) 19.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 20.12.0 up to (including) 20.12.7 *cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7 up to (including) 17.12 *cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* OR *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.6.1 *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0 up to (including) 17.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0 up to (including) 18.8.12 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0 up to (including) 19.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 20.12.0 up to (including) 20.12.7 *cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7 up to (including) 17.12 *cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Feb. 07, 2022

    Action Type Old Value New Value
    Added Reference https://www.oracle.com/security-alerts/cpujan2022.html [No Types Assigned]
  • Modified Analysis by [email protected]

    Dec. 07, 2021

    Action Type Old Value New Value
    Changed Reference Type https://www.oracle.com//security-alerts/cpujul2021.html No Types Assigned https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory
    Changed Reference Type https://www.oracle.com/security-alerts/cpuoct2021.html No Types Assigned https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory
    Added CPE Configuration OR *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:* *cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0 up to (including) 17.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0 up to (including) 18.8.12 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0 up to (including) 19.12.11 *cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 20.12.0 up to (including) 20.12.7 *cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7 up to (including) 17.12 *cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* *cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* *cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:* *cpe:2.3:a:netapp:system_manager:9.0:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Oct. 20, 2021

    Action Type Old Value New Value
    Added Reference https://www.oracle.com/security-alerts/cpuoct2021.html [No Types Assigned]
  • CVE Modified by [email protected]

    Jul. 20, 2021

    Action Type Old Value New Value
    Added Reference https://www.oracle.com//security-alerts/cpujul2021.html [No Types Assigned]
  • Modified Analysis by [email protected]

    Mar. 26, 2021

    Action Type Old Value New Value
    Changed Reference Type https://security.netapp.com/advisory/ntap-20210312-0006/ No Types Assigned https://security.netapp.com/advisory/ntap-20210312-0006/ Third Party Advisory
  • CVE Modified by [email protected]

    Mar. 18, 2021

    Action Type Old Value New Value
    Changed Description All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template. Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  • CVE Modified by [email protected]

    Mar. 12, 2021

    Action Type Old Value New Value
    Added Reference https://security.netapp.com/advisory/ntap-20210312-0006/ [No Types Assigned]
  • Reanalysis by [email protected]

    Mar. 01, 2021

    Action Type Old Value New Value
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Exploit https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Exploit, Third Party Advisory
    Changed CPE Configuration OR *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* OR *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* versions up to (excluding) 4.17.21
  • Initial Analysis by [email protected]

    Feb. 26, 2021

    Action Type Old Value New Value
    Added CVSS V2 NIST (AV:N/AC:L/Au:S/C:P/I:P/A:P)
    Added CVSS V3.1 NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 No Types Assigned https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 Broken Link
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 No Types Assigned https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 Exploit
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 No Types Assigned https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 Exploit, Third Party Advisory
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 No Types Assigned https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 Exploit, Third Party Advisory
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 No Types Assigned https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 Exploit, Third Party Advisory
    Changed Reference Type https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 No Types Assigned https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 Exploit, Third Party Advisory
    Changed Reference Type https://snyk.io/vuln/SNYK-JS-LODASH-1040724 No Types Assigned https://snyk.io/vuln/SNYK-JS-LODASH-1040724 Exploit, Third Party Advisory
    Added CWE NIST CWE-77
    Added CPE Configuration OR *cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 7.2
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Base CVSS Score: 6.5
Access Vector
Access Complexity
Authentication
Confidentiality Impact
Integrity Impact
Availability Impact
EPSS
Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

22.41 }} 20.01%

score

0.97390

percentile