Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-23337

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.2, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 23 products from lodash, from oracle, from oracle and 20 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2021, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2021-02-15T13:15:12.560

Last Modified

2024-11-21T05:51:31.643

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-94
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application lodash lodash < 4.17.21 Yes
Application oracle banking_corporate_lending_process_management 14.2.0 Yes
Application oracle banking_corporate_lending_process_management 14.3.0 Yes
Application oracle banking_corporate_lending_process_management 14.5.0 Yes
Application oracle banking_credit_facilities_process_management 14.2.0 Yes
Application oracle banking_credit_facilities_process_management 14.3.0 Yes
Application oracle banking_credit_facilities_process_management 14.5.0 Yes
Application oracle banking_extensibility_workbench 14.2.0 Yes
Application oracle banking_extensibility_workbench 14.3.0 Yes
Application oracle banking_extensibility_workbench 14.5.0 Yes
Application oracle banking_supply_chain_finance 14.2.0 Yes
Application oracle banking_supply_chain_finance 14.3.0 Yes
Application oracle banking_supply_chain_finance 14.5.0 Yes
Application oracle banking_trade_finance_process_management 14.2.0 Yes
Application oracle banking_trade_finance_process_management 14.3.0 Yes
Application oracle banking_trade_finance_process_management 14.5.0 Yes
Application oracle communications_cloud_native_core_binding_support_function 1.9.0 Yes
Application oracle communications_cloud_native_core_policy 1.11.0 Yes
Application oracle communications_design_studio 7.4.2.0.0 Yes
Application oracle communications_services_gatekeeper 7.0 Yes
Application oracle communications_session_border_controller 8.4 Yes
Application oracle communications_session_border_controller 9.0 Yes
Application oracle enterprise_communications_broker 3.2.0 Yes
Application oracle enterprise_communications_broker 3.3.0 Yes
Application oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0 Yes
Application oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0 Yes
Application oracle health_sciences_data_management_workbench 2.5.2.1 Yes
Application oracle health_sciences_data_management_workbench 3.0.0.0 Yes
Application oracle jd_edwards_enterpriseone_tools < 9.2.6.1 Yes
Application oracle peoplesoft_enterprise_peopletools 8.58 Yes
Application oracle peoplesoft_enterprise_peopletools 8.59 Yes
Application oracle primavera_gateway ≤ 17.12.11 Yes
Application oracle primavera_gateway ≤ 18.8.12 Yes
Application oracle primavera_gateway ≤ 19.12.11 Yes
Application oracle primavera_gateway ≤ 20.12.7 Yes
Application oracle primavera_unifier ≤ 17.12 Yes
Application oracle primavera_unifier 18.8 Yes
Application oracle primavera_unifier 19.12 Yes
Application oracle primavera_unifier 20.12 Yes
Application oracle retail_customer_management_and_segmentation_foundation 19.0 Yes
Application netapp active_iq_unified_manager - Yes
Application netapp active_iq_unified_manager - Yes
Application netapp active_iq_unified_manager - Yes
Application netapp cloud_manager - Yes
Application netapp system_manager 9.0 Yes
Application siemens sinec_ins < 1.0 Yes
Application siemens sinec_ins 1.0 Yes
Application siemens sinec_ins 1.0 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For lodash's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.