📂 Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23337 | 🔴 High | 7.3 | Proof of concept | < 1% | lodash-4.17.20.tgz | Direct | lodash - 4.17.21, lodash-es - 4.17.21 | ✅ | Reachable |
| CVE-2020-28500 | 🟠 Medium | 5.5 | Proof of concept | < 1% | lodash-4.17.20.tgz | Direct | lodash - 4.17.21, lodash-es - 4.17.21 | ✅ | Reachable |
Details
🔴CVE-2021-23337
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
  - ❌ lodash-4.17.20.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
  - snyk-1.434.3/dist/cli/index.js (Extension)
    - snyk-1.434.3/dist/lib/detect.js (Extension)
      -> ❌ lodash-4.17.20/lodash.js (Vulnerable Component)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function: the `variable` option of `_.template` is concatenated into the source string that lodash hands to `Function()` without being validated, so whoever controls that option can have arbitrary JavaScript compiled and executed in the process. The option is only exploitable where the application lets untrusted input reach it (a template compiled with a hard-coded `variable` is not affected); 4.17.21 rejects any `variable` value containing characters that cannot appear in a plain identifier.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
After upgrading, confirm the resolved version with `npm ls lodash` (or `yarn why lodash`): a lockfile entry or a nested copy pulled in under snyk-1.434.3 can keep 4.17.20 installed even when the range in /package.json has been bumped.
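The following is an added example, not lodash's source and not part of the Mend report: a cut-down template compiler that reproduces the pattern behind CVE-2021-23337 (the `variable` option spliced into source text that is evaluated with `Function()`) beside the identifier check that lodash 4.17.21 added. The names `buildSource`, `compileTemplateUnsafe`, `compileTemplateSafe`, `hostilePayload` and the `demo*` helpers are this example's own, and only `<%= %>` interpolation is implemented.

```javascript
// Added example: a stripped-down template compiler that reproduces the
// CVE-2021-23337 pattern. It is not lodash's source. Like _.template, it builds
// the compiled function's source as a string and evaluates it with Function().
const reInterpolate = /<%=([\s\S]+?)%>/g;

// Compile "Hello <%= user.name %>" into the body of a function whose single
// parameter is named by `variable`. Only <%= %> interpolation is supported here.
function buildSource(text, variable) {
  let body = "var __t, __p = '';\n";
  let last = 0;
  for (const m of text.matchAll(reInterpolate)) {
    body += "__p += " + JSON.stringify(text.slice(last, m.index)) + ";\n";
    body += "__p += ((__t = (" + m[1].trim() + ")) == null ? '' : __t);\n";
    last = m.index + m[0].length;
  }
  body += "__p += " + JSON.stringify(text.slice(last)) + ";\n";
  // The injection point: `variable` lands in the parameter list unchecked, so
  // anything that is valid JavaScript in that position is compiled and run.
  return "function(" + variable + ") {\n" + body + "return __p;\n}";
}

// Pre-4.17.21 behaviour: whatever options.variable says goes straight to Function().
function compileTemplateUnsafe(text, options = {}) {
  const variable = options.variable || "obj";
  return Function("return " + buildSource(text, variable))();
}

// Post-4.17.21 behaviour: reject anything that cannot be a plain identifier
// before it reaches Function(). The character class mirrors the check lodash
// added (its reForbiddenIdentifierChars).
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

function compileTemplateSafe(text, options = {}) {
  const variable = options.variable || "obj";
  if (reForbiddenIdentifierChars.test(variable)) {
    throw new Error("Invalid `variable` option passed into template");
  }
  return Function("return " + buildSource(text, variable))();
}

// Constructed attacker value for `variable`. A default-parameter initializer is
// valid inside a parameter list, so the compiled function becomes
//   function(obj = (globalThis.__pwned = true)) { ... }
// and the assignment runs the first time the template is called without an argument.
const hostilePayload = "obj = (globalThis.__pwned = true)";

// Returns true when the injected code executed.
function demoUnsafe() {
  globalThis.__pwned = false;
  const tpl = compileTemplateUnsafe("Hi <%= obj.name %>", { variable: hostilePayload });
  tpl();
  return globalThis.__pwned === true;
}

// Returns "rejected" when the hardened compiler refuses the payload, "compiled" otherwise.
function demoSafe() {
  try {
    compileTemplateSafe("Hi <%= obj.name %>", { variable: hostilePayload });
    return "compiled";
  } catch (e) {
    return "rejected";
  }
}

// Legitimate use still works with the check in place.
function demoLegit() {
  return compileTemplateSafe("Hi <%= user.name %>!", { variable: "user" })({ name: "Ada" });
}

console.log("unsafe compiler ran injected code:", demoUnsafe());
console.log("safe compiler:", demoSafe());
console.log("safe compiler, normal use:", demoLegit());
```

The payload never needs to break out of a string: the parameter list is already a code context, so any expression that is legal there is executed. That is why the fix is an allow-list on the identifier rather than escaping, and why auditing a code base for this CVE means finding every `_.template(..., { variable })` call whose `variable` is not a literal.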
🟠CVE-2020-28500
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
  - ❌ lodash-4.17.20.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
  - snyk-1.434.3/dist/cli/index.js (Extension)
    - snyk-1.434.3/dist/lib/detect.js (Extension)
      -> ❌ lodash-4.17.20/lodash.js (Vulnerable Component)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions: the regular expressions those functions used to strip whitespace (`/\s+$/`, and `/^\s+|\s+$/g` in toNumber) backtrack quadratically on a long run of whitespace that ends in a non-whitespace character, so an attacker-supplied string of a few tens of thousands of characters can occupy a CPU for seconds per call. 4.17.21 replaced the regex trimming with an index-based scan. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: Feb 15, 2021 11:10 AM
URL: CVE-2020-28500
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-29mw-wpgm-hmr9
Release Date: Feb 15, 2021 11:10 AM
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
Until the upgrade is deployed, the practical mitigation is to cap the length of any externally supplied string before it reaches toNumber, trim or trimEnd; the cost grows with the square of the whitespace run, so short inputs are harmless.
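The following is an added example, not lodash's source and not part of the Mend report: the trailing-whitespace regex of the kind that made CVE-2020-28500 quadratic, next to the index-based scan lodash 4.17.21 switched to, with a constructed pathological input to time both. The helper names `trimEndRegex`, `trimmedEndIndex`, `trimEndLinear`, `pathologicalInput`, `timeMs` and `agreeOn` are this example's own.

```javascript
// Added example: the trim-regex pattern behind CVE-2020-28500 beside the
// index-based scan lodash switched to in 4.17.21. This is not lodash's source.

// lodash 4.17.20 trimmed trailing whitespace with a regex of this shape
// (toNumber used /^\s+|\s+$/g, trim and trimEnd used /\s+$/). On a long run of
// whitespace that ends in a non-whitespace character, \s+ consumes the whole run,
// $ fails, the engine gives back one character and retries $, and it repeats
// that from every start position: roughly n^2/2 steps for n characters.
const reTrimEnd = /\s+$/;
function trimEndRegex(str) {
  return str.replace(reTrimEnd, "");
}

// The 4.17.21 approach: walk back from the end over whitespace, then slice.
// One pass, no backtracking, same result for every input.
const reWhitespace = /\s/;
function trimmedEndIndex(str) {
  let index = str.length;
  while (index-- && reWhitespace.test(str.charAt(index))) {}
  return index;
}
function trimEndLinear(str) {
  return str.slice(0, trimmedEndIndex(str) + 1);
}

// Constructed pathological input: n spaces followed by one character, so nothing
// is trimmed but the regex still has to backtrack across the whole run.
function pathologicalInput(n) {
  return " ".repeat(n) + "a";
}

// Wall-clock cost of one call, in milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Both implementations must agree on ordinary and edge-case inputs.
function agreeOn(inputs) {
  return inputs.every((s) => trimEndRegex(s) === trimEndLinear(s));
}

const samples = ["", "   ", "abc", "abc  \t\n", " a b ", pathologicalInput(50)];
console.log("implementations agree:", agreeOn(samples));

// Doubling the input roughly quadruples the regex time and only doubles the
// linear one; the absolute numbers depend on the machine.
for (const n of [5000, 10000]) {
  const input = pathologicalInput(n);
  console.log(`n=${n}: regex ${timeMs(trimEndRegex, input).toFixed(1)} ms, ` +
              `linear ${timeMs(trimEndLinear, input).toFixed(1)} ms`);
}
```

The same shape of regex (`^\s+|\s+$`, `\s+$`) is common in hand-written trimming and number-parsing code, so the test above is worth running against any such helper in the application, not only against lodash.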