GHSA-35jh-r3h4-6jhm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-35jh-r3h4-6jhm
- Aliases
- Published
- 2021-05-06T16:05:51Z
- Modified
- 2025-08-12T21:55:57.719943Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Command Injection in lodash
- Details
-
lodashversions prior to 4.17.21 are vulnerable to Command Injection via the template function. - Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-77", "CWE-94" ], "github_reviewed": true, "nvd_published_at": "2021-02-15T13:15:00Z", "github_reviewed_at": "2021-03-31T23:59:26Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://security.netapp.com/advisory/ntap-20210312-0006
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
- https://github.com/lodash/lodash
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Affected packages
npm / lodash
Package
- Name
- lodash
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash
npm / lodash-es
Package
- Name
- lodash-es
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-es
npm / lodash.template
Package
- Name
- lodash.template
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash.template
npm / lodash-template
Package
- Name
- lodash-template
- View open source insights on deps.dev
- Purl
- pkg:npm/lodash-template
RubyGems / lodash-rails
Package
- Name
- lodash-rails
- Purl
- pkg:gem/lodash-rails
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.17.21
Affected versions
0.*
0.7.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.10.0
1.*
1.0.0.rc.1
1.0.0.rc.2
1.0.0.rc.3
1.0.1
1.1.0
1.1.1
1.2.0
1.2.1
1.3.1
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
3.*
3.1.0
3.2.0
3.3.0
3.3.1
3.3.1.1
3.4.0
3.5.0
3.6.0
3.7.0
3.9.3
3.10.0
3.10.1
4.*
4.0.0
4.3.0
4.5.1
4.6.1
4.11.2
4.12.0
4.13.1
4.14.1
4.15.0
4.16.1
4.16.3
4.16.4
4.16.6
4.17.2
4.17.4
4.17.5
4.17.10
4.17.11
4.17.14
4.17.15