CVE-2020-28500

Severity: 5.3 MEDIUM
EPSS: 0.2% (top 52.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 15; Latest update Jan 6

Description

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (26 packages)

Ecosystem   Package          Affected from   Fixed in
npm         lodash.trimend   4.0.0           4.5.1
npm         lodash.trim      4.0.0           4.5.1
npm         lodash           4.0.0           4.17.21
npm         lodash-es        4.0.0           4.17.21
RubyGems    lodash-rails     4.0.0           4.17.21

Patches

Vulnerability Details (4)

Source    Title                                                    Date
OSV       Regular Expression Denial of Service (ReDoS) in lodash   2022-01-06
GHSA      Regular Expression Denial of Service (ReDoS) in lodash   2022-01-06
OSV       CVE-2020-28500: Lodash versions prior to 4               2021-02-15
CVEList   Regular Expression Denial of Service (ReDoS)             2021-02-15

Vendor Advisories (2)

Source    Title                                                                                                           Date
Red Hat   nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions                                               2021-02-15
Debian    CVE-2020-28500: node-lodash - Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of ...   2020