CVE-2020-28500
Severity: MEDIUM | CVSS 5.3/10 | EPSS 7.34%
CVE-2020-28500 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. EPSS estimates a 7.34% chance of exploitation in the next 30 days.
Description
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lodash | Lodash | < 4.17.21 |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Corporate Lending Process Management | 14.3.0 |
| Oracle | Banking Corporate Lending Process Management | 14.5.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.3.0 |
| Oracle | Banking Credit Facilities Process Management | 14.5.0 |
| Oracle | Banking Extensibility Workbench | 14.2.0 |
| Oracle | Banking Extensibility Workbench | 14.3.0 |
| Oracle | Banking Extensibility Workbench | 14.5.0 |
| Oracle | Banking Supply Chain Finance | 14.2.0 |
| Oracle | Banking Supply Chain Finance | 14.3.0 |
| Oracle | Banking Supply Chain Finance | 14.5.0 |
| Oracle | Banking Trade Finance Process Management | 14.2.0 |
| Oracle | Banking Trade Finance Process Management | 14.3.0 |
| Oracle | Banking Trade Finance Process Management | 14.5.0 |
| Oracle | Communications Cloud Native Core Policy | 1.11.0 |
| Oracle | Communications Design Studio | 7.4.2 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Session Border Controller | 8.4 |
| Oracle | Communications Session Border Controller | 9.0 |
| Oracle | Enterprise Communications Broker | 3.2.0 |
| Oracle | Enterprise Communications Broker | 3.3.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Health Sciences Data Management Workbench | 2.5.2.1 |
| Oracle | Health Sciences Data Management Workbench | 3.0.0.0 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.1 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.12 |
| Oracle | Primavera Gateway | >= 19.12.0, <= 19.12.11 |
| Oracle | Primavera Gateway | >= 20.12.0, <= 20.12.7 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Retail Customer Management And Segmentation Foundation | 19.0 |
| Siemens | Sinec Ins | < 1.0 |
| Siemens | Sinec Ins | 1.0 |
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf (Patch, Third Party Advisory)
- https://github.com/lodash/lodash/pull/5065 (Patch, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210312-0006/ (Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905 (Exploit, Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Not Applicable, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Frequently Asked Questions
What is CVE-2020-28500?
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
How severe is CVE-2020-28500?
CVE-2020-28500 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 7.34% probability of exploitation in the next 30 days.
How do I fix CVE-2020-28500?
Upgrade Lodash to 4.17.21 or later. For the Oracle and Siemens products listed above, check the vendor advisories linked in the references for patched versions and mitigation guidance.
Source: NVD / NIST
