Bug 1928937 (CVE-2021-23337) - CVE-2021-23337 nodejs-lodash: command injection via template
Summary: CVE-2021-23337 nodejs-lodash: command injection via template
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23337
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1928938 1946164 1928939 1930138 1930139 1930140 1930141 1930142 1930143 1930144 1930145 1930146 1930147 1931267 1931268 1931269 1931270 1931271 1931272 1931273 1931274 1931275 1937751 1937752 1937753 1938272 1938273 2110861
Blocks: 1928940
Reported: 2021-02-15 20:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-08-31 09:00 UTC (History)
CC List: 77 users

Fixed In Version: nodejs-lodash-4.17.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:39:02 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:31:50 UTC
Red Hat Product Errata RHSA-2021:2543 0 None None None 2021-06-24 15:20:27 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:13 UTC
Red Hat Product Errata RHSA-2021:3459 0 None None None 2021-09-08 14:11:49 UTC
Red Hat Product Errata RHSA-2022:6429 0 None None None 2022-09-13 00:58:24 UTC

Description Guilherme de Almeida Suckevicz 2021-02-15 20:21:31 UTC
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Reference:
https://snyk.io/vuln/SNYK-JS-LODASH-1040724

Comment 1 Guilherme de Almeida Suckevicz 2021-02-15 20:22:04 UTC
Created lodash tracking bugs for this issue:

Affects: fedora-32 [bug 1928939]


Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1928938]

Comment 2 Jason Shepherd 2021-02-16 00:18:15 UTC
While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable template function.

Comment 4 Mark Cooper 2021-02-18 01:16:02 UTC
Upstream fix: https://github.com/lodash/lodash/pull/5085/commits/23125079fc43ece274c0e3a49a644ae2dae8b1d3 [not merged yet]

Comment 16 Stoyan Nikolov 2021-03-23 13:04:42 UTC
Statement:

In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is Low.

While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable template function.

While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable template function.

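Comments 2 and 16 above rest on two checks a downstream team has to make: which lodash versions are present in the dependency tree (the fix landed in 4.17.21, per the Fixed In Version field) and whether any first-party code reaches the template function at all. The following Node.js script is an added example written for this page, not Red Hat's or the lodash project's code; the lockfile and source snippets are constructed inline, the `restangular` dependency shape is assumed for illustration, and the template-usage regex is a heuristic, not a complete code analysis.

```javascript
// Added example (not Red Hat's or lodash's code): flag lodash copies in an npm
// lockfile that are older than the fixed version and detect source files that
// call the template function at all.
const FIXED_VERSION = '4.17.21'; // from the "Fixed In Version" field of this bug

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableLodash(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk an npm lockfile and collect every lodash instance, nested copies included.
// lockfileVersion 2/3 carry a flat "packages" map keyed by path; v1 carries a
// nested "dependencies" tree. v2 has both, so prefer "packages" when present.
function findLodashInstances(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/lodash') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'lodash' && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function findVulnerableLodash(lock) {
  return findLodashInstances(lock).filter((p) => isVulnerableLodash(p.version));
}

// Heuristic: does this source text reach lodash's template function?
// Matches `_.template(`, `lodash.template(`, and imports of 'lodash/template'
// or the standalone 'lodash.template' package.
const TEMPLATE_USE = /(\b(?:_|lodash)\.template\s*\()|(['"]lodash(?:\.|\/)template['"])/;
function usesLodashTemplate(source) {
  return TEMPLATE_USE.test(source);
}

// Combine both checks: a project is exposed when an old lodash is installed
// AND its own code calls template. Old lodash without template use is the
// "has a dependency but doesn't use the vulnerable function" case of Comment 2.
function auditProject(lock, sources) {
  const vulnerableLodash = findVulnerableLodash(lock);
  const templateUsers = Object.keys(sources).filter((f) => usesLodashTemplate(sources[f]));
  return { vulnerableLodash, templateUsers, exposed: vulnerableLodash.length > 0 && templateUsers.length > 0 };
}

// Constructed sample lockfile (v2): a fixed top-level lodash plus an older
// nested copy pulled in by an assumed restangular dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/restangular': { version: '1.6.1', dependencies: { lodash: '^4.17.15' } },
    'node_modules/restangular/node_modules/lodash': { version: '4.17.15' },
  },
};

// Constructed sample sources: one file renders templates, one does not.
const SAMPLE_SOURCES = {
  'views.js': "const _ = require('lodash');\nconst render = _.template('<%= name %>');",
  'util.js': "const _ = require('lodash');\nmodule.exports = (x) => _.chunk(x, 2);",
};

console.log(JSON.stringify(auditProject(SAMPLE_LOCK, SAMPLE_SOURCES), null, 2));
```

The nested copy is the usual way an old lodash survives an upgrade of the top-level dependency: `npm ls lodash` shows the same tree, but the script makes the version-threshold and usage checks repeatable in CI. A project whose own code never calls template is in the position Comments 2 and 16 describe, lower impact but still worth moving every copy to 4.17.21 or later.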
Comment 19 errata-xmlrpc 2021-04-13 00:09:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 20 Product Security DevOps Team 2021-04-13 06:39:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23337

Comment 22 errata-xmlrpc 2021-06-01 13:22:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2179 https://access.redhat.com/errata/RHSA-2021:2179

Comment 23 errata-xmlrpc 2021-06-24 15:20:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 24 errata-xmlrpc 2021-07-27 22:31:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 25 Jan Werner 2021-07-29 14:21:13 UTC
Updated the public date; originally it was incorrectly set to 2019. Thanks @btarasso

Comment 26 errata-xmlrpc 2021-08-06 00:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 27 errata-xmlrpc 2021-09-08 14:11:19 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3459 https://access.redhat.com/errata/RHSA-2021:3459

Comment 30 errata-xmlrpc 2022-09-13 00:58:20 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429

