CVE-2021-23337 – Command Injection
https://notcve.org/view.php?id=CVE-2021-23337
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Las versiones de Lodash anteriores a la 4.17.21 son vulnerables a la inyección de comandos a través de la función de plantilla A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables. • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851 https://security.netapp.com/advisory/ntap-20210312-0006 https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 https://snyk. • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2020-28500 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-28500
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Las versiones de Lodash anteriores a la 4.17.21 son vulnerables a la denegación de servicio por expresiones regulares (ReDoS) a través de las funciones toNumber, trim y trimEnd A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible. • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8 https://github.com/lodash/lodash/pull/5065 https://security.netapp.com/advisory/ntap-20210312-0006 https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM • CWE-400: Uncontrolled Resource Consumption •
CVE-2021-21290 – Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files
https://notcve.org/view.php?id=CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. • https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E https://lists.apache.org/thread.html/r10308b625 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-378: Creation of Temporary File With Insecure Permissions CWE-379: Creation of Temporary File in Directory with Insecure Permissions CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2020-26217 – Remote Code Execution in XStream
https://notcve.org/view.php?id=CVE-2020-26217
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14. • https://github.com/Al1ex/CVE-2020-26217 https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-502: Deserialization of Untrusted Data •
CVE-2020-8203 – WordPress Core < 5.8.1 - LoDash Update
https://notcve.org/view.php?id=CVE-2020-8203
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Un ataque de contaminación de prototipo cuando se utiliza _.zipObjectDeep en lodash versiones anteriores a 4.17.20 A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability. WordPress Core is vulnerable to prototype pollution in various versions less than 5.8.1 due to a vulnerability in the LoDash component which is identified as CVE-2020-8203. • https://github.com/ossf-cve-benchmark/CVE-2020-8203 https://github.com/lodash/lodash/issues/4874 https://hackerone.com/reports/712065 https://security.netapp.com/advisory/ntap-20200724-0006 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat. • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-770: Allocation of Resources Without Limits or Throttling CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •