CVEFinder.io

CVE-2021-23337

⚠️ high
πŸ” Scan for this CVE
Summary

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS Score
7.2
High
EPSS Score
0.7
Exploit Probability
Published Date
2021-02-15
First Seen: 2026-01-05
πŸ“Š Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.5% of all 315,637 vulnerabilities in our database.

#140,364
Above average severity
Severity Percentile
Last Modified 2024-11-21
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-94

πŸ“¦ Affected Products 45

Vendor Product Status Affected Versions
oracle peoplesoft_enterprise_peopletools Affected
v8.58
oracle peoplesoft_enterprise_peopletools Affected
v8.59
netapp system_manager Affected
v9.0
oracle jd_edwards_enterpriseone_tools Affected
< 9.2.6.1
oracle retail_customer_management_and_segmentation_foundation Affected
v19.0
oracle communications_services_gatekeeper Affected
v7.0
oracle health_sciences_data_management_workbench Affected
v2.5.2.1
oracle health_sciences_data_management_workbench Affected
v3.0.0.0
oracle primavera_gateway Affected
≥ 17.12.0 ≤ 17.12.11
oracle primavera_gateway Affected
≥ 18.8.0 ≤ 18.8.12
oracle primavera_gateway Affected
≥ 19.12.0 ≤ 19.12.11
oracle primavera_gateway Affected
≥ 20.12.0 ≤ 20.12.7
oracle primavera_unifier Affected
≥ 17.7 ≤ 17.12
oracle primavera_unifier Affected
v18.8
oracle primavera_unifier Affected
v19.12
oracle primavera_unifier Affected
v20.12
oracle communications_session_border_controller Affected
v8.4
oracle communications_session_border_controller Affected
v9.0
lodash lodash Affected
< 4.17.21
netapp active_iq_unified_manager Affected
v-
oracle enterprise_communications_broker Affected
v3.2.0
oracle enterprise_communications_broker Affected
v3.3.0
oracle banking_extensibility_workbench Affected
v14.2.0
oracle banking_extensibility_workbench Affected
v14.3.0
oracle banking_extensibility_workbench Affected
v14.5.0
oracle communications_design_studio Affected
v7.4.2.0.0
oracle banking_corporate_lending_process_management Affected
v14.2.0
oracle banking_corporate_lending_process_management Affected
v14.3.0
oracle banking_corporate_lending_process_management Affected
v14.5.0
oracle banking_trade_finance_process_management Affected
v14.2.0
oracle banking_trade_finance_process_management Affected
v14.3.0
oracle banking_trade_finance_process_management Affected
v14.5.0
oracle banking_credit_facilities_process_management Affected
v14.2.0
oracle banking_credit_facilities_process_management Affected
v14.3.0
oracle banking_credit_facilities_process_management Affected
v14.5.0
netapp cloud_manager Affected
v-
oracle communications_cloud_native_core_policy Affected
v1.11.0
oracle banking_supply_chain_finance Affected
v14.2.0
oracle banking_supply_chain_finance Affected
v14.3.0
oracle banking_supply_chain_finance Affected
v14.5.0
oracle communications_cloud_native_core_binding_support_function Affected
v1.9.0
siemens sinec_ins Affected
< 1.0
siemens sinec_ins Affected
v1.0
oracle financial_services_crime_and_compliance_management_studio Affected
v8.0.8.2.0
oracle financial_services_crime_and_compliance_management_studio Affected
v8.0.8.3.0

πŸ”— References 13

https://cert-portal.siemens.com/productcert/pdf/ssa-...
Patch Third Party Advisory
https://github.com/lodash/lodash/blob/ddfd9b11a0126d...
Broken Link
https://security.netapp.com/advisory/ntap-20210312-0...
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUB...
Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-1040724
Exploit Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch Third Party Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-2950 πŸ”Ά medium 6.5 0.1 Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. ... 2026-03-31
CVE-2026-4800 ⚠️ high 8.1 0.1 Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variabl... 2026-03-31
CVE-2025-13465 πŸ”Ά medium 5.3 0.0 Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unsetΒ and _.omitΒ functions. An at... 2026-01-21
CVE-2026-21934 πŸ”Ά medium 5.4 0.0 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Su... 2026-01-20
CVE-2026-21938 πŸ”Ά medium 6.1 0.0 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported vers... 2026-01-20
CVE-2026-21951 πŸ”Ά medium 6.1 0.0 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Su... 2026-01-20
These CVEs affect the same products