CVE-2021-23337
Command Injection vulnerability in lodash

Command Injection | No known exploit | Fixable by Resolved Security

What is CVE-2021-23337 About?

This vulnerability affects `lodash` versions prior to 4.17.21 through its `template` function. The value passed as the `variable` option of `_.template` is concatenated, unvalidated, into the JavaScript source of the compiled template function, so an attacker who controls that option can break out of the function's parameter list and append arbitrary JavaScript, which then executes in the application's process. NVD and the lodash advisory classify the issue as Command Injection. Exploitation requires the attacker to influence the `variable` option, rather than only the data the template is rendered with.

Affected Software

  • lodash
    • <4.17.21
  • lodash-es
    • <4.17.21
  • lodash.template
    • <=4.5.0
  • lodash-template
    • <=1.0.0
  • lodash-rails
    • <4.17.21

Technical Details

`_.template` compiles a template string into a JavaScript function by assembling source text and handing it to the `Function` constructor. The `variable` option names the parameter of that function and, in versions prior to 4.17.21, is pasted into the generated source verbatim as `function(<variable>) {`. Nothing checks that the value is a plain identifier, so a value containing characters such as `)`, `{`, `,`, `=` or `/` closes the parameter list early and whatever follows is compiled as JavaScript. The injected code runs inside the Node.js (or browser) process with the application's privileges and can execute as soon as the template is compiled, before it is ever rendered. The template body itself (`<% %>` blocks) is executable by design; the defect is that a non-code option, `variable`, was treated as trusted source text. Because a JavaScript code-injection primitive of this kind can in turn spawn operating-system commands, for example through `child_process`, the issue is catalogued as Command Injection.

What is the Impact of CVE-2021-23337?

Successful exploitation allows an attacker to execute arbitrary JavaScript in the process that compiles the template, with that process's privileges. From there the attacker can spawn operating-system commands, read or modify files and data, exfiltrate secrets, or crash the service, so the practical outcome can be full compromise of the host.

What is the Exploitability of CVE-2021-23337?

Exploitation requires an attacker to control the `variable` option passed to `_.template`. Few applications expose that option to external input, so exploitability depends entirely on how the application uses the function: templates whose options are built from request parameters, configuration files, or other untrusted sources are at risk, while applications that hard-code the option, or never set it, are not reachable through this path. The flaw itself imposes no authentication or privilege requirement; the attacker only needs the ability to influence the option value, locally or remotely depending on the application's architecture. Applications that pass unsanitized, user-provided data into the `variable` option are the primary risk.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-23337?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds validation to the `variable` option of `_.template`, rejecting values that contain characters able to alter the generated function's parameter list: parentheses, comma, equals sign, braces, brackets, the slash that opens a comment, and whitespace. A value that fails the check raises an error instead of being compiled, so crafted `variable` values can no longer inject code, which fixes the vulnerability described in CVE-2021-23337.

Available Upgrade Options

  • lodash
    • <4.17.21 → Upgrade to 4.17.21
  • lodash-rails
    • <4.17.21 → Upgrade to 4.17.21
  • lodash-es
    • <4.17.21 → Upgrade to 4.17.21


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23337?

Similar Vulnerabilities: CVE-2018-3721, CVE-2019-15822, CVE-2020-28469, CVE-2021-23419, CVE-2021-29418