Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/lodash-es@4.17.21
Typenpm
Namespace
Namelodash-es
Version4.17.21
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version4.17.23
Latest_non_vulnerable_version4.17.23
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-aecq-1mad-n7h1
vulnerability_id VCID-aecq-1mad-n7h1
summary 
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.

Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
references
0
reference_url https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
1
reference_url https://github.com/github/advisory-database/pull/6139
reference_id
reference_type
scores
url https://github.com/github/advisory-database/pull/6139
2
reference_url https://github.com/lodash/lodash
reference_id
reference_type
scores
url https://github.com/lodash/lodash
3
reference_url https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
reference_id
reference_type
scores
url https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
4
reference_url https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
reference_id
reference_type
scores
url https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
5
reference_url https://github.com/lodash/lodash/pull/5065
reference_id
reference_type
scores
url https://github.com/lodash/lodash/pull/5065
6
reference_url https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
reference_id
reference_type
scores
url https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
7
reference_url https://security.netapp.com/advisory/ntap-20210312-0006
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210312-0006
8
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
9
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
10
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
11
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
12
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
13
reference_url https://snyk.io/vuln/SNYK-JS-LODASH-1018905
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JS-LODASH-1018905
14
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujan2022.html
15
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
url https://www.oracle.com//security-alerts/cpujul2021.html
16
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
17
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuoct2021.html
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28500
reference_id CVE-2020-28500
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-28500
19
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
reference_id CVE-2020-28500.YML
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
20
reference_url https://github.com/advisories/GHSA-29mw-wpgm-hmr9
reference_id GHSA-29mw-wpgm-hmr9
reference_type
scores
url https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fixed_packages
0
url pkg:npm/lodash-es@4.17.21
purl pkg:npm/lodash-es@4.17.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.17.21
aliases CVE-2020-28500, GHSA-29mw-wpgm-hmr9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aecq-1mad-n7h1
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.17.21