CVE-2021-41720

NameCVE-2021-41720
Description** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-lodash (PTS)stretch4.16.6+dfsg-2vulnerable
buster4.17.11+dfsg-2+deb10u1vulnerable
bullseye4.17.21+dfsg+~cs8.31.173-1vulnerable
bookworm, sid4.17.21+dfsg+~cs8.31.196.20210220-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-lodashsource(unstable)(unfixed)unimportant

Notes

https://github.com/lodash/lodash/issues/5261
Disputed security impact and validitity of the issue

Search for package or bug name: Reporting problems