CVEs-PoC/2021/CVE-2021-23337.md

### [CVE-2021-23337](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337)
![](https://img.shields.io/static/v1?label=Product&message=Lodash&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=prior%20to%204.17.21%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Command%20Injection&color=brightgreen)

### Description

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Brook-5686/Node_JS_2
- https://github.com/ELHADANITAHA/OWASP-JSP-TP
- https://github.com/Eleson-Souza/security-scan-pipeline
- https://github.com/HotDB-Community/HotDB-Engine
- https://github.com/Icare741/TPTrivy
- https://github.com/JimmyJohnLakeCook/lodash-backport
- https://github.com/LSEG-API-Samples/Example.EWA.TypeScript.WebApplication
- https://github.com/MathisLeDev/-Guide-Trivy-Scanner-de-S-curit-
- https://github.com/Mr-Neutr0n/trivy-mcp-server
- https://github.com/NaorEven/dependabot-demo
- https://github.com/NidalShaterM/trivy-security-scan
- https://github.com/Refinitiv-API-Samples/Example.EWA.TypeScript.WebApplication
- https://github.com/SocketDev/API_Scripts
- https://github.com/Undertone-student-org/booking-system
- https://github.com/Yashd23/SafePrompt-Plugin
- https://github.com/Yashrajsinh012/Cogisive_extension
- https://github.com/Yashrajsinh012/cognisive_extension
- https://github.com/alexandert2105/GitHub-curso-completo
- https://github.com/andisfar/LaunchQtCreator
- https://github.com/andrewbearsley/lacework-sca-scan-example
- https://github.com/anthonykirby/lora-packet
- https://github.com/aryanxsh/example-vulnerable-repo
- https://github.com/cduplantis/blank
- https://github.com/cyber-tinkerer/test-repo-with-vulns
- https://github.com/dedcrowd/Raporlar
- https://github.com/deosha/secscan
- https://github.com/digiALERT1/Node_JS_2
- https://github.com/futurecreationstvl/Node-JS-2
- https://github.com/graydonhope/VulnerabilityScanner
- https://github.com/hunthack3r/Raporlar
- https://github.com/iamthamanic/WOARU-WorkaroundUltra
- https://github.com/ifunky/demo-site
- https://github.com/m0d0ri205/SBOM-CVE-Lister-for-npm
- https://github.com/marcosrg9/YouTubeTV
- https://github.com/p-rog/cve-analyser
- https://github.com/paarthpatel10/CipherSight
- https://github.com/samoylenko/sample-vulnerable-app-nodejs-express
- https://github.com/samoylenko/vulnerable-app-nodejs-express
- https://github.com/seal-community/patches
- https://github.com/shunmugadigialert/nodejs2
- https://github.com/shunmugadigialert/nodejs2Ai
- https://github.com/sivendar2/angular-vuln
- https://github.com/spashx/cyclonedx2cytoscape
- https://github.com/squidx232/loadtest
- https://github.com/sreejithinfysec/nodejs2
- https://github.com/subhashbohra/DevSecOps_Platform
- https://github.com/sunil5637/patchsecurityscanner-cli
- https://github.com/the-scan-project/tsp-vulnerable-app-nodejs-express
- https://github.com/the-scan-project/vulnerable-app-nodejs-express
- https://github.com/tomjfrog-org/frogbot-npm-demo
- https://github.com/tomjfrog/frogbot-demo
- https://github.com/vulncheck-oss/action
- https://github.com/zenzue/supply-chain-cve-checker