Vulnerability Details CVE-2021-43138
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.8%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- https://github.com/caolan/async/blob/master/lib/internal/iterator.js
- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
- https://github.com/caolan/async/compare/v2.6.3...v2.6.4
- https://github.com/caolan/async/pull/1828
- https://jsfiddle.net/oz5twjd9/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://github.com/caolan/async/blob/master/lib/internal/iterator.js
- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
- https://github.com/caolan/async/compare/v2.6.3...v2.6.4
- https://github.com/caolan/async/pull/1828
- https://jsfiddle.net/oz5twjd9/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://security.netapp.com/advisory/ntap-20240621-0006/
Products affected by CVE-2021-43138
-
cpe:2.3:a:async_project:async:0.1.0
-
cpe:2.3:a:async_project:async:0.1.1
-
cpe:2.3:a:async_project:async:0.1.15
-
cpe:2.3:a:async_project:async:0.1.17
-
cpe:2.3:a:async_project:async:0.1.19
-
cpe:2.3:a:async_project:async:0.1.2
-
cpe:2.3:a:async_project:async:0.1.20
-
cpe:2.3:a:async_project:async:0.1.21
-
cpe:2.3:a:async_project:async:0.1.22
-
cpe:2.3:a:async_project:async:0.1.23
-
cpe:2.3:a:async_project:async:0.1.24
-
cpe:2.3:a:async_project:async:0.1.3
-
cpe:2.3:a:async_project:async:0.1.4
-
cpe:2.3:a:async_project:async:0.1.5
-
cpe:2.3:a:async_project:async:0.1.6
-
cpe:2.3:a:async_project:async:0.2.0
-
cpe:2.3:a:async_project:async:0.2.1
-
cpe:2.3:a:async_project:async:0.2.10
-
cpe:2.3:a:async_project:async:0.2.2
-
cpe:2.3:a:async_project:async:0.2.3
-
cpe:2.3:a:async_project:async:0.2.4
-
cpe:2.3:a:async_project:async:0.2.5
-
cpe:2.3:a:async_project:async:0.2.6
-
cpe:2.3:a:async_project:async:0.2.7
-
cpe:2.3:a:async_project:async:0.2.8
-
cpe:2.3:a:async_project:async:0.2.9
-
cpe:2.3:a:async_project:async:0.3.0
-
cpe:2.3:a:async_project:async:0.4.0
-
cpe:2.3:a:async_project:async:0.4.1
-
cpe:2.3:a:async_project:async:0.5.0
-
cpe:2.3:a:async_project:async:0.6.0
-
cpe:2.3:a:async_project:async:0.6.1
-
cpe:2.3:a:async_project:async:0.6.2
-
cpe:2.3:a:async_project:async:0.7.0
-
cpe:2.3:a:async_project:async:0.8.0
-
cpe:2.3:a:async_project:async:0.9.0
-
cpe:2.3:a:async_project:async:0.9.1
-
cpe:2.3:a:async_project:async:0.9.2
-
cpe:2.3:a:async_project:async:1.0.0
-
cpe:2.3:a:async_project:async:1.1.0
-
cpe:2.3:a:async_project:async:1.1.1
-
cpe:2.3:a:async_project:async:1.2.0
-
cpe:2.3:a:async_project:async:1.2.1
-
cpe:2.3:a:async_project:async:1.3.0
-
cpe:2.3:a:async_project:async:1.4.0
-
cpe:2.3:a:async_project:async:1.4.1
-
cpe:2.3:a:async_project:async:1.4.2
-
cpe:2.3:a:async_project:async:1.5.0
-
cpe:2.3:a:async_project:async:1.5.1
-
cpe:2.3:a:async_project:async:1.5.2
-
cpe:2.3:a:async_project:async:2.0.0
-
cpe:2.3:a:async_project:async:2.0.1
-
cpe:2.3:a:async_project:async:2.1.0
-
cpe:2.3:a:async_project:async:2.1.1
-
cpe:2.3:a:async_project:async:2.1.2
-
cpe:2.3:a:async_project:async:2.1.3
-
cpe:2.3:a:async_project:async:2.1.4
-
cpe:2.3:a:async_project:async:2.1.5
-
cpe:2.3:a:async_project:async:2.2.0
-
cpe:2.3:a:async_project:async:2.3.0
-
cpe:2.3:a:async_project:async:2.4.0
-
cpe:2.3:a:async_project:async:2.4.1
-
cpe:2.3:a:async_project:async:2.5.0
-
cpe:2.3:a:async_project:async:2.6.0
-
cpe:2.3:a:async_project:async:2.6.1
-
cpe:2.3:a:async_project:async:2.6.2
-
cpe:2.3:a:async_project:async:2.6.3
-
cpe:2.3:a:async_project:async:3.0.0
-
cpe:2.3:a:async_project:async:3.0.1
-
cpe:2.3:a:async_project:async:3.1.0
-
cpe:2.3:a:async_project:async:3.1.1
-
cpe:2.3:a:async_project:async:3.2.0
-
cpe:2.3:a:async_project:async:3.2.1
-
cpe:2.3:o:fedoraproject:fedora:36
-
cpe:2.3:o:fedoraproject:fedora:37