CVE-2021-43138 — HIGH (7.8)

Q: What is CVE-2021-43138?

CVE-2021-43138 is a vulnerability with a CVSS score of 7.8 (HIGH). In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Q: How severe is CVE-2021-43138?

CVE-2021-43138 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-43138?

Check the references section above for vendor advisories and patch information. Affected products include: Async Project Async, Fedoraproject Fedora.

Vulnerability Description

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Async Project	Async	< 2.6.4
Fedoraproject	Fedora	36

Related Weaknesses (CWE)

CWE-1321

References

https://github.com/caolan/async/blob/master/lib/internal/iterator.jsThird Party Advisory
https://github.com/caolan/async/blob/master/lib/mapValuesLimit.jsThird Party Advisory
https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264Release NotesThird Party Advisory
https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66dPatchThird Party Advisory
https://github.com/caolan/async/compare/v2.6.3...v2.6.4PatchThird Party Advisory
https://github.com/caolan/async/pull/1828PatchThird Party Advisory
https://jsfiddle.net/oz5twjd9/ExploitThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.netapp.com/advisory/ntap-20240621-0006/
https://github.com/caolan/async/blob/master/lib/internal/iterator.jsThird Party Advisory
https://github.com/caolan/async/blob/master/lib/mapValuesLimit.jsThird Party Advisory
https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264Release NotesThird Party Advisory
https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66dPatchThird Party Advisory
https://github.com/caolan/async/compare/v2.6.3...v2.6.4PatchThird Party Advisory

FAQ

What is CVE-2021-43138?

CVE-2021-43138 is a vulnerability with a CVSS score of 7.8 (HIGH). In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

How severe is CVE-2021-43138?

CVE-2021-43138 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43138?

Check the references section above for vendor advisories and patch information. Affected products include: Async Project Async, Fedoraproject Fedora.