This repository was archived by the owner on Jul 18, 2024. It is now read-only.

Affected from CVE-2021-43138 #9

Open
thha2 opened this issue Apr 14, 2022 · 0 comments

thha2 commented Apr 14, 2022

CVE-2021-43138

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

CWE-1321

CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:
MISC - https://github.com/caolan/async/blob/master/lib/internal/iterator.js
MISC - https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
MISC - caolan/async@e1ecdbf
MISC - https://jsfiddle.net/oz5twjd9/
Vulnerable Software & Versions:

cpe:2.3:a:async_project:async:::::::: versions up to (excluding) 3.2.2
