CVE-2021-43138 — Prototype Pollution in Project Async

CWE-1321 — Prototype Pollution5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.7%

top 28.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Async Project Async Fedoraproject Fedora Debian Node-async

Timeline

PublishedApr 6

Latest updateApr 7

Description

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDasync_project/async3.0.0 — 3.2.2+1

▶npmasync_project/async3.0.0 — 3.2.2+1

▶debiandebian/node-async

Also affects: Fedora 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Prototype Pollution in async↗2022-04-07

▶

OSV

Prototype Pollution in async↗2022-04-07

▶

📋Vendor Advisories

Red Hat

async: Prototype Pollution in async↗2022-04-07

▶

Debian

CVE-2021-43138: node-async - In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileg...↗2021

▶