CVE-2021-43138
- Source
- https://cve.org/CVERecord?id=CVE-2021-43138
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43138.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-43138
- Aliases
- Downstream
- Related
- Published
- 2022-04-06T17:15:08.650Z
- Modified
- 2026-04-16T00:07:17.481614964Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
- Database specific
{ "unresolved_ranges": [ { "source": "CPE_FIELD", "cpe": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "extracted_events": [ { "last_affected": "36" } ] }, { "source": "CPE_FIELD", "cpe": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "extracted_events": [ { "last_affected": "37" } ] } ] }- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://github.com/caolan/async/blob/master/lib/internal/iterator.js
- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
- https://github.com/caolan/async/compare/v2.6.3...v2.6.4
- https://github.com/caolan/async/pull/1828
- https://jsfiddle.net/oz5twjd9/
Affected packages
Git / github.com/caolan/async
Affected ranges
- Type
- GIT
- Repo
- https://github.com/caolan/async
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedFixed
- Database specific
{ "source": [ "CPE_FIELD", "REFERENCES" ], "cpe": "cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "0" }, { "fixed": "2.6.4" }, { "introduced": "3.0.0" }, { "fixed": "3.2.2" } ] }
Affected versions
0.*
0.2.10
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.6.2
0.7.0
0.8.0
0.9.0
0.9.1
0.9.2
1.*
1.0.0
1.1.0
1.2.0
1.2.1
v0.*
v0.1.0
v0.1.1
v0.1.15
v0.1.17
v0.1.19
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v1.*
v1.2.0
v1.3.0
v1.4.0
v1.4.2
v1.5.0
v1.5.1
v1.5.2
v2.*
v2.0.0
v2.0.0-alpha.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.0.0-rc.4
v2.0.0-rc.5
v2.0.0-rc.6
v2.0.1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1