7.8

CVE-2021-43138

Exploit

async <= 2.6.3 and 3-3.2.2 - Prototype Pollution

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Mögliche Gegenmaßnahme
Insert Special Characters: Update to version 1.0.5, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Async ProjectAsync Version < 2.6.4
Async ProjectAsync Version >= 3.0.0 < 3.2.2
FedoraprojectFedora Version36
FedoraprojectFedora Version37
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Insert Special Characters
Version *-1.0.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.35% 0.871
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://security.netapp.com/advisory/ntap-20240621-0006/
https://github.com/caolan/async/blob/master/lib/internal/iterator.js
Third Party Advisory
https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
Third Party Advisory
https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
Third Party Advisory
Release Notes
https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
Patch
Third Party Advisory
https://github.com/caolan/async/compare/v2.6.3...v2.6.4
Patch
Third Party Advisory
https://github.com/caolan/async/pull/1828
Patch
Third Party Advisory
https://jsfiddle.net/oz5twjd9/
Third Party Advisory
Exploit
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
https://www.wordfence.com/threat-intel/vulnerabilities/id/361315ff-99ef-4fb2-946f-8ccc307bd3be
Third Party Advisory