First published: Wed Apr 06 2022
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/async | <3.2.2 | 3.2.2 |
redhat/async | <2.6.4 | 2.6.4 |
Async Project Async | <2.6.4 | |
Async Project Async | >=3.0.0<3.2.2 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
npm/async | >=2.0.0<2.6.4 | 2.6.4 |
npm/async | >=3.0.0<3.2.2 | 3.2.2 |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
The vulnerability ID is CVE-2021-43138.
The severity level of CVE-2021-43138 is high with a CVSS score of 7.8.
A remote attacker can exploit CVE-2021-43138 by persuading a victim to open a specially-crafted file, allowing them to execute arbitrary code on the system.
Versions of the async package before 2.6.4 (2.x) and from 3.0.0 up to, but excluding, 3.2.2 (3.x) are affected by CVE-2021-43138.
To fix CVE-2021-43138 in the async package, update to version 3.2.2 (for 3.x) or 2.6.4 (for 2.x).
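To check a project against the npm/async ranges in the table above, the following added example (not code from this advisory or from the async project) walks a parsed `package-lock.json` and reports every affected copy of async, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration, and pre-release suffixes on version strings are ignored.

```javascript
// Affected npm/async ranges, copied from the table on this page.
const AFFECTED = [
  { min: [2, 0, 0], fixed: [2, 6, 4] },
  { min: [3, 0, 0], fixed: [3, 2, 2] },
];

// Parse "x.y.z"; any pre-release/build suffix is ignored (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Returns the fixed version to upgrade to, or null if the version is not affected.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
  return hit ? hit.fixed.join(".") : null;
}

// Lists every affected copy of async in a parsed package-lock.json.
function findAffectedAsync(lock) {
  const findings = [];
  const report = (path, version) => {
    const fix = fixFor(version);
    if (fix) findings.push({ path, version, fix });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/async$/.test(path)) report(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "async") report(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { packages: { "node_modules/async": { version: "3.2.1" }, "node_modules/x/node_modules/async": { version: "2.6.4" } } };
console.log(findAffectedAsync(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedAsync`; nested copies pulled in by other packages need the parent dependency updated or an override.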