7.8
CWE
1321
Advisory Published
Advisory Published
Updated

CVE-2021-43138

First published: Wed Apr 06 2022(Updated: )

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/async<3.2.2
3.2.2
redhat/async<2.6.4
2.6.4
Async Project Async<2.6.4
Async Project Async>=3.0.0<3.2.2
Fedoraproject Fedora=36
Fedoraproject Fedora=37
npm/async>=2.0.0<2.6.4
2.6.4
npm/async>=3.0.0<3.2.2
3.2.2
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID of this flaw in async package?

    The vulnerability ID is CVE-2021-43138.

  • What is the severity level of CVE-2021-43138?

    The severity level of CVE-2021-43138 is high with a CVSS score of 7.8.

  • How can a remote attacker exploit CVE-2021-43138?

    A remote attacker can exploit CVE-2021-43138 by persuading a victim to open a specially-crafted file, allowing them to execute arbitrary code on the system.

  • Which versions of the async package are affected by CVE-2021-43138?

    The async package versions up to and excluding 3.2.2 and 2.6.4 are affected by CVE-2021-43138.

  • How can I fix the vulnerability in async package with CVE-2021-43138?

    To fix the vulnerability in async package with CVE-2021-43138, update to version 3.2.2 (for versions 3.x) or 2.6.4 (for versions 2.x).

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203