Bug 2126276 (CVE-2021-43138)

Summary: CVE-2021-43138 async: Prototype Pollution in async
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: async 3.2.2, async 2.6.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method.
Reporter: Avinash Hanwate <ahanwate>
Assignee: Red Hat Product Security <security-response-team>
CC: agerstmayr, aileenc, alazarot, anstephe, aoconnor, asoldano, balejosg, bbaranow, bcoca, bdettelb, bmaxwell, bniver, brian.stansberry, caillon+fedoraproject, cdewolf, chazlett, chousekn, cluster-maint, cmeyers, darran.lofthouse, davidn, dkreling, dmitry, dosoudil, dwhatley, dymurray, eclipseo, emingora, epel-packagers-sig, eric.wittmann, etirelli, extras-orphan, fjuma, flucifre, fmuellner, fzatlouk, gblomqui, gecko-bugs-nobody, gmalinko, gmeno, go-sig, gparvin, grafana-maint, ibek, ibolton, idevat, iweiss, janstey, jburrell, jcammara, jcantril, jhardy, jhorak, jkurik, jmatthew, jmontleo, jobarker, jochrist, jpavlik, jramanat, jrokos, jross, jshaughn, jwendell, jwon, kai-engert-fedora, kde-sig, klember, kmalyjur, kverlaen, lemenkov, lgao, link, mabashia, manisandro, mbenjamin, me, mgoodwin, mhackett, michel, mlisik, mnovotny, mokumar, mosmerov, mpospisi, mrunge, msochure, msvehla, mwringe, nathans, nboldt, ngompa13, njean, nodejs-sig, nonamedotc, notting, nwallace, ocs-bugs, omular, openstack-sig, osapryki, oskutka, pabelanger, pahickey, pantinor, pdelbell, peholase, periklis, pjindal, pmackay, rcernich, rdieter, relrod, rgodfrey, rguimara, rpetrell, rrajasek, rstancel, scorneli, sdoran, sgallagh, slucidi, smaestri, smcdonal, sostapov, sseago, stcannon, stransky, thrcka, tkuratom, tm, tojeline, tom.jenkinson, tpopela, twalsh, tzimanyi, vereddy, vkumar, yselkowi, zsvetlik
Story Points: ---
Last Closed: 2023-02-12 00:29:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2126992, 2126995, 2126315, 2126316, 2126317, 2126318, 2126320, 2126321, 2126322, 2126341, 2126459, 2126460, 2126461, 2126462, 2126463, 2126464, 2126991, 2126993, 2126994, 2126996, 2126997, 2126998, 2126999, 2127000, 2127001, 2127002, 2127003, 2127004, 2127005, 2127006, 2127007, 2127008, 2127009, 2130144, 2212560
Bug Blocks: 2126194

Description Avinash Hanwate 2022-09-13 04:56:27 UTC
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

https://github.com/advisories/GHSA-fwr7-v2mv-hh25

Comment 7 Avinash Hanwate 2022-09-15 05:00:01 UTC
Created breeze-icon-theme tracking bugs for this issue:
Affects: epel-8 [bug 2126995]
Affects: fedora-all [bug 2126997]

Created cockatrice tracking bugs for this issue:
Affects: fedora-all [bug 2126998]

Created couchdb tracking bugs for this issue:
Affects: fedora-all [bug 2126999]

Created golang-entgo-ent tracking bugs for this issue:
Affects: fedora-all [bug 2127000]

Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-7 [bug 2126993]

Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 2127001]

Created mozjs68 tracking bugs for this issue:
Affects: fedora-all [bug 2127002]

Created mozjs78 tracking bugs for this issue:
Affects: fedora-all [bug 2127003]

Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2126994]
Affects: fedora-all [bug 2127004]

Created python-engineio tracking bugs for this issue:
Affects: fedora-all [bug 2127005]

Created seamonkey tracking bugs for this issue:
Affects: epel-8 [bug 2126996]
Affects: fedora-all [bug 2127006]

Created workrave tracking bugs for this issue:
Affects: fedora-all [bug 2127007]

Created yarnpkg tracking bugs for this issue:
Affects: fedora-all [bug 2127008]

Created zuul tracking bugs for this issue:
Affects: fedora-all [bug 2127009]

Comment 28 errata-xmlrpc 2023-02-09 02:17:56 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 29 Product Security DevOps Team 2023-02-12 00:29:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43138

Comment 30 errata-xmlrpc 2023-06-15 20:56:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:3645 https://access.redhat.com/errata/RHSA-2023:3645