CVE-2021-43138 (High) detected in multiple libraries #1440
Labels: cve (Security vulnerabilities detected by Dependabot or Mend); high severity (High severity CVE); Mend: dependency security vulnerability (Security vulnerability detected by Mend); v2.0.0
Comments

mend-for-github.aaakk.us.kg (bot) added the "Mend: dependency security vulnerability" (Security vulnerability detected by Mend) label on Apr 9, 2022.
tmarkley added the "high severity" (High severity CVE) and "cve" (Security vulnerabilities detected by Dependabot or Mend) labels on Apr 11, 2022.
tmarkley pushed a commit to tmarkley/OpenSearch-Dashboards that referenced this issue on Apr 13, 2022:

* Resolves older versions: v0.9.2, v1.5.2, v2.6.3
  * There are known breaking changes, so this manual resolution carries some risk.
  * [CHANGELOG](https://github.com/caolan/async/blob/v3.2.3/CHANGELOG.md)
  * Addresses CVE-2021-43138.
  * This requires a manual resolution because `@elastic/[email protected]`, `[email protected]`, `[email protected]`, and `[email protected]` have downstream dependencies on older versions of `async` and none of them have newer versions to fix this.
* Bumps `getos` from v3.1.0 to v3.2.1.
* Bumps `@elastic/makelogs` from v6.0.0 to v6.1.0.
* Bumps `archiver` from v3.1.1 to v5.3.0 and `@types/archiver` from v3.1.0 to v5.3.1.
  * Used in the build script, which runs successfully.
  * Breaking changes include removing support for older versions of Node.js as well as no longer supporting absolute path glob patterns, which are not used in our repository.
  * [CHANGELOG](https://github.com/archiverjs/node-archiver/blob/5.3.0/CHANGELOG.md)
* Bumps `webpack-dev-server` from v4.7.4 to v4.8.1.
* Removes `grunt-contrib-watch` dependency since it is unused.
* Removes unnecessary `@types/react` resolution.

Resolves opensearch-project#1440

Signed-off-by: Tommy Markley <[email protected]>
tmarkley pushed a commit that referenced this issue on Apr 15, 2022:

* Resolves older versions: v0.9.2, v1.5.2, v2.6.3
  * There are known breaking changes, so this manual resolution carries some risk.
  * [CHANGELOG](https://github.com/caolan/async/blob/v3.2.3/CHANGELOG.md)
  * Addresses CVE-2021-43138.
  * This requires a manual resolution because `@elastic/[email protected]`, `[email protected]`, `[email protected]`, and `[email protected]` have downstream dependencies on older versions of `async` and none of them have newer versions to fix this.
* Bumps `getos` from v3.1.0 to v3.2.1.
* Bumps `@elastic/makelogs` from v6.0.0 to v6.1.0.
* Bumps `archiver` from v3.1.1 to v5.3.0 and `@types/archiver` from v3.1.0 to v5.3.1.
  * Used in the build script, which runs successfully.
  * Breaking changes include removing support for older versions of Node.js as well as no longer supporting absolute path glob patterns, which are not used in our repository.
  * [CHANGELOG](https://github.com/archiverjs/node-archiver/blob/5.3.0/CHANGELOG.md)
* Bumps `webpack-dev-server` from v4.7.4 to v4.8.1.
* Removes `grunt-contrib-watch` dependency since it is unused.
* Removes unnecessary `@types/react` resolution.

Resolves #1440

Signed-off-by: Tommy Markley <[email protected]>
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Libraries - async-1.5.2.tgz, async-0.9.2.tgz, async-2.6.3.tgz
async-1.5.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Dependency Hierarchy:
async-0.9.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz
Dependency Hierarchy:
async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: async - v3.2.2
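The fix above is "upgrade to async 3.2.2 or later", but the commit message shows the practical problem: the vulnerable copies are transitive, pinned by dependents that have no fixed release, so they have to be forced forward with a manual resolution that may cross a major version. The script below is an added example, not code from the OpenSearch-Dashboards project or from Mend. It reads a yarn.lock (v1 format) excerpt, lists every resolved copy of `async` still below the fix version together with the ranges that pulled it in, flags copies that would jump a major version when forced to the target (the breaking-change risk the commit calls out), and prints the `resolutions` entry for the override. The lockfile content, the `registry.example.invalid` URL and the `**/async` glob key are constructed assumptions.

```javascript
'use strict';

// Added example, not code from the OpenSearch-Dashboards repository or the Mend
// report. Audits a yarn.lock (v1 format) for copies of a package below the
// version that fixes a CVE and builds the `resolutions` override a manual fix
// needs. Lockfile content below is constructed, modelled on the three
// vulnerable copies named in the issue (0.9.2, 1.5.2, 2.6.3) plus one fixed copy.
const SAMPLE_YARN_LOCK = `
# yarn lockfile v1

"@types/archiver@^3.1.0":
  version "3.1.0"
  resolved "https://registry.example.invalid/@types/archiver/-/archiver-3.1.0.tgz"

async@^0.9.0, async@~0.9.0:
  version "0.9.2"
  resolved "https://registry.npmjs.org/async/-/async-0.9.2.tgz"

async@^1.4.0:
  version "1.5.2"
  resolved "https://registry.npmjs.org/async/-/async-1.5.2.tgz"

async@^2.6.0:
  version "2.6.3"
  resolved "https://registry.npmjs.org/async/-/async-2.6.3.tgz"

async@^3.2.3:
  version "3.2.3"
  resolved "https://registry.npmjs.org/async/-/async-3.2.3.tgz"
`;

// Minimal yarn.lock v1 reader: an unindented line ending in ':' opens an entry
// whose comma-separated keys are "name@range" specifiers; the indented
// `version "x.y.z"` line below it is the version that was actually resolved.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line
        .slice(0, -1)
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "@scope/name@^1.0.0" -> "@scope/name": the range follows the last '@'.
function packageName(spec) {
  return spec.slice(0, spec.lastIndexOf('@'));
}

// Compare dotted versions numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `pkg` older than `fixedVersion`, with the ranges that
// pulled it in and whether forcing it to `target` crosses a major version.
function findVulnerableCopies(lockText, pkg, fixedVersion, target) {
  const targetMajor = Number(target.replace(/^[^\d]*/, '').split('.')[0]);
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.specs.some((s) => packageName(s) === pkg))
    .filter((e) => compareVersions(e.version, fixedVersion) < 0)
    .map((e) => ({
      version: e.version,
      ranges: e.specs.map((s) => s.slice(pkg.length + 1)),
      majorJump: Number(e.version.split('.')[0]) !== targetMajor,
    }));
}

// Yarn v1 `resolutions` entry: the "**/<pkg>" glob key is assumed here to
// override every nested copy at once; confirm against your Yarn version's docs.
function buildResolutions(pkg, target) {
  return { [`**/${pkg}`]: target };
}

const report = findVulnerableCopies(SAMPLE_YARN_LOCK, 'async', '3.2.2', '^3.2.3');
for (const h of report) {
  console.log(`async@${h.version} via ${h.ranges.join(', ')}` +
    (h.majorJump ? '  [major bump: review changelog before forcing]' : ''));
}
console.log('resolutions:', JSON.stringify(buildResolutions('async', '^3.2.3')));
```

Run with `node` against a real lockfile by replacing `SAMPLE_YARN_LOCK` with the file's contents; every copy the script lists is one the scanner will keep reporting until the resolution (or a fixed dependent) removes it, and every `majorJump` line is one whose changelog deserves the review the commit message describes.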