CVE-2021-43138 – async <= 2.6.3 and 3-3.2.2 - Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-43138
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. Some WordPress plugins and themes use this dependency, though that doesn't necessarily mean the plugin itself is vulnerable to exploitation.
• https://github.com/caolan/async/blob/master/lib/internal/iterator.js
  https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
  https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
  https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
  https://github.com/caolan/async/compare/v2.6.3...v2.6.4
  https://github.com/caolan/async/pull/1828
  https://jsfiddle.net/oz5twjd9
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject&
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-41167 – Unlimited requests in modern-async
https://notcve.org/view.php?id=CVE-2021-41167
modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions there is a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but, in practice, they don't. Any code calling these functions will be written on the assumption that they limit the concurrency, but they won't. This could lead to potential security issues in other projects.
• https://github.com/nicolas-van/modern-async/commit/0010d28de1b15d51db3976080e26357fa7144436
  https://github.com/nicolas-van/modern-async/issues/5
  https://github.com/nicolas-van/modern-async/security/advisories/GHSA-3pcq-34w5-p4g2
• CWE-400: Uncontrolled Resource Consumption
  CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2020-36444
https://notcve.org/view.php?id=CVE-2020-36444
An issue was discovered in the async-coap crate through 2020-12-08 for Rust. Send and Sync are implemented for ArcGuard<RC, T> without trait bounds on RC.
• https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/async-coap/RUSTSEC-2020-0124.md
  https://rustsec.org/advisories/RUSTSEC-2020-0124.html
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-28490 – Command Injection
https://notcve.org/view.php?id=CVE-2020-28490
The package async-git before 1.13.2 is vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('`touch HACKED`')
• https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d
  https://github.com/omrilotan/async-git/pull/14
  https://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-3190
https://notcve.org/view.php?id=CVE-2021-3190
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
• https://advisory.checkmarx.net/advisory/CX-2021-4772
  https://github.com/omrilotan/async-git/pull/13
  https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
  https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
  https://github.com/omrilotan/async-git/pull/14
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')