CVE-2021-43138

async <= 2.6.3 and 3-3.2.2 - Prototype Pollution

highImproperly Controlled Modification of Dynamically-Determined Object Attributes

7.8

CVSS Score

7.8

CVSS Score

high

Severity

1.0.5

Patched in

656d

Time to patch

Description

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. Some WordPress plugins and themes use this dependency though that doesn’t necessarily mean the plugin itself is vulnerable to exploitation.

CVSS Vector Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions<=1.0.4

PublishedApril 7, 2022

Last updatedJanuary 22, 2024

Affected plugininsert-special-characters

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/361315ff-99ef-4fb2-946f-8ccc307bd3be?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database