Vulnerability Name: | CVE-2021-43138 (CCN-223605) |
Assigned: | 2021-10-27 |
Published: | 2021-10-27 |
Updated: | 2023-02-23 |
Summary: | Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
CVSS v3 Severity: | 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: | Attack Vector (AV): Local | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): Required |
  Scope: | Scope (S): Unchanged |
  Impact Metrics: | Confidentiality (C): High | Integrity (I): High | Availability (A): High |
  7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: | Attack Vector (AV): Local | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): Required |
  Scope: | Scope (S): Unchanged |
  Impact Metrics: | Confidentiality (C): High | Integrity (I): High | Availability (A): High |
CVSS v2 Severity: | 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Exploitability Metrics: | Access Vector (AV): Network | Access Complexity (AC): Medium | Authentication (Au): None |
  Impact Metrics: | Confidentiality (C): Partial | Integrity (I): Partial | Availability (A): Partial |
  6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
  Exploitability Metrics: | Access Vector (AV): Local | Access Complexity (AC): Low | Authentication (Au): Single Instance |
  Impact Metrics: | Confidentiality (C): Complete | Integrity (I): Complete | Availability (A): Complete |
Vulnerability Consequences: | Gain Access |
References: | Source: MITRE Type: CNA CVE-2021-43138
Source: XF Type: UNKNOWN async-cve202143138-code-exec(223605)
Source: cve@mitre.org Type: Third Party Advisory cve@mitre.org
Source: cve@mitre.org Type: Release Notes, Third Party Advisory cve@mitre.org
Source: CCN Type: Async GIT Repository Fix prototype pollution vulnerability
Source: cve@mitre.org Type: Patch, Third Party Advisory cve@mitre.org
Source: cve@mitre.org Type: Exploit, Third Party Advisory cve@mitre.org
Source: cve@mitre.org Type: Mailing List, Third Party Advisory cve@mitre.org
Source: CCN Type: SNYK-JS-ASYNC-2441827 Prototype Pollution
Source: CCN Type: IBM Security Bulletin 6584209 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js
Source: CCN Type: IBM Security Bulletin 6596915 (Cloud Pak for Business Automation) Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022
Source: CCN Type: IBM Security Bulletin 6598765 (Cloud Transformation Advisor) IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6600747 (Business Automation Workflow) Remote code execution vulnerability affects IBM Business Automation Workflow - CVE-2021-43138
Source: CCN Type: IBM Security Bulletin 6600749 (Cloud Pak for Automation) Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022
Source: CCN Type: IBM Security Bulletin 6601137 (App Connect Enterprise) IBM Integration Bus and IBM App Connect Enterprise are vulnerable to arbitrary code execution due to async ( CVE-2021-43138) and nconf (CVE-2022-21803)
Source: CCN Type: IBM Security Bulletin 6604011 (VM Recovery Manager DR for Power Systems) Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI
Source: CCN Type: IBM Security Bulletin 6607047 (Robotic Process Automation) IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138)
Source: CCN Type: IBM Security Bulletin 6610082 (Db2 On Openshift) Multiple vulnerabilities affect IBM Db2 On Openshift, IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data
Source: CCN Type: IBM Security Bulletin 6614909 (Spectrum Discover) IBM Spectrum Discover is vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6828527 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
Source: CCN Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation) Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform
Source: CCN Type: IBM Security Bulletin 6966400 (Engineering Workflow Management) IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138
Source: CCN Type: IBM Security Bulletin 6987049 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows may be vulnerable to arbitrary code execution due to [CVE-2021-43138]
Source: CCN Type: IBM Security Bulletin 6997107 (Engineering Requirements Quality Assistant) There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises
Source: CCN Type: IBM Security Bulletin 7008939 (Security Verify Governance) Multiple vulnerabilities fixed in IBM Security Verify Governance - Identity Manager Virtual Appliance
Source: CCN Type: WhiteSource Vulnerability Database CVE-2021-43138
Vulnerable Configuration: | Configuration CCN 1:
  cpe:/a:async_project:async:3.2.1:*:*:*:*:*:*:*
  OR cpe:/a:async_project:async:3.2.0:*:*:*:*:*:*:*
  OR cpe:/a:async_project:async:3.1.1:*:*:*:*:*:*:*
  AND cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
  OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise:12.0.4.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:db2_warehouse:4.5:-:*:*:*:*:*:*
async_project async 3.2.1
async_project async 3.2.0
async_project async 3.1.1
ibm business automation workflow 18.0.0.0
ibm business automation workflow 18.0.0.1
ibm app connect 11.0.0.0
ibm integration bus 10.0.0.0
ibm business automation workflow 18.0.0.2
ibm business automation workflow 19.0.0.1
ibm business automation workflow 19.0.0.2
ibm cloud transformation advisor 2.0.1
ibm cloud pak for automation 19.0.3
ibm business automation workflow 19.0.0.3
ibm mobilefirst platform foundation 8.0.0.0
ibm cloud pak for automation 20.0.1
ibm cloud pak for automation 20.0.2
ibm business automation workflow 20.0.0.1
ibm business automation workflow 20.0.0.2
ibm engineering workflow management 7.0.1
ibm engineering workflow management 7.0.2
ibm cloud pak for automation 20.0.3
ibm cloud pak for automation 21.0.1
ibm app connect enterprise 12.0.1.0
ibm cloud pak for automation 21.0.2
ibm business automation workflow 21.0.2
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm cognos analytics 11.2.1
ibm cloud pak for automation 19.0.1
ibm db2 warehouse 3.5
ibm db2 warehouse 4.0
ibm business automation workflow 21.0.3
ibm robotic process automation 21.0.0
ibm cloud pak for automation 19.0.2
ibm cloud pak for business automation 18.0.0
ibm cloud pak for business automation 18.0.2
ibm cloud pak for business automation 19.0.1
ibm cloud pak for business automation 19.0.3
ibm cloud pak for business automation 20.0.1
ibm cloud pak for business automation 20.0.3
ibm cloud pak for business automation 21.0.1
ibm cloud pak for business automation 21.0.2
ibm cloud pak for business automation 21.0.3
ibm robotic process automation 21.0.1
ibm robotic process automation 21.0.2
ibm app connect enterprise 12.0.4.0
ibm app connect enterprise certified container 4.1
ibm business automation workflow 22.0.1
ibm app connect enterprise certified container 4.2
ibm security verify governance 10.0
ibm db2 warehouse 4.5