Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-fwr7-v2mv-hh25] Prototype Pollution in async #1771

Closed
wants to merge 1 commit into from
Closed

[GHSA-fwr7-v2mv-hh25] Prototype Pollution in async #1771

wants to merge 1 commit into from

Conversation

westonsteimel
Copy link

Updates

  • Affected products

Comments
Apologies as I couldn't find much information on this one, but the NVD entry does suggest that prior to 2.x should be considered affected as well (I understand that isn't always particularly reliable though). I did see this comment which suggested perhaps the vulnerability doesn't actually apply to prior versions, but I wasn't really sure so would appreciate any help in verifying that. Thanks for maintaining such a great dataset!

@github-actions github-actions bot changed the base branch from main to westonsteimel/advisory-improvement-1771 March 10, 2023 17:12
@ronwoch
Copy link

ronwoch commented Mar 10, 2023

@westonsteimel Thank you! The 1.5 documentation didn't mention the mapValues function at all, so I did some spelunking and found that it was added in this PR, so the vulnerable code did not exist prior to 2.x.

@westonsteimel
Copy link
Author

Ah great, thanks for taking a further look at this one. Much appreciated!

@github-actions github-actions bot deleted the westonsteimel-GHSA-fwr7-v2mv-hh25 branch March 10, 2023 19:14
@ronwoch
Copy link

ronwoch commented Mar 10, 2023

No problem!

westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request Mar 13, 2023
@westonsteimel
chore: npm async < v2 not vulnerable to CVE-2021-43138
9976670 
Per GHSA-fwr7-v2mv-hh25, versions prior to 2.0.0 are not vulnerable as
the method didn't exist in prior versions.  Full discussion on this one
at github/advisory-database#1771

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel mentioned this pull request Mar 13, 2023
Merged
westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request Mar 13, 2023
@westonsteimel
chore: npm async < v2 not vulnerable to CVE-2021-43138 (#56)
7ec8bd3 
Per GHSA-fwr7-v2mv-hh25, versions prior to 2.0.0 are not vulnerable as
the method didn't exist in prior versions.  Full discussion on this one
at github/advisory-database#1771

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@westonsteimel @ronwoch