CVE-2021-43138 - Privilege escalation vulnerability

Severity: High2022-10-13

Security Advisories


In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

The Oxygen products incorporate Async as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1.6 and olderHigh Oxygen Content Fusion 5.0 build 2022052605





Severity: High

CVSS Score: 7.8

The Async third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-43138 vulnerability description.

Starting with Oxygen Content Fusion v5.0 Async library was updated to v3.2.2 which fixes this vulnerability.

List of Security Advisories