
CVE-2024-39249 (Medium) detected in multiple libraries

Open mend-for-github-com[bot] opened this issue 1 year ago • 0 comments

CVE-2024-39249 - Medium Severity Vulnerability

Vulnerable Libraries - async-3.2.3.js, async-3.2.3.min.js, async-3.2.3.tgz

async-3.2.3.js

Higher-order functions and common patterns for asynchronous code

Library home page: https://cdnjs.cloudflare.com/ajax/libs/async/3.2.3/async.js

Path to vulnerable library: /packages/osd-ui-framework/node_modules/async/dist/async.js

Dependency Hierarchy:

  • :x: async-3.2.3.js (Vulnerable Library)

async-3.2.3.min.js

Higher-order functions and common patterns for asynchronous code

Library home page: https://cdnjs.cloudflare.com/ajax/libs/async/3.2.3/async.min.js

Path to vulnerable library: /packages/osd-ui-framework/node_modules/async/dist/async.min.js

Dependency Hierarchy:

  • :x: async-3.2.3.min.js (Vulnerable Library)

async-3.2.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-3.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json,/node_modules/grunt/node_modules/async/package.json,/node_modules/@osd/ui-framework/node_modules/async/package.json

Dependency Hierarchy:

  • @osd/plugin-generator-1.0.0.tgz (Root Library)
    • ejs-3.1.10.tgz
      • jake-10.8.5.tgz
        • :x: async-3.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing a function in the autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-39249

Release Date: 2024-07-01

Fix Resolution: async - 3.0.1