CVE-2024-39249 - Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Advanced Cluster Security Rhdh Trusted Profile Analyzer

No data.

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-central-db-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.5.3-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.3-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.3-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.3-3	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:7443	2024-10-01T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-main-rhel8:4.6.0-6	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2024:10775	2024-12-04T00:00:00Z
Red Hat Developer Hub 1.3 on RHEL 9
rhdh/rhdh-hub-rhel9:1.3-100	cpe:/a:redhat:rhdh:1.3::el9	RHBA-2024:7523	2024-10-02T00:00:00Z
Red Hat Trusted Profile Analyzer 1.1
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:9142fe58fad28a8b469b17bdd84fe6bbcb6830811a3b31c671142ce109739455	cpe:/a:redhat:trusted_profile_analyzer:1.1::el9	RHSA-2024:6235	2024-09-03T00:00:00Z

References

Link	Providers
https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41
https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6
https://github.com/caolan/async/issues/1975#issuecomment-2204528153
https://github.com/zunak/CVE-2024-39249
https://github.com/zunak/CVE-2024-39249/issues/1
https://nvd.nist.gov/vuln/detail/CVE-2024-39249
https://www.cve.org/CVERecord?id=CVE-2024-39249

History

Thu, 20 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhdh
CPEs		cpe:/a:redhat:rhdh:1.3::el9
Vendors & Products		Redhat rhdh

Wed, 04 Dec 2024 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.6::el8

Fri, 01 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:trusted_profile_analyzer:1.1::el9
Vendors & Products		Redhat trusted Profile Analyzer

Tue, 01 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat advanced Cluster Security
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8
Vendors & Products		Redhat Redhat advanced Cluster Security

Mon, 26 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-01T00:00:00

Updated: 2024-08-26T14:46:02.177Z

Reserved: 2024-06-21T00:00:00

Link: CVE-2024-39249

Vulnrichment

Updated: 2024-08-02T04:19:20.645Z

NVD

Status : Awaiting Analysis

Published: 2024-07-01T20:15:02.877

Modified: 2024-11-21T09:27:22.130

Link: CVE-2024-39249

Redhat

Severity : Moderate

Publid Date: 2024-07-01T00:00:00Z

Links: CVE-2024-39249 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39249", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-26T14:46:02.177Z", "dateReserved": "2024-06-21T00:00:00", "datePublished": "2024-07-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-09T05:22:14.622585"}, "descriptions": [{"lang": "en", "value": "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"}, {"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"}, {"url": "https://github.com/zunak/CVE-2024-39249"}, {"url": "https://github.com/zunak/CVE-2024-39249/issues/1"}, {"url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.645Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6", "tags": ["x_transferred"]}, {"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41", "tags": ["x_transferred"]}, {"url": "https://github.com/zunak/CVE-2024-39249", "tags": ["x_transferred"]}, {"url": "https://github.com/zunak/CVE-2024-39249/issues/1", "tags": ["x_transferred"]}, {"url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "affected": [{"vendor": "async_project", "product": "async", "cpes": ["cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.4", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThanOrEqual": "3.2.5", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-26T14:42:17.511262Z", "id": "CVE-2024-39249", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T14:46:02.177Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6", "tags": ["x_transferred"]}, {"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41", "tags": ["x_transferred"]}, {"url": "https://github.com/zunak/CVE-2024-39249", "tags": ["x_transferred"]}, {"url": "https://github.com/zunak/CVE-2024-39249/issues/1", "tags": ["x_transferred"]}, {"url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-39249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-26T14:42:17.511262Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*"], "vendor": "async_project", "product": "async", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6.4"}, {"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2.5"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T14:45:45.630Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"}, {"url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"}, {"url": "https://github.com/zunak/CVE-2024-39249"}, {"url": "https://github.com/zunak/CVE-2024-39249/issues/1"}, {"url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153"}], "descriptions": [{"lang": "en", "value": "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-09T05:22:14.622585"}}}, "cveMetadata": {"cveId": "CVE-2024-39249", "state": "PUBLISHED", "dateUpdated": "2024-08-26T14:46:02.177Z", "dateReserved": "2024-06-21T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-01T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input."}, {"lang": "es", "value": "Async <= 2.6.4 y <= 3.2.5 son vulnerables a ReDoS (Denegaci\u00f3n de servicio de expresi\u00f3n regular) mientras analiza la funci\u00f3n en la funci\u00f3n de autoinyecci\u00f3n."}], "id": "CVE-2024-39249", "lastModified": "2024-11-21T09:27:22.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-01T20:15:02.877", "references": [{"source": "cve@mitre.org", "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"}, {"source": "cve@mitre.org", "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"}, {"source": "cve@mitre.org", "url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153"}, {"source": "cve@mitre.org", "url": "https://github.com/zunak/CVE-2024-39249"}, {"source": "cve@mitre.org", "url": "https://github.com/zunak/CVE-2024-39249/issues/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/caolan/async/issues/1975#issuecomment-2204528153"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/zunak/CVE-2024-39249"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/zunak/CVE-2024-39249/issues/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.5.3-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.3-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.3-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:7443", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.3-3", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:10775", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.0-6", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHBA-2024:7523", "cpe": "cpe:/a:redhat:rhdh:1.3::el9", "package": "rhdh/rhdh-hub-rhel9:1.3-100", "product_name": "Red Hat Developer Hub 1.3 on RHEL 9", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2024:6235", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.1::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:9142fe58fad28a8b469b17bdd84fe6bbcb6830811a3b31c671142ce109739455", "product_name": "Red Hat Trusted Profile Analyzer 1.1", "release_date": "2024-09-03T00:00:00Z"}], "bugzilla": {"description": "nodejs-async: Regular expression denial of service while parsing function in autoinject", "id": "2295035", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295035"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-1333", "details": ["Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.", "A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input."], "name": "CVE-2024-39249", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "async", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Not affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Not affected", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Will not fix", "package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Will not fix", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Will not fix", "package_name": "network-observability/network-observability-console-plugin-rhel9", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Will not fix", "package_name": "workload-availability/node-remediation-console-rhel8", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Will not fix", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "async", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "openresty", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "async", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "async", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "async", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "async", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Will not fix", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-core-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Will not fix", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Will not fix", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "async", "product_name": "Red Hat Process Automation 7"}], "public_date": "2024-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39249\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39249\nhttps://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41\nhttps://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6\nhttps://github.com/zunak/CVE-2024-39249"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object