SCA: security update for modern-async (GHSA-3pcq-34w5-p4g2)

high Tenable Self-Hosted Container Security Plugin ID 409625

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- modern-async is an open source JavaScript tooling library for asynchronous operations using async/await
and promises. In affected versions, a bug affects two of the functions in this library: forEachSeries and
forEachLimit. They should limit the concurrency of some actions but, in practice, they don't. Any code
calling these functions will have been written on the assumption that they limit concurrency, but they
do not. This could lead to potential security issues in other projects. The problem has been patched in
1.0.4. There is no workaround. (CVE-2021-41167)

See Also

https://github.com/advisories/GHSA-3pcq-34w5-p4g2

Plugin Details

Severity: High

ID: 409625

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-41167

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/21/2021

Vulnerability Publication Date: 10/20/2021

Reference Information

CVE: CVE-2021-41167