CVE-2020-7788 — Prototype Pollution in Project INI

CWE-1321 — Prototype Pollution CWE-400 — Uncontrolled Resource Consumption6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 47.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

INI Project INI Debian Node-ini Debian Linux

Timeline

PublishedDec 11

Description

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5ini_project/iniunspecified — 1.3.6

▶NVDini_project/ini< 1.3.6

▶debiandebian/node-ini< node-ini 2.0.0-1 (bookworm)

▶npmini_project/ini< 1.3.6

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-7788: This affects the package ini before 1↗2020-12-11

▶

GHSA

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse↗2020-12-10

▶

OSV

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse↗2020-12-10

▶

📋Vendor Advisories

Red Hat

nodejs-ini: Prototype pollution via malicious INI file↗2020-12-08

▶

Debian

CVE-2020-7788: node-ini - This affects the package ini before 1.3.6. If an attacker submits a malicious IN...↗2020

▶