Lucene search

SnykCVELIST:CVE-2020-28461

HistoryJul 25, 2022 - 2:06 p.m.

CVE-2020-28461 Prototype Pollution

2022-07-2514:06:46

snyk

www.cve.org

cve-2020-28461

js-ini package

prototype pollution

parse

malicious ini file

application security

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

CNA Affected

[
  {
    "product": "js-ini",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "1.3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e

security.snyk.io/vuln/SNYK-JS-JSINI-1048970

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

Related for CVELIST:CVE-2020-28461