Lucene search

GoogleOSV:GHSA-M939-VRFP-9V8P

HistoryJul 26, 2022 - 12:01 a.m.

js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`

2022-07-2600:01:05

Google

osv.dev

prorotype pollution

js-ini

malicious ini files

parse

application security

exploitation

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

References

github.com/Sdju/js-ini

github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e

nvd.nist.gov/vuln/detail/CVE-2020-28461

security.snyk.io/vuln/SNYK-JS-JSINI-1048970

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

Related for OSV:GHSA-M939-VRFP-9V8P