Main Vulnerability Database SB2020121120

SB2020121120 - Prototype pollution in INI for Node.js

Published: December 11, 2020 Updated: September 5, 2022

Security Bulletin ID SB2020121120

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Prototype pollution (CVE-ID: CVE-2020-7788)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.

Remediation

Install update from vendor's website.

References

https://snyk.io/vuln/SNYK-JS-INI-1048974
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
https://github.com/advisories/GHSA-qqgx-2p2h-9c37