CVE-2020-7788

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-7788

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7788.json

Aliases

GHSA-qqgx-2p2h-9c37
SNYK-JS-INI-1048974

Related

ALSA-2021:0548
ALSA-2021:0549
ALSA-2021:0551
ALSA-2021:5171
ALSA-2022:0350
ALSA-2022:6595
DLA-2503-1
RLSA-2021:0548
RLSA-2021:0549
RLSA-2021:0551
RLSA-2021:5171
RLSA-2022:0350
RLSA-2022:6595

Published

2020-12-11T11:15:11Z

Modified

2023-11-29T08:35:44.919013Z

Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

References

https://snyk.io/vuln/SNYK-JS-INI-1048974
https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

Affected packages

Git / github.com/npm/ini

Affected ranges

Type: GIT
Repo: https://github.com/npm/ini
Events: Introduced

0The exact introduced commit is unknown

Fixed

56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

Affected versions

1.*

1.0.0

1.0.1

1.0.2

v1.*

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5