CVE-2020-7788

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-7788

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7788.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-7788

Aliases

GHSA-qqgx-2p2h-9c37
SNYK-JS-INI-1048974

Related

Published

2020-12-11T11:15:11Z

Modified

2024-09-18T03:11:33.392361Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

References

Affected packages

Debian:11 / node-ini

Package

Name: node-ini
Purl: pkg:deb/debian/node-ini?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-ini

Package

Name: node-ini
Purl: pkg:deb/debian/node-ini?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-ini

Package

Name: node-ini
Purl: pkg:deb/debian/node-ini?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/npm/ini

Affected ranges

Type: GIT
Repo: https://github.com/npm/ini
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

Affected versions

1.*

1.0.0

1.0.1

1.0.2

v1.*

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5