CVE-2020-7788

Published: Dic 11, 2020 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2020-1502 Aliases: GHSA-qqgx-2p2h-9c37

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: low

HIGH 7,5

Source: [email protected]

Access Vector: network

Access Complexity: low

Authentication: none

Confidentiality: partial

Integrity: partial

Availability: partial

Description

AI Translation Available

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0029

Percentile

0,5th

Updated

EPSS Score Trend (Last 90 Days)

1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Languages: JavaScript

View CWE Details

Application

Ini by Ini Project

Product Information

Vendor Ini Project

Product Ini

Version Range Affected

To 1.3.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:ini_project:ini:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Debian Linux by Debian

Product Information

Vendor Debian

Product Debian Linux

Version 9.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac…

Patch Third Party Advisory

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

https://lists.debian.org/debian-lts-announce/2020/12/msg000…

Mailing List Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html

https://snyk.io/vuln/SNYK-JS-INI-1048974

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JS-INI-1048974

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac…

Patch Third Party Advisory

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

https://lists.debian.org/debian-lts-announce/2020/12/msg000…

Mailing List Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html

https://snyk.io/vuln/SNYK-JS-INI-1048974

Exploit Third Party Advisory

https://snyk.io/vuln/SNYK-JS-INI-1048974

CVE-2020-7788

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Common Consequences

Applicable Platforms

Ini by Ini Project

Product Information

Debian Linux by Debian

Product Information

Iscriviti alla newsletter