PT-2020-2800 · Iniparser · Iniparser

Published

2020-04-01

Updated

2020-06-10

CVE-2020-7617

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ini-parser versions 0.0.2 and earlier ini-parser through 0.0.2

Description The issue is caused by an uncontrolled resource consumption in the parse function of the ini-parser package, which can lead to arbitrary code execution. The library can be tricked into adding or modifying properties of Object.prototype using a ' proto ' payload, allowing an attacker to add or modify existing properties that will exist on all objects.

Recommendations For ini-parser versions 0.0.2 and earlier, consider using an alternative package until a fix is made available. For ini-parser through 0.0.2, consider using an alternative package until a fix is made available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Prototype Pollution

Code Injection

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321CWE-94CWE-915CWE-400

Related Identifiers

BDU:2020-02928

CVE-2020-7617

GHSA-96R7-MRQF-JHCC

SNYK-JS-INIPARSER-564122

Affected Products

Iniparser

PT-2020-2800 · Iniparser · Iniparser

CVE-2020-7617

Weakness Enumeration

Related Identifiers

Affected Products

References · 9