PT-2021-11539 · Amazon · @Aws-Sdk/Shared-Ini-File-Loader+1
Eugene Lim · Published 2021-01-19 · Updated 2021-11-16 · CVE-2020-28472
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
@aws-sdk/shared-ini-file-loader versions prior to 1.0.0-rc.9
aws-sdk versions prior to 2.814.0
Description:
The issue arises when an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles. This can lead to prototype pollution on the application, which can be exploited further depending on the context.
Recommendations:
For @aws-sdk/shared-ini-file-loader versions prior to 1.0.0-rc.9, update to version 1.0.0-rc.9 or later.
For aws-sdk versions prior to 2.814.0, update to version 2.814.0 or later.
As a temporary workaround, consider restricting the use of the loadSharedConfigFiles function until a patch is available.
Exploit
Fix
Prototype Pollution
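To make the weakness class concrete, here is an added example that is not the aws-sdk's own code and makes no claim about how loadSharedConfigFiles is implemented internally. It contrasts a naive INI-style parser, where a section header named `__proto__` resolves to `Object.prototype` and every key under it lands on every object in the process, with a hardened parser that builds prototype-less objects and refuses the dangerous key names outright. The sample INI text, the function names and the `polluted` property are all constructed for this illustration.

```javascript
// Added example (not aws-sdk code): naive vs. hardened INI parsing.
// Key names that can reach a prototype or constructor when used as property names.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed sample input: a normal profile followed by a section whose name
// targets Object.prototype (hypothetical; not taken from the advisory).
const SAMPLE_INI = [
  "[default]",
  "region = us-east-1",
  "; comment line",
  "[__proto__]",
  "polluted = yes",
].join("\n");

// Splits "key = value" on the first "=" and trims both halves.
function splitKeyValue(line) {
  const eq = line.indexOf("=");
  if (eq === -1) return null;
  return [line.slice(0, eq).trim(), line.slice(eq + 1).trim()];
}

// Naive parser: plain objects, no key filtering.
function parseIniNaive(text) {
  const result = {};
  let current = result;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      const name = section[1].trim();
      // BUG: result["__proto__"] is Object.prototype, so `current` now points at it.
      current = result[name] = result[name] || {};
      continue;
    }
    const kv = splitKeyValue(line);
    if (kv) current[kv[0]] = kv[1];
  }
  return result;
}

// Hardened parser: prototype-less containers plus explicit rejection of
// forbidden names, so a hostile file fails loudly instead of polluting.
function parseIniSafe(text) {
  const result = Object.create(null); // no prototype chain to walk into
  let current = result;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      const name = section[1].trim();
      if (FORBIDDEN_KEYS.has(name)) {
        throw new Error(`refusing to parse section named "${name}"`);
      }
      if (!Object.prototype.hasOwnProperty.call(result, name)) {
        result[name] = Object.create(null);
      }
      current = result[name];
      continue;
    }
    const kv = splitKeyValue(line);
    if (!kv) continue;
    if (FORBIDDEN_KEYS.has(kv[0])) {
      throw new Error(`refusing to set key named "${kv[0]}"`);
    }
    current[kv[0]] = kv[1];
  }
  return result;
}

// Shows the naive parser leaking a value onto every object, then cleans up
// so the rest of the process is not left polluted.
function naiveParserPollutesPrototype() {
  const before = {}.polluted;
  parseIniNaive(SAMPLE_INI);
  const after = {}.polluted;
  delete Object.prototype.polluted;
  return before === undefined && after === "yes";
}

// Shows the hardened parser rejecting the same input without side effects.
function safeParserRejects() {
  try {
    parseIniSafe(SAMPLE_INI);
    return false;
  } catch (e) {
    return {}.polluted === undefined;
  }
}

console.log("naive parser pollutes:", naiveParserPollutesPrototype()); // true
console.log("safe parser rejects:", safeParserRejects()); // true
```

The explicit rejection of the forbidden names matters even though `Object.create(null)` already prevents the setter from firing inside the parser: if the parsed result is later merged into an ordinary object with `Object.assign` or a spread into a normal literal, an own property literally named `__proto__` would be copied with `[[Set]]` semantics and hit the setter at that point. Failing the parse is also what gives a detection signal; silently dropping the key hides the fact that a hostile config file reached the loader.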
Weakness Enumeration
Related Identifiers
Affected Products
@Aws-Sdk/Shared-Ini-File-Loader
Aws Sdk