{"containers": {"cna": {"affected": [{"product": "ini", "vendor": "n/a", "versions": [{"lessThan": "1.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eugene Lim"}, {"lang": "en", "value": "Government Technology Agency Cyber Security Group"}], "datePublic": "2020-12-11T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 6.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-21T16:06:11", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"}, {"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"}], "title": "Prototype Pollution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-12-11T10:43:26.139627Z", "ID": "CVE-2020-7788", "STATE": "PUBLIC", "TITLE": "Prototype Pollution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ini", "version": {"version_data": [{"version_affected": "<", "version_value": "1.3.6"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Eugene Lim"}, {"lang": "eng", "value": "Government Technology Agency Cyber Security Group"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-INI-1048974", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"}, {"name": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", "refsource": "MISC", "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"}, {"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:01.567Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"}, {"name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7788", "datePublished": "2020-12-11T10:45:14.077606Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T23:41:44.616Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ini_project:ini:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "93EF44F5-672B-4AF8-8C37-888F3065C28E", "versionEndExcluding": "1.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."}, {"lang": "es", "value": "Esto afecta al paquete ini versiones anteriores a 1.3.6.&#xa0;Si un atacante env\u00eda un archivo INI malicioso a una aplicaci\u00f3n que lo analiza con ini.parse, contaminar\u00e1 el prototipo de la aplicaci\u00f3n.&#xa0;Esto puede ser explotado a\u00fan m\u00e1s dependiendo del contexto"}], "id": "CVE-2020-7788", "lastModified": "2022-12-02T19:40:15.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2020-12-11T11:15:11.447", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0548", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:10-8030020210118191659.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0549", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8030020210129141730.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0551", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:14-8030020210126165503.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:5171", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8050020211206113934.c5368500", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-12-16T00:00:00Z"}, {"advisory": "RHSA-2022:0350", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:14-8050020211213115342.c5368500", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-02-01T00:00:00Z"}, {"advisory": "RHSA-2022:0246", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "nodejs:14-8040020211213111158.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-01-25T00:00:00Z"}, {"advisory": "RHSA-2022:6595", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-nodemon-0:2.0.19-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-20T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2021:0421", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.15.4-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0521", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.23.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-15T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}], "bugzilla": {"description": "nodejs-ini: Prototype pollution via malicious INI file", "id": "1907444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907444"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", "A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."], "name": "CVE-2020-7788", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "yarnpkg-ini", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Out of support scope", "package_name": "rh-nodejs10-nodejs-nodemon", "product_name": "Red Hat Software Collections"}], "public_date": "2020-12-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7788\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7788"], "statement": "Node.JS packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in \"nodejs-npm\" component. Processing malicious files using npm could potentially trigger this vulnerability. The \"ini\" package bundled with npm was not in the library path where it could be included directly in other programs.\nThe nodejs-nodemon packages in Red Hat Enterprise Linux and Red Hat Software Collections are affected by this vulnerability as they bundle the nodejs-ini library. Usage of that library is governed by nodemon itself, so applications started by nodemon are not impacted. Further, nodemon is a developer tool not intended to be used in production.\nThe ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.", "threat_severity": "Moderate", "upstream_fix": "nodejs-ini 1.3.6"}