Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk2cjctbXJxZi1qaGNj
Prototype Pollution in ini-parser
All versions of ini-parser
are vulnerable to prototype pollution. The parse
function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-96r7-mrqf-jhccJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk2cjctbXJxZi1qaGNj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-96r7-mrqf-jhcc, CVE-2020-7617
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7617
- https://github.com/rawiroaisen/node-ini-parser/blob/master/index.js#L14
- https://snyk.io/vuln/SNYK-JS-INIPARSER-564122
- https://www.npmjs.com/advisories/1508
- https://github.com/advisories/GHSA-96r7-mrqf-jhcc
Blast Radius: 23.2
Affected Packages
npm:ini-parser
Dependent packages: 12Dependent repositories: 233
Downloads: 3,811 last month
Affected Version Ranges: <= 0.0.2
No known fixed version
All affected versions: 0.0.1, 0.0.2