Vulnerability Description
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ini Project | Ini | < 1.3.6 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html (Mailing List, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-INI-1048974 (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-7788?
CVE-2020-7788 is a vulnerability with a CVSS score of 7.3 (HIGH). This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be ...
How severe is CVE-2020-7788?
CVE-2020-7788 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-7788?
Check the references section above for vendor advisories and patch information. Affected products include: Ini Project Ini, Debian Debian Linux.