Description

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Remediation

References

https://snyk.io/vuln/SNYK-JS-INI-1048974

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html

Related Vulnerabilities

CVE-2023-45857 Vulnerability in maven package org.webjars.bowergithub.axios:axios

CVE-2020-7765 Vulnerability in npm package @firebase/util

CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http3:http3-qpack

CVE-2021-32641 Vulnerability in npm package auth0-lock

CVE-2022-4520 Vulnerability in maven package org.wso2.carbon.registry:org.wso2.carbon.registry.search.ui

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch Mailing List