CVE-2020-7788

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
ini_projectini
𝑥
< 1.3.6
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-ini
bullseye
2.0.0-1
fixed
sid
3.0.1-2
fixed
trixie
3.0.1-2
fixed
bookworm
3.0.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-ini
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
bionic
needed
xenial
needed
trusty
needed
Common Weakness Enumeration
References
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
https://snyk.io/vuln/SNYK-JS-INI-1048974
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
https://snyk.io/vuln/SNYK-JS-INI-1048974