GHSA-rrc9-gqf8-8rwg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrc9-gqf8-8rwg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-rrc9-gqf8-8rwg/GHSA-rrc9-gqf8-8rwg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rrc9-gqf8-8rwg
- Aliases
- Published
- 2021-11-16T21:26:43Z
- Modified
- 2025-01-08T07:27:16.219042Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
- Details
-
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
- Database specific
{ "nvd_published_at": "2021-01-19T11:15:00Z", "github_reviewed_at": "2021-04-06T20:37:10Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-28472
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304
Affected packages
npm / aws-sdk
Package
- Name
- aws-sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/aws-sdk
npm / @aws-sdk/shared-ini-file-loader
Package
- Name
- @aws-sdk/shared-ini-file-loader
- View open source insights on deps.dev
- Purl
- pkg:npm/%40aws-sdk/shared-ini-file-loader