Description

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Remediation

References

https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html

https://snyk.io/vuln/SNYK-JS-INI-1048974

Related Vulnerabilities

CVE-2018-20677 Vulnerability in maven package org.webjars.bowergithub.jasny:bootstrap

CVE-2021-21141 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-1291 Vulnerability in maven package org.webjars.npm:github-com-hhurz-tableexport-jquery-plugin

CVE-2022-25940 Vulnerability in maven package org.webjars.npm:lite-server

CVE-2021-27516 Vulnerability in maven package org.webjars.bower:urijs

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Mailing List Exploit