CVE-2020-28472 Information

Jun 07, 2022 cve

Description

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles they will pollute the prototype on the application. This can be exploited further depending on the context.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425 https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426 https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611 https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: