Description
This affects the package ini (packaged as nodejs-ini) before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they pollute the prototype in that application: a section or key named `__proto__` in the file is written onto `Object.prototype`, so the attacker's values appear as properties on every object in the process. How far this can be exploited depends on the context, that is, on what the application does with objects that suddenly carry unexpected properties.
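The mechanism described above, as an added example that is not the ini package's own source: a deliberately minimal INI parser whose section handling has the same shape as the flaw in ini before 1.3.6 (a `[__proto__]` section resolves to `Object.prototype`, so every key in it becomes a global property), beside a hardened variant. The 1.3.6 fix skips the `__proto__` name; the hardened parser here does that and additionally builds null-prototype containers. The function names, `UNSAFE_NAMES` and the sample INI text are constructed for this illustration.

```javascript
// Added example, not the ini package's own code. A simplified INI parser
// that reproduces the shape of the ini < 1.3.6 flaw, beside a hardened one.

// Constructed attacker-controlled input: the section name is __proto__.
const MALICIOUS_INI = [
  '[__proto__]',
  'polluted = yes',
  '',
  '[app]',
  'name = demo',
].join('\n');

const SECTION_RE = /^\[([^\]]*)\]$/;
const KV_RE = /^([^=]+?)\s*=\s*(.*)$/;

// Shared tokenizer: yields {section} or {key, value} records.
function* tokens(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = SECTION_RE.exec(line);
    if (sec) { yield { section: sec[1].trim() }; continue; }
    const kv = KV_RE.exec(line);
    if (kv) yield { key: kv[1].trim(), value: kv[2].trim() };
  }
}

// VULNERABLE: section names index a plain object. out['__proto__'] is
// Object.prototype (truthy, so it is never replaced), and every key of the
// [__proto__] section is then written onto Object.prototype itself.
function parseIniVulnerable(text) {
  const out = {};
  let current = out;
  for (const tok of tokens(text)) {
    if ('section' in tok) {
      if (!out[tok.section]) out[tok.section] = {};
      current = out[tok.section];
    } else {
      current[tok.key] = tok.value;
    }
  }
  return out;
}

// HARDENED: reject the dangerous names (as the 1.3.6 fix does for
// __proto__) and use null-prototype containers, so no name in the input
// can reach Object.prototype even if the deny-list is bypassed.
const UNSAFE_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function parseIniHardened(text) {
  const out = Object.create(null);
  let current = out;
  for (const tok of tokens(text)) {
    if ('section' in tok) {
      if (UNSAFE_NAMES.has(tok.section)) {
        // Drop the whole section: its keys land in a throwaway object.
        current = Object.create(null);
        continue;
      }
      if (!(tok.section in out)) out[tok.section] = Object.create(null);
      current = out[tok.section];
    } else if (!UNSAFE_NAMES.has(tok.key)) {
      current[tok.key] = tok.value;
    }
  }
  return out;
}

// Check: after parsing with `parse`, does a fresh object inherit the
// attacker's key? Cleans up afterwards so later checks start clean.
function pollutes(parse, text) {
  parse(text);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

function demo() {
  return {
    vulnerable: pollutes(parseIniVulnerable, MALICIOUS_INI), // true
    hardened: pollutes(parseIniHardened, MALICIOUS_INI),     // false
    appName: parseIniHardened(MALICIOUS_INI).app.name,       // 'demo'
  };
}

console.log(demo());
```

The check in `pollutes` is the one worth keeping in a test suite for any parser that maps untrusted keys onto objects: parse hostile input, then ask a brand-new `{}` whether it inherited something. Blocking only `__proto__` stops this CVE; `constructor.prototype` paths and plain-object containers are the next things an attacker reaches for, which is why the hardened parser does both.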
Statement
Node.js packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in the "nodejs-npm" component. Processing malicious files using npm could potentially trigger this vulnerability. The "ini" package bundled with npm was not in the library path where it could be included directly by other programs. The nodejs-nodemon packages in Red Hat Enterprise Linux and Red Hat Software Collections are affected by this vulnerability as they bundle the nodejs-ini library. Usage of that library is governed by nodemon itself, so applications started by nodemon are not impacted. Further, nodemon is a developer tool not intended to be used in production. The ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.
Affected packages
Platform | Package | State | Advisory | Release date
---|---|---|---|---
Red Hat Enterprise Linux 9 | nodejs | Not affected | |
Red Hat Quay 3 | yarnpkg-ini | Not affected | |
Red Hat Software Collections | rh-nodejs10-nodejs-nodemon | Out of support scope | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0548 | 16.02.2021
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0549 | 16.02.2021
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0551 | 16.02.2021
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:5171 | 16.12.2021
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2022:0350 | 01.02.2022
Red Hat Enterprise Linux 8.4 Extended Update Support | nodejs | Fixed | RHSA-2022:0246 | 25.01.2022
Red Hat Enterprise Linux 9 | nodejs-nodemon | Fixed | RHSA-2022:6595 | 20.09.2022
Additional information
CVSS3: 7.3 High
Related vulnerabilities
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Vulnerability in the ini library of the Аврора Центр application software, related to uncontrolled modification of object prototype attributes, which allows an attacker to carry out a prototype pollution attack