CVE-2020-28472: Prototype Pollution
First published: Tue Jan 19 2021(Updated: )
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Amazon Aws Sdk For Javascipt | <2.814.0 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-alpha1 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-alpha2 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-alpha3 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-beta1 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-beta2 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-beta3 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-beta4 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma1 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma2 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma3 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma4 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma5 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma6 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma7 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-gamma8 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-rc1 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-rc2 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-rc3 | |
| Amazon Aws Shared Configuration File Loader | =1.0.0-rc8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304
- collector/nvd-index
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/author
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/amazon
- canonical/amazon aws sdk for javascipt
- canonical/amazon aws shared configuration file loader
- version/amazon aws shared configuration file loader/1.0.0-alpha1
- version/amazon aws shared configuration file loader/1.0.0-alpha2
- version/amazon aws shared configuration file loader/1.0.0-alpha3
- version/amazon aws shared configuration file loader/1.0.0-beta1
- version/amazon aws shared configuration file loader/1.0.0-beta2
- version/amazon aws shared configuration file loader/1.0.0-beta3
- version/amazon aws shared configuration file loader/1.0.0-beta4
- version/amazon aws shared configuration file loader/1.0.0-gamma1
- version/amazon aws shared configuration file loader/1.0.0-gamma2
- version/amazon aws shared configuration file loader/1.0.0-gamma3
- version/amazon aws shared configuration file loader/1.0.0-gamma4
- version/amazon aws shared configuration file loader/1.0.0-gamma5
- version/amazon aws shared configuration file loader/1.0.0-gamma6
- version/amazon aws shared configuration file loader/1.0.0-gamma7
- version/amazon aws shared configuration file loader/1.0.0-gamma8
- version/amazon aws shared configuration file loader/1.0.0-rc1
- version/amazon aws shared configuration file loader/1.0.0-rc2
- version/amazon aws shared configuration file loader/1.0.0-rc3
- version/amazon aws shared configuration file loader/1.0.0-rc8