critical
9.8
Advisory Published
Updated

CVE-2020-28472: Prototype Pollution

First published: Tue Jan 19 2021(Updated: )

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.

Credit: report@snyk.io

Affected SoftwareAffected VersionHow to fix
AWS SDK for JavaScript<2.814.0
Amazon AWS Shared Configuration File Loader=1.0.0-alpha1
Amazon AWS Shared Configuration File Loader=1.0.0-alpha2
Amazon AWS Shared Configuration File Loader=1.0.0-alpha3
Amazon AWS Shared Configuration File Loader=1.0.0-beta1
Amazon AWS Shared Configuration File Loader=1.0.0-beta2
Amazon AWS Shared Configuration File Loader=1.0.0-beta3
Amazon AWS Shared Configuration File Loader=1.0.0-beta4
Amazon AWS Shared Configuration File Loader=1.0.0-gamma1
Amazon AWS Shared Configuration File Loader=1.0.0-gamma2
Amazon AWS Shared Configuration File Loader=1.0.0-gamma3
Amazon AWS Shared Configuration File Loader=1.0.0-gamma4
Amazon AWS Shared Configuration File Loader=1.0.0-gamma5
Amazon AWS Shared Configuration File Loader=1.0.0-gamma6
Amazon AWS Shared Configuration File Loader=1.0.0-gamma7
Amazon AWS Shared Configuration File Loader=1.0.0-gamma8
Amazon AWS Shared Configuration File Loader=1.0.0-rc1
Amazon AWS Shared Configuration File Loader=1.0.0-rc2
Amazon AWS Shared Configuration File Loader=1.0.0-rc3
Amazon AWS Shared Configuration File Loader=1.0.0-rc8

Remedy

https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9

Remedy

https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2020-28472?

    The severity of CVE-2020-28472 is classified as high due to its potential to lead to prototype pollution in affected applications.

  • How do I fix CVE-2020-28472?

    To fix CVE-2020-28472, upgrade the @aws-sdk/shared-ini-file-loader package to version 1.0.0-rc.9 or later and the aws-sdk package to version 2.814.0 or later.

  • Which versions are affected by CVE-2020-28472?

    CVE-2020-28472 affects versions of the @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and aws-sdk before 2.814.0.

  • What impact does CVE-2020-28472 have on applications?

    CVE-2020-28472 can allow an attacker to submit a malicious INI file that may lead to prototype pollution, compromising application integrity.

  • Are there any known exploits for CVE-2020-28472?

    While specific exploits for CVE-2020-28472 have not been publicly disclosed, the vulnerability's nature poses a significant risk if left unaddressed.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203