CVE-2020-28472

{"id": "CVE-2020-28472", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-01-19T11:15:13.027", "references": [{"url": "https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9", "tags": ["Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611", "tags": ["Patch", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context."}, {"lang": "es", "value": "Esto afecta al paquete @aws-sdk/shared-ini-file-loader versiones anteriores a 1.0.0-rc.9; el paquete aws-sdk versiones anteriores a 2.814.0. Si un atacante env\u00eda un archivo INI malicioso hacia una aplicaci\u00f3n que lo analiza con la funci\u00f3n loadSharedConfigFiles, contaminar\u00e1 el prototipo de la aplicaci\u00f3n. Esto puede ser explotado a\u00fan m\u00e1s dependiendo del contexto"}], "lastModified": "2024-11-21T05:22:51.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_sdk_for_javascipt:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4B9D15C1-7835-40B7-86A0-BEC86A09377B", "versionEndExcluding": "2.814.0"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E4CC8788-7AEE-4613-B931-A69DA0630877"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8ED57E34-4BEC-4BB3-98B1-B98BA1E0ADD9"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AA8CF45E-E139-46EB-A651-636EC6496359"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "74038A5B-4691-460B-85F6-E5CD819EE40B"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E7D3816B-AF57-4882-B2C9-5E9525384389"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9F0D0480-6C83-4965-A28C-7A454BF7B746"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AE2DBB1D-F20D-4D84-A55B-9407C175A5A4"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DC401A8E-508D-44A0-AE88-6DF6D2A8B385"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "14D7C530-E946-4F93-AD45-5FB44DA84D44"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "2508E88C-3C1C-494F-AA87-78C50BBD375D"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CCD4DCF2-AE3D-4F48-BD70-1EE4E901A6F4"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "FC1163F8-369C-47DA-B2BA-B928E7677C7F"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CA2BAEC0-C485-45F4-B949-F4BD0DE4DAA0"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C789D328-FEC7-4686-B266-AF6A5E0D5F53"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:gamma8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "920F1CDF-2DDB-4676-AA90-6D0BE69C5C69"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "32E0E5F4-87AB-4A23-8ADE-021E9FAD1EF5"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8ECDEF82-7A6B-414A-9D4E-9DE60791659D"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7F4C56E0-3038-402C-9BA5-495B0AF4045B"}, {"criteria": "cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CAEDBEC9-7C13-4634-BC34-E13698BEDC6F"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}