ByteOS Network

NVD Vulnerability Details :

CVE-2020-28441

Analyzed

Source-report@snyk.io

Published At-25 Jul, 2022 | 14:15

Updated At-01 Aug, 2022 | 12:35

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary	3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 7.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CPE Matches

conf-cfg-ini_project>>conf-cfg-ini>>Versions before 1.2.2(exclusive)

cpe:2.3:a:conf-cfg-ini_project:conf-cfg-ini:*:*:*:*:*:node.js:*:*

Weaknesses

CWE ID	Type	Source
CWE-1321	Primary	nvd@nist.gov

CWE ID: CWE-1321

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a636ea	report@snyk.io	Patch Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973	report@snyk.io	Exploit Third Party Advisory

Hyperlink: https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a636ea

Source: report@snyk.io

Resource:

Patch

Third Party Advisory

Hyperlink: https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973

Source: report@snyk.io

Resource:

Exploit

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History