VDB

CVE-2020-28472

CVE-2020-28472 PUBLISHED CVSS 7.300000190734863 HIGH

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.

EPSS 1.66% · 82.4th percentile

Risk Scores

CVSS 3.1
7.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
EPSS Score
1.66%
82.4th percentile

Affected Products

VendorProductVersions
amazonaws_shared_configuration_file_loader1.0.0, 1.0.0, 1.0.0
n/a@aws-sdk/shared-ini-file-loader*
npmaws-sdk0
n/aaws-sdkunspecified
aws-sdkshared-ini-file-loader0
amazonaws_sdk_for_javascipt0

Timeline

  • Jan 19, 2021 CVE Published
  • Apr 6, 2021 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›