CVE-2020-28472
PUBLISHED
CVSS 7.3 HIGH
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
EPSS 1.66% · 82.4th percentile
Risk Scores
CVSS 3.1
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
EPSS Score
1.66%
82.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| amazon | aws_shared_configuration_file_loader | 1.0.0, 1.0.0, 1.0.0 |
| n/a | @aws-sdk/shared-ini-file-loader | * |
| npm | aws-sdk | 0 |
| n/a | aws-sdk | unspecified |
| aws-sdk | shared-ini-file-loader | 0 |
| amazon | aws_sdk_for_javascript | 0 |
Exploit Intelligence
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426 (nist-nvd)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425 (nist-nvd)
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 (nist-nvd)
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304 (nist-nvd)
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 (circl)
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611 (circl)
Timeline
- Jan 19, 2021 CVE Published
- Apr 6, 2021 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304 url
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424 url
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425 url
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426 url
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9 url
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611 url
- https://nvd.nist.gov/vuln/detail/CVE-2020-28472 advisory