CVE-2020-7788

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2020-7788
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2020-12-11 11:15:00 UTC
Updated2022-12-02 19:40:00 UTC
DescriptionThis affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Risk And Classification

Problem Types: CWE-1321

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 9.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Application Ini Project Ini All All All All
Application Ini Project Ini All All All All

References

ReferenceSourceLinkTags
[SECURITY] [DLA 2503-1] node-ini security update MLIST lists.debian.org Mailing List, Third Party Advisory
Prototype Pollution in ini | Snyk MISC snyk.io Exploit, Third Party Advisory
do not allow invalid hazardous string as section name · npm/ini@56d2805 · GitHub MISC github.com Patch, Third Party Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Eugene Lim

LEGACY: Government Technology Agency Cyber Security Group

Legacy QID Mappings

  • 159554 Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2021-5171)
  • 159622 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2022-0350)
  • 160111 Oracle Enterprise Linux Security Update for nodejs and nodejs-nodemon (ELSA-2022-6595)
  • 239590 Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)
  • 239591 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)
  • 239970 Red Hat Update for nodejs:16 security (RHSA-2021:5171)
  • 240037 Red Hat Update for nodejs:14 security (RHSA-2022:0246)
  • 240051 Red Hat Update for nodejs:14 security (RHSA-2022:0350)
  • 240676 Red Hat Update for nodejs and nodejs-nodemon (RHSA-2022:6595)
  • 377388 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2021:0016)
  • 377422 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2022:0014)
  • 940231 AlmaLinux Security Update for nodejs:10 (ALSA-2021:0548)
  • 940253 AlmaLinux Security Update for nodejs:12 (ALSA-2021:0549)
  • 940254 AlmaLinux Security Update for nodejs:14 (ALSA-2021:0551)
  • 940355 AlmaLinux Security Update for nodejs:16 (ALSA-2021:5171)
  • 940448 AlmaLinux Security Update for nodejs:14 (ALSA-2022:0350)
  • 940678 AlmaLinux Security Update for nodejs and nodejs-nodemon (ALSA-2022:6595)
  • 960322 Rocky Linux Security Update for nodejs:16 (RLSA-2021:5171)
  • 960531 Rocky Linux Security Update for nodejs and nodejs-nodemon (RLSA-2022:6595)
  • 960749 Rocky Linux Security Update for nodejs:14 (RLSA-2021:0551)
  • 960803 Rocky Linux Security Update for nodejs:12 (RLSA-2021:0549)
  • 960843 Rocky Linux Security Update for nodejs:10 (RLSA-2021:0548)
  • 960863 Rocky Linux Security Update for nodejs:14 (RLSA-2022:0350)
  • 983801 Nodejs (npm) Security Update for ini (GHSA-qqgx-2p2h-9c37)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report