User tests: Successful: Unsuccessful:
Bumps ini from 1.3.5 to 1.3.7. This update includes a security fix.
Sourced from The GitHub Security Advisory Database.
Prototype Pollution

Overview

The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6.

Steps to reproduce

payload.ini:

```ini
[__proto__]
polluted = "polluted"
```

poc.js:

```js
var fs = require('fs')
```
... (truncated)
Affected versions: < 1.3.6
This version was pushed to npm by isaacs, a new releaser for ini since your current version.
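Added example, not code from this PR, from the advisory or from the `ini` package: a small INI parser that reproduces the pollution pattern the advisory describes (a `[__proto__]` section header turning `out[section]` into `Object.prototype`), beside a hardened parser that cannot be steered onto the prototype chain. The vulnerable function only mirrors that `out[section] = out[section] || {}` shape and is not the package's source; dropping a hazardous section is this example's choice, since the page does not describe how 1.3.6 fixed it; `iniRecords`, `parseIniUnsafe`, `parseIniSafe`, `HAZARDOUS` and `demo` are names introduced here, and `PAYLOAD` is a constructed copy of the advisory's payload.ini.

```javascript
// Added example (not code from this PR or from the ini package). It re-creates
// the advisory's pollution pattern in a tiny INI parser so the failure can be
// observed offline, then shows a hardened parser. Assumptions: the vulnerable
// parser only mirrors the "out[section] = out[section] || {}" shape and is not
// the package's source; PAYLOAD is a constructed copy of payload.ini.

// Yield {type:'section', name} and {type:'kv', key, value} records for each
// meaningful line. Blank lines and ';' or '#' comments are skipped.
function* iniRecords(text) {
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const section = /^\[([^\]]*)\]$/.exec(line);
    if (section) {
      yield { type: 'section', name: section[1].trim() };
      continue;
    }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (!kv) continue;                       // ignore malformed lines
    let value = kv[2].trim();
    if (value.length > 1 && value[0] === '"' && value[value.length - 1] === '"') {
      value = value.slice(1, -1);            // strip surrounding double quotes
    }
    yield { type: 'kv', key: kv[1].trim(), value };
  }
}

// Vulnerable: section names and keys are used as plain property names on an
// ordinary object. out['__proto__'] resolves to Object.prototype, so every key
// in a "[__proto__]" section is written onto the prototype shared by all objects.
function parseIniUnsafe(text) {
  const out = {};
  let current = out;
  for (const rec of iniRecords(text)) {
    if (rec.type === 'section') {
      current = out[rec.name] = out[rec.name] || {};
    } else {
      current[rec.key] = rec.value;
    }
  }
  return out;
}

// Hardened: null-prototype containers (there is no prototype chain to reach)
// plus an explicit deny-list so hazardous names never become sections or keys.
// Dropping such a section is this example's choice, not necessarily ini's fix.
const HAZARDOUS = new Set(['__proto__', 'constructor', 'prototype']);

function parseIniSafe(text) {
  const out = Object.create(null);
  let current = out;
  for (const rec of iniRecords(text)) {
    if (rec.type === 'section') {
      if (HAZARDOUS.has(rec.name)) {
        current = Object.create(null);      // keep parsing, never attach
        continue;
      }
      if (!(rec.name in out)) out[rec.name] = Object.create(null);
      current = out[rec.name];
    } else if (!HAZARDOUS.has(rec.key)) {
      current[rec.key] = rec.value;
    }
  }
  return out;
}

// Constructed copy of the advisory's payload.ini.
const PAYLOAD = '[__proto__]\npolluted = "polluted"\n';

// Run both parsers on the payload and report whether a fresh, unrelated
// object picked up the injected property. The unsafe run is undone so the
// global side effect does not leak into the safe run.
function demo() {
  delete Object.prototype.polluted;
  parseIniUnsafe(PAYLOAD);
  const afterUnsafe = ({}).polluted;       // 'polluted': every object has it now
  delete Object.prototype.polluted;
  const parsed = parseIniSafe(PAYLOAD);
  const afterSafe = ({}).polluted;         // undefined
  return { afterUnsafe, afterSafe, safeKeys: Object.keys(parsed) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node poc-demo.js`: the unsafe parse makes `({}).polluted` evaluate to `"polluted"` for every object in the process, which is the advisory's observation that "they will pollute the prototype on the application"; the hardened parse leaves an empty result and no prototype change. Against the real package the same check (`({}).polluted` after `ini.parse`) distinguishes a vulnerable install from 1.3.6 or later.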
| Field | Old | ⇒ | New |
|---|---|---|---|
| Status | New | ⇒ | Pending |
| Category | | ⇒ | NPM Change |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-12-11 11:52:57 |
| Closed_By | | ⇒ | wilsonge |
| Labels | | ⇒ | Added: NPM Resource Changed |
thanks
@mattpilleul completely unrelated to this PR which was already merged yesterday. Please open a new issue
Sorry mate! Just removed my comments.
Thanks!