CVE-2020-28472
HIGH
@aws-sdk/shared-ini-file-loader <1.0.0-rc.9 - Prototype Pollution
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
References (6)
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
Patch, Third Party Advisory x_refsource_misc
https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
Patch, Third Party Advisory x_refsource_misc
https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
Scores
CVSS v3
7.3
EPSS
0.0166
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
Status
published
Products (4)
amazon/aws_sdk_for_javascipt
< 2.814.0
amazon/aws_shared_configuration_file_loader
1.0.0 alpha1 (19 CPE variants)
aws-sdk/shared-ini-file-loader
0 - 1.0.0-rc.9 (npm)
npm/aws-sdk
0 - 2.814.0 (npm)
Published
Jan 19, 2021
Tracked Since
Feb 18, 2026