CVE-2020-28472
Prototype Pollution vulnerability in aws-sdk (npm)

Prototype Pollution | No known exploit

What is CVE-2020-28472 About?

This vulnerability affects @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and aws-sdk before 2.814.0, arising from a prototype pollution flaw when parsing malicious INI files. Successful exploitation allows an attacker to poison object prototypes, which can lead to further attacks such as remote code execution depending on the application's context. Its ease of exploitation depends on how an application handles and parses untrusted INI files.

Affected Software

  • aws-sdk
    • <2.814.0
  • @aws-sdk/shared-ini-file-loader
    • <1.0.0-rc.9

Technical Details

The vulnerability lies in the loadSharedConfigFiles function within @aws-sdk/shared-ini-file-loader (and consequently aws-sdk). If a malicious INI file is supplied to an application that uses this function, the parsing process can lead to prototype pollution. Specifically, attacker-controlled keys or values within the INI file can be used to modify the Object.prototype, or other prototypes, by exploiting weaknesses in how JavaScript object properties are assigned during parsing. For instance, an attacker could craft an INI entry like __proto__.maliciousProperty=value to inject arbitrary properties into the global Object prototype, which would then be inherited by all subsequent objects. This can alter program behavior in unexpected ways, potentially leading to denial of service, information disclosure, or even remote code execution if other parts of the application rely on or mishandle these polluted properties.
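To make the parsing weakness concrete, the following is an added example and not the SDK's own code: a simplified INI parser with the section-indexing pattern the advisory describes, beside a hardened version, both run over a constructed config file containing a `[__proto__]` section.

```javascript
// Constructed sample INI (not a real AWS config): one benign profile plus
// a section whose name is __proto__, the pattern described in the advisory.
const SAMPLE_INI = [
  "[default]",
  "region = us-east-1",
  "[__proto__]",
  "polluted = yes",
].join("\n");

// Simplified parser illustrating the weakness: section names index a plain
// object, so a "[__proto__]" header resolves to Object.prototype itself.
function parseIniVulnerable(text) {
  const profiles = {};
  let section;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      section = header[1].trim();
      profiles[section] = profiles[section] || {}; // {}["__proto__"] is Object.prototype
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && section !== undefined) profiles[section][kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// Hardened variant: prototype-less containers, own-property checks, and an
// explicit deny-list for section and key names that reach the prototype chain.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function parseIniHardened(text) {
  const profiles = Object.create(null); // no prototype chain to reach
  let section;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      section = header[1].trim();
      if (FORBIDDEN.has(section)) { section = undefined; continue; } // drop the whole section
      if (!Object.prototype.hasOwnProperty.call(profiles, section)) profiles[section] = Object.create(null);
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (!kv || section === undefined || FORBIDDEN.has(kv[1].trim())) continue;
    profiles[section][kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// Runs a parser over the sample, probes whether a fresh object inherited the
// injected key, then removes it so the rest of the process is unaffected.
function runScenario(parser) {
  const profiles = parser(SAMPLE_INI);
  const polluted = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return { polluted, profiles };
}
```

Running `runScenario(parseIniVulnerable)` reports `polluted: true`, while `runScenario(parseIniHardened)` reports `polluted: false` and returns only the `default` profile.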

What is the Impact of CVE-2020-28472?

Successful exploitation may allow attackers to alter application logic, bypass security controls, cause denial of service, or potentially achieve arbitrary code execution via compromised object prototypes.

What is the Exploitability of CVE-2020-28472?

Exploitation requires an attacker to submit a specially crafted malicious INI file to an application that processes it using the vulnerable loadSharedConfigFiles function. The complexity of exploitation varies; it depends on the application's input validation and how it handles INI file uploads or inputs. No authentication is inherently required if the application accepts untrusted INI files, making it a remote attack vector. The primary prerequisite is the ability to provide input that the application will parse as an INI file using the affected libraries. The risk is significantly increased if the application directly processes user-supplied INI files without sanitization, or if subsequent code in the application relies on the integrity of object prototypes.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-28472?

Available Upgrade Options

  • @aws-sdk/shared-ini-file-loader
    • <1.0.0-rc.9 → Upgrade to 1.0.0-rc.9
  • aws-sdk
    • <2.814.0 → Upgrade to 2.814.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28472?

Similar Vulnerabilities: CVE-2019-11358, CVE-2019-7609, CVE-2020-28478, CVE-2020-28458, CVE-2021-23337