9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-28441

GHSA ID

GHSA-m6mg-jvjf-w44x

EPSS Score

0.29419%

CWE

CWE-1321

Published

7/26/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-28441

CVE-2020-28441: conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-28441

CVE-2020-28441:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-28441

GHSA ID

GHSA-m6mg-jvjf-w44x

EPSS Score

0.29419%

CWE

CWE-1321

Published

7/26/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
conf-cfg-ini	npm	< 1.2.2	1.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the decode function's handling of INI parsing. The patch adds validation checks for protected prototype-related keys (proto, defineGetter, etc.) in two critical areas: 1) When creating new sections, and 2) When processing key-value pairs. The vulnerable versions lacked these checks, allowing attackers to use specially crafted section headers or keys to modify the Object prototype. The commit diff clearly shows these security checks were added to the decode function, and the CVE description specifically mentions exploitation through the decode method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-28441: conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

CVE-2020-28441:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2020-28441: conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

9.8

9.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI