
CVE-2020-28441: conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.29419%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: conf-cfg-ini
Ecosystem: npm
Vulnerable Versions: < 1.2.2
First Patched Version: 1.2.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the decode function's handling of INI parsing. The patch adds validation checks for protected prototype-related keys (__proto__, __defineGetter__, etc.) in two critical places: 1) when creating new sections, and 2) when processing key-value pairs. The vulnerable versions lacked these checks, so a specially crafted section header or key could be used to modify Object.prototype. The commit diff shows these checks being added to the decode function, and the CVE description specifically names the decode method as the exploitation path.
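As an added illustration (not conf-cfg-ini's own code or its actual patch), the toy INI decoder below shows the two places the analysis above identifies, section creation and key-value assignment, and how a protected-name check at each of them closes the pollution path. The PROTECTED_KEYS list, the decodeIni name and its validate/dropped options are assumptions made for this example, and the crafted INI text is constructed.

```javascript
// Added example, not conf-cfg-ini's own code or its patch. A minimal INI
// decoder with the two validation points the advisory describes: section
// creation and key/value assignment. The protected-name list is an assumption
// (the advisory itself names __proto__ and __defineGetter__ "etc.").
const PROTECTED_KEYS = new Set([
  '__proto__', 'constructor', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
]);

function isProtectedKey(name) {
  return PROTECTED_KEYS.has(name);
}

// Decode INI text into { section: { key: value } }.
// validate=false reproduces the vulnerable pattern: section names and keys are
// used verbatim as property names, so "[__proto__]" resolves to Object.prototype
// and every key under it becomes visible on every object in the process.
// validate=true (the default) skips protected names and records them in
// `dropped` so the caller can log the event or reject the input outright.
function decodeIni(text, { validate = true, dropped = [] } = {}) {
  const out = {};
  let section = out; // current target object; null while inside a dropped section
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;

    // Validation point 1: section creation.
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const name = header[1].trim();
      if (validate && isProtectedKey(name)) {
        dropped.push({ kind: 'section', name });
        section = null;
        continue;
      }
      section = out[name] = out[name] || {};
      continue;
    }

    if (section === null) continue; // skip the body of a dropped section
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();

    // Validation point 2: key/value assignment.
    if (validate && isProtectedKey(key)) {
      dropped.push({ kind: 'key', name: key });
      continue;
    }
    section[key] = value;
  }
  return out;
}

// Constructed sample input: one crafted section followed by a legitimate one
// that also carries a protected key name.
const CRAFTED_INI = [
  '[__proto__]',
  'polluted = yes',
  '[database]',
  'host = db.internal',
  'constructor = x',
].join('\n');

// Self-check when run directly with node: prints the decoded config, the
// dropped names, and confirms a fresh object carries no "polluted" property.
if (typeof require !== 'undefined' && require.main === module) {
  const dropped = [];
  const cfg = decodeIni(CRAFTED_INI, { dropped });
  console.log(cfg, dropped, ({}).polluted);
}
```

The `dropped` list is the defender-side detail worth keeping: a parser that silently discards protected names hides the fact that someone fed it a crafted file, whereas logging or rejecting on a non-empty list turns the attempt into a signal.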


Description

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
