CVE-2020-28472
high-risk
Published 2021-01-19
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
Do I need to act?
1.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.3/10
High
NETWORK / LOW complexity
Affected Products (20)
Aws Sdk For Javascript
Aws Shared Configuration File Loader
Affected Vendors
References (12)
50 / 100
high-risk
Severity
26/34 · High
Exploitability
4/34 · Minimal
Exposure
20/34 · Moderate