Update dependency ini to 1.3.6 [SECURITY] #105

renovate · 2021-04-26T17:25:46Z

This PR contains the following updates:

Package	Change
ini	`1.3.5` -> `1.3.6`

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

Update dependency ini to 1.3.6 [SECURITY]

d98213a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency ini to 1.3.6 [SECURITY] #105

Update dependency ini to 1.3.6 [SECURITY] #105

renovate bot commented Apr 26, 2021 •

edited

Update dependency ini to 1.3.6 [SECURITY] #105

Are you sure you want to change the base?

Update dependency ini to 1.3.6 [SECURITY] #105

Conversation

renovate bot commented Apr 26, 2021 • edited

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

Patches

Steps to reproduce

Configuration

renovate bot commented Apr 26, 2021 •

edited