CVE-2020-28472
📋 TL;DR
This is a prototype pollution vulnerability in the INI parser that the AWS SDK for JavaScript uses to read the shared config and credentials files (~/.aws/config and ~/.aws/credentials by default, or the paths named by the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables). A section header named __proto__ makes the parser write that section's keys onto Object.prototype, so every object in the Node.js process inherits attacker-chosen properties. Applications that use affected versions of @aws-sdk/shared-ini-file-loader (SDK v3) or aws-sdk (SDK v2) to parse an INI file an attacker can influence are affected. Pollution itself only plants properties; the impact depends on how the application and its dependencies consume them.
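To make the mechanism concrete, here is an added example that is not code from the AWS SDK: a simplified reconstruction of the loader's INI parsing loop (a plain object as the map, section name taken verbatim from the file), with the section-name blocklist that the linked fix introduces supplied as an optional argument so the pre-fix and post-fix behaviour can be run side by side. The function and constant names, the error text and the sample credentials file are this example's own, not the SDK's.

```javascript
// Added example, not the AWS SDK's code: a simplified reconstruction of the
// pre-fix INI parsing loop, with the section-name blocklist the fix adds as
// an optional argument. Names, error text and sample file are this example's.

const SECTION_RE = /^\s*\[([^\[\]]+)]\s*$/;
const ITEM_RE = /^\s*(.+?)\s*=\s*(.+?)\s*$/;

// ~/.aws/config writes profiles as "[profile name]", so both spellings matter.
const PROFILE_NAME_BLOCKLIST = ["__proto__", "profile __proto__"];

function parseIni(iniData, blockList = []) {
  const map = {}; // a plain object: its "__proto__" key is Object.prototype
  let currentSection;
  for (const rawLine of iniData.split(/\r?\n/)) {
    const line = rawLine.split(/(^|\s)[;#]/)[0]; // drop trailing comments
    const section = line.match(SECTION_RE);
    if (section) {
      currentSection = section[1];
      if (blockList.includes(currentSection)) {
        throw new Error(`Found invalid profile name "${currentSection}"`);
      }
    } else if (currentSection) {
      const item = line.match(ITEM_RE);
      if (item) {
        // With currentSection === "__proto__", map["__proto__"] is already
        // Object.prototype (truthy), so the next line writes onto it and
        // every object in the process inherits item[1].
        map[currentSection] = map[currentSection] || {};
        map[currentSection][item[1]] = item[2];
      }
    }
  }
  return map;
}

const parseIniVulnerable = (iniData) => parseIni(iniData, []);
const parseIniFixed = (iniData) => parseIni(iniData, PROFILE_NAME_BLOCKLIST);

// Constructed malicious credentials file: the section header is the payload,
// the key/value pair is what lands on Object.prototype.
const MALICIOUS_INI = [
  "[default]",
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  "[__proto__]",
  "polluted = yes",
].join("\n");

// Runs both parsers on the same input and records what an unrelated object
// sees before and after each; the pollution is removed again so the process
// is left clean.
function demonstrate() {
  const probe = () => ({}).polluted;
  const result = { beforeParse: probe() };
  parseIniVulnerable(MALICIOUS_INI);
  result.afterVulnerableParse = probe(); // "yes": every object now has it
  delete Object.prototype.polluted;
  try {
    parseIniFixed(MALICIOUS_INI);
    result.fixedOutcome = "parsed";
  } catch (e) {
    result.fixedOutcome = e.message;
  }
  result.afterFixedParse = probe();
  return result;
}
```

The only difference between the two paths is the check on the section name; everything else, including the map[currentSection] || {} idiom that makes the write reach Object.prototype, is unchanged, which is why the fix is a one-line rejection rather than a parser rewrite.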
💻 Affected Systems
- @aws-sdk/shared-ini-file-loader (AWS SDK for JavaScript v3), versions before 1.0.0-rc.9
- aws-sdk (AWS SDK for JavaScript v2), versions before 2.814.0
📦 What is this software?
Aws Shared Configuration File Loader by Amazon: the component of the AWS SDK for JavaScript that reads the shared config and credentials files. In SDK v3 it ships as the @aws-sdk/shared-ini-file-loader package; in SDK v2 the equivalent INI parser is bundled inside aws-sdk.
⚠️ Risk & Real-World Impact
Worst Case
Prototype pollution on its own only plants attacker-chosen properties on every object in the process. It becomes remote code execution, data exfiltration or full application compromise when some code path in the application or one of its dependencies reads an inherited property as a trusted setting (a command, path, template or option value) and acts on it.
Likely Case
Application instability, denial of service or altered behaviour: code that checks for a property with the in operator or plain truthiness, or iterates with for...in, suddenly sees attacker-supplied values on objects that were never assigned them.
If Mitigated
Limited impact where the shared config files are writable only by the application's own account and the loader is never handed externally supplied content; at most, application errors at configuration load time.
🎯 Exploit Status
Exploitation requires that the loader parse INI content the attacker controls: in practice, write access to the shared config or credentials file (~/.aws/config, ~/.aws/credentials), control over the AWS_CONFIG_FILE or AWS_SHARED_CREDENTIALS_FILE environment variables that redirect the loader to another path, or an application that hands user-supplied files to the loader. Once such a file is read, triggering the pollution needs only a section header named __proto__; turning that into something worse depends on how the application uses the polluted properties.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @aws-sdk/shared-ini-file-loader: 1.0.0-rc.9 or later; aws-sdk: 2.814.0 or later
Vendor Advisory: https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
Restart Required: Yes
Instructions:
1. SDK v3: make sure every resolved copy of @aws-sdk/shared-ini-file-loader is 1.0.0-rc.9 or later. It is normally a transitive dependency of the @aws-sdk/client-* and credential-provider packages, so update those; npm update only moves within the ranges already in package.json, so widen the range or update the package that pulls in a nested copy if it stays behind.
2. SDK v2: npm install aws-sdk@^2.814.0 (or any later 2.x release).
3. Rebuild any container images or bundles that vendor node_modules, then restart all affected applications and services: a polluted prototype lives for the lifetime of the Node.js process, so an already-running process stays polluted until it is restarted.
🔧 Temporary Workarounds
Input validation for INI files
Validate the source and content of any INI file before it reaches loadSharedConfigFiles (v3) or the v2 credential and config loaders: reject section headers named __proto__ (or profile __proto__), and only read files from locations the application owner controls.
Disable INI file loading
Supply credentials and region explicitly (environment variables, instance or container credentials, or an explicit credential provider) so that the default provider chain has no reason to consult the shared files. This narrows exposure but is not a substitute for patching, since other configuration lookups may still read those files.
🧯 If You Can't Patch
- Restrict write access to ~/.aws/config and ~/.aws/credentials (and to any path named by AWS_CONFIG_FILE or AWS_SHARED_CREDENTIALS_FILE) to the account the application runs as, and keep those two environment variables out of anything an attacker can influence
- Isolate the parsing: prototype pollution affects the whole Node.js process, so an in-process sandbox does not help. If untrusted INI content must be parsed, do it in a separate short-lived process and pass back only the extracted values
🔍 How to Verify
Check if Vulnerable:
package.json only records version ranges, so check the version actually installed, from the lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) or with the command below. The v3 loader is normally a transitive dependency of @aws-sdk/client-* packages, so look for nested copies too. Vulnerable: any copy of @aws-sdk/shared-ini-file-loader below 1.0.0-rc.9, or any copy of aws-sdk below 2.814.0.
Check Version:
npm ls aws-sdk @aws-sdk/shared-ini-file-loader
Verify Fix Applied:
Every copy of @aws-sdk/shared-ini-file-loader reported is 1.0.0-rc.9 or later and every copy of aws-sdk is 2.814.0 or later. A project that uses only one of the two SDK generations needs only that one to be fixed, but a project with both must fix both.
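The one-line check above still leaves two things to a human: semver precedence for pre-release tags such as 1.0.0-rc.8 versus 1.0.0-rc.9, and copies of the loader nested under other @aws-sdk packages. The following added example, which is not part of this advisory or of any AWS tooling, walks the JSON that npm ls --all --json prints and reports every affected copy together with the dependency path that pulls it in. The sample tree is constructed for the example; the fixed versions are the ones given above; all function names are the example's own.

```javascript
// Added example, not AWS tooling: flag affected copies of the two packages in
// the JSON that `npm ls --all --json` prints. Names are this example's own.

// Fixed versions from the advisory; anything below these is affected.
const FIXED_VERSIONS = {
  "aws-sdk": "2.814.0",
  "@aws-sdk/shared-ini-file-loader": "1.0.0-rc.9",
};

const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Pre-release identifiers: numeric ones compare numerically and rank below
// alphanumeric ones; alphanumeric ones compare lexically (semver 2.0.0, item 11).
function comparePreIdentifier(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return cmp(Number(a), Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return cmp(a, b);
}

// Comparator with full semver precedence, so 1.0.0-rc.9 < 1.0.0-rc.10 < 1.0.0.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    const c = cmp(x.core[i], y.core[i]);
    if (c !== 0) return c;
  }
  if (!x.pre.length && !y.pre.length) return 0;
  if (!x.pre.length) return 1;  // a release outranks any pre-release of it
  if (!y.pre.length) return -1;
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = comparePreIdentifier(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return cmp(x.pre.length, y.pre.length); // longer pre-release list wins
}

function isVulnerable(name, version) {
  const fixed = FIXED_VERSIONS[name];
  return fixed !== undefined && compareSemver(version, fixed) < 0;
}

// Walk the dependency tree; nested copies of a package get their own entry
// with the chain of packages that pulls them in.
function findVulnerable(tree) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      if (!dep || !dep.version) continue; // missing or invalid dependency entry
      const here = [...path, `${name}@${dep.version}`];
      if (isVulnerable(name, dep.version)) {
        hits.push({ name, version: dep.version, fixed: FIXED_VERSIONS[name], path: here.join(" > ") });
      }
      walk(dep, here);
    }
  };
  walk(tree, []);
  return hits;
}

// One line per finding, from the raw JSON text npm printed.
function report(jsonText) {
  return findVulnerable(JSON.parse(jsonText)).map(
    (h) => `${h.path}: ${h.name} ${h.version} is below fixed version ${h.fixed}`
  );
}

// Constructed sample shaped like `npm ls --all --json` output: one old v2 SDK,
// one old loader nested under a v3 client, and one fixed top-level loader.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "aws-sdk": { version: "2.799.0", dependencies: {} },
    "@aws-sdk/client-s3": {
      version: "1.0.0-rc.8",
      dependencies: {
        "@aws-sdk/shared-ini-file-loader": { version: "1.0.0-rc.8" },
      },
    },
    "@aws-sdk/shared-ini-file-loader": { version: "3.0.0" },
  },
};
```

Against a real project, capture npm ls --all --json to a file and pass its contents to report(); the nested hit in the sample is the case the plain npm ls line is easy to misread, because the top-level copy is fixed while the copy the client actually resolves is not.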
📡 Detection & Monitoring
Log Indicators:
- Changes to ~/.aws/config or ~/.aws/credentials (or to the files named by AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE) by anything other than the expected provisioning tooling; file integrity monitoring on those paths is the most direct signal
- A patched SDK refuses the malicious section name with an error at credential or config load time, so that error appearing in application logs means someone planted the payload
- Unexpected crashes or behaviour changes that begin immediately after the SDK loads its configuration
Network Indicators:
- Only relevant where the application accepts INI files over the network and hands them to the loader; an uploaded file containing a [__proto__] section header is the indicator
SIEM Query:
source="application_logs" AND ("loadSharedConfigFiles" OR "INI parsing") AND (error OR crash)
This is an illustrative pattern, not a platform-specific query: adapt the source and field names, and pair it with a second search over file-change events for the paths listed above.
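For a deployment that cannot patch yet, the workaround sections above and the detection section both come down to one question: does a file the loader is about to read contain a section name that would reach Object.prototype, and did anything get there anyway? This added example, which is not the SDK's code and not part of the original advisory, resolves the two file paths the SDK honours, scans their text for the section names the fix rejects without constructing any object from the content, and keeps a startup snapshot of Object.prototype so additions can be reported after the SDK has loaded its configuration. The function names and the sample file are the example's own; the default ~/.aws paths assume a POSIX home directory layout.

```javascript
// Added example, not the SDK's code: pre-load guard for the shared INI files
// and a post-load canary for Object.prototype. Names are this example's own.

const SECTION_RE = /^\s*\[([^\[\]]+)]\s*$/;
// Section names the patched loader refuses; ~/.aws/config writes profiles as
// "[profile name]", so both spellings reach Object.prototype on old versions.
const UNSAFE_SECTION_NAMES = ["__proto__", "profile __proto__"];

// The two files the SDK reads, honouring the same environment overrides it
// honours. Default paths assume a POSIX home layout (assumption of this example).
function sharedConfigPaths(env = process.env, homeDir = env.HOME) {
  const home = homeDir || "";
  return {
    credentialsFile: env.AWS_SHARED_CREDENTIALS_FILE || `${home}/.aws/credentials`,
    configFile: env.AWS_CONFIG_FILE || `${home}/.aws/config`,
  };
}

// Scan INI text for unsafe section headers. Only header lines are inspected
// and nothing is parsed into an object, so the scan itself cannot pollute.
// Surrounding whitespace is trimmed, which is deliberately more conservative
// than the loader's own matching.
function findUnsafeSections(iniText) {
  const findings = [];
  iniText.split(/\r?\n/).forEach((rawLine, index) => {
    const line = rawLine.split(/(^|\s)[;#]/)[0]; // drop trailing comments
    const match = line.match(SECTION_RE);
    if (match && UNSAFE_SECTION_NAMES.includes(match[1].trim())) {
      findings.push({ line: index + 1, section: match[1] });
    }
  });
  return findings;
}

// Guard to call before an unpatched SDK loads its shared files: given the
// contents of each file (read by the caller, keyed by path), throw if any
// contains an unsafe section. Returns true when everything is clean.
function assertSafeSharedConfig(files) {
  const problems = [];
  for (const [label, text] of Object.entries(files)) {
    for (const f of findUnsafeSections(text)) {
      problems.push(`${label}:${f.line}: section [${f.section}]`);
    }
  }
  if (problems.length) {
    throw new Error(`refusing to load shared config: ${problems.join("; ")}`);
  }
  return true;
}

// Canary: snapshot Object.prototype's own property names at startup; anything
// present later that was not in the snapshot is evidence of pollution.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeAdditions() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (name) => !PROTOTYPE_BASELINE.has(name)
  );
}

// Constructed sample: a config file carrying both spellings of the payload.
const MALICIOUS_CONFIG = [
  "[default]",
  "region = us-east-1",
  "output = json",
  "[__proto__]",
  "polluted = yes",
  "[profile __proto__]",
  "polluted = yes",
].join("\n");

function demo() {
  const paths = sharedConfigPaths({ AWS_CONFIG_FILE: "/etc/app/aws.ini" }, "/home/app");
  const findings = findUnsafeSections(MALICIOUS_CONFIG);
  let guard;
  try {
    assertSafeSharedConfig({ [paths.configFile]: MALICIOUS_CONFIG });
    guard = "loaded";
  } catch (e) {
    guard = e.message;
  }
  return { paths, findings, guard, additions: prototypeAdditions() };
}
```

Run the guard on the file contents before the SDK's credential or config resolution starts, and the canary after it has completed (in v3 that resolution is asynchronous, so check once the first client call has resolved rather than right after construction). The canary is also a cheap thing to emit into application logs on a schedule: a non-empty result is a high-confidence indicator that something in the process has polluted Object.prototype, whether through this loader or another path.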
🔗 References
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304