{"id":"CVE-2020-28472","details":"This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the object prototype in the application (prototype pollution). This can be exploited further depending on the context.","aliases":["GHSA-rrc9-gqf8-8rwg"],"modified":"2026-05-15T12:03:14.799122757Z","published":"2021-01-19T11:15:13.027Z","related":["SNYK-JAVA-ORGWEBJARSBOWER-1059426","SNYK-JAVA-ORGWEBJARSNPM-1059425","SNYK-JS-AWSSDK-1059424","SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha1:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha2:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:alpha3:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta1:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta2:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta3:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:beta4:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc1:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc2:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc3:*:*:*:node.js:*:*","cpe:2.3:a:amazon:aws_shared_configuration_file_loader:1.0.0:rc8:*:*:*:node.js:*:*"],"extracted_events":[{"last_affected":"1.0.0-alpha1"},{"last_affected":"1.0.0-alpha2"},{"last_affected":"1.0.0-alpha3"},{"last_affected":"1.0.0-beta1"},{"last_affected":"1.0.0-beta2"},{"last_affected":"1.0.0-beta3"},{"last_affected":"1.0.0-beta4"},{"last_affected":"1.0.0-rc1"},{"last_affected":"1.0.0-rc2"},{"last_affected":"1.0.0-rc3"},{"last_affected":"1.0.0-rc8"}],"source":"
CPE_FIELD","vendor_product":"amazon:aws_shared_configuration_file_loader"}]},"references":[{"type":"FIX","url":"https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9"},{"type":"FIX","url":"https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}