This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. Reference: https://snyk.io/vuln/SNYK-JS-INI-1048974 Upstream patch: https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
Created nodejs-ini tracking bugs for this issue: Affects: epel-7 [bug 1907446] Affects: fedora-32 [bug 1907445]
Statement: Node.JS packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in "nodejs-npm" component. Processing malicious files using npm could potentially trigger this vulnerability. The "ini" package bundled with npm was not in the library path where it could be included directly in other programs. The ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0421 https://access.redhat.com/errata/RHSA-2021:0421
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7788
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0485 https://access.redhat.com/errata/RHSA-2021:0485
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:0521 https://access.redhat.com/errata/RHSA-2021:0521
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0548 https://access.redhat.com/errata/RHSA-2021:0548
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0549 https://access.redhat.com/errata/RHSA-2021:0549
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0551 https://access.redhat.com/errata/RHSA-2021:0551
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595