CVE-2020-28472: 
JavaScript vulnerability analysis and mitigation

CVE-2020-28472 affects the AWS SDK packages @aws-sdk/shared-ini-file-loader before version 1.0.0-rc.9 and aws-sdk before version 2.814.0. The vulnerability was discovered by Eugene Lim from the Government Technology Agency Cyber Security Group and was disclosed on January 14, 2021. This security issue involves a Prototype Pollution vulnerability that occurs when parsing INI files with the loadSharedConfigFiles function (NVD, Snyk).

The vulnerability allows an attacker to pollute the prototype of an application by submitting a malicious INI file that is parsed using the loadSharedConfigFiles function. When the application processes this file, properties can be injected into existing JavaScript language construct prototypes. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 7.3 (HIGH) from Snyk, indicating its severe nature (NVD, Snyk).

The exploitation of this vulnerability can lead to several serious consequences. It can cause denial of service by triggering JavaScript exceptions when Object holds generic functions that are implicitly called for various operations. Additionally, it can enable remote code execution if the codebase evaluates and executes specific attributes of an object. The vulnerability can also allow property injection, where attackers can pollute properties used for security purposes, potentially leading to privilege escalation (Snyk).

The vulnerability has been patched in aws-sdk version 2.814.0 and @aws-sdk/shared-ini-file-loader version 1.0.0-rc.9. Users should upgrade to these versions or later. For those unable to upgrade immediately, recommended preventive measures include freezing the prototype using Object.freeze(Object.prototype), implementing schema validation for JSON input, avoiding unsafe recursive merge functions, and using objects without prototypes or using Map instead of Object (Snyk).