Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01djRtLWM3M3YtYzdncc06ng

Arbitrary Code Execution in Cookie Serialization

The default serialization used by Plug session may result in code execution
in certain situations. Keep in mind, however, the session cookie is signed
and this attack can only be exploited if the attacker has access to your
secret key as well as your signing/encryption salts. We recommend users to
change their secret key base and salts if they suspect they have been leaked,
regardless of this vulnerability.

Permalink: https://github.com/advisories/GHSA-5v4m-c73v-c7gq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01djRtLWM3M3YtYzdncc06ng
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-5v4m-c73v-c7gq, CVE-2017-1000053
References:

Affected Packages

hex:plug
Dependent packages: 859
Dependent repositories: 15,508
Downloads: 122,949,949 total
Affected Version Ranges: >= 1.3.0, < 1.3.2, >= 1.2.0, < 1.2.3, >= 1.1.0, < 1.1.7, < 1.0.4
Fixed in: 1.3.2, 1.2.3, 1.1.7, 1.0.4
All affected versions: 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1
All unaffected versions: 1.0.4, 1.0.5, 1.0.6, 1.1.7, 1.1.8, 1.1.9, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.15.2, 1.15.3