Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycTZ2LTMybXItOHA4eM06nQ
Null Byte Injection in Plug.Static
Plug.Static is used for serving static assets and is vulnerable to null byte injection. If the application provides file upload functionality, this can allow users to bypass filetype restrictions.
We recommend that all applications which provide file upload functionality and serve those uploaded files locally with Plug.Static upgrade immediately or include the fix below. If uploaded files are instead stored in and served from S3 or any other cloud storage, you are not affected.
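As an added illustration of the mitigation class the advisory describes (not the project's own fix and not code from this advisory), the following plug rejects any request whose path segments contain a null byte before Plug.Static sees them. The module name MyApp.RejectNullBytes and the endpoint wiring are assumptions for the example; it relies on Plug having already split and percent-decoded the request path into `conn.path_info`.

```elixir
defmodule MyApp.RejectNullBytes do
  # Hypothetical defensive plug (added example): a null byte has no legitimate
  # place in a static asset path, so any segment containing one is refused
  # with 400 and the pipeline is halted before Plug.Static runs.
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(%Plug.Conn{path_info: segments} = conn, _opts) do
    if Enum.any?(segments, &String.contains?(&1, <<0>>)) do
      conn
      |> send_resp(400, "Bad Request")
      |> halt()
    else
      conn
    end
  end
end

# In the (assumed) endpoint, place the check ahead of the static plug:
#
#   plug MyApp.RejectNullBytes
#   plug Plug.Static, at: "/", from: :my_app
```

Placing the plug before Plug.Static matters: a halted conn is not passed on, so the static file handler never resolves the tainted path. Upgrading to a fixed Plug version (1.3.2, 1.2.3, 1.1.7 or 1.0.4 per this advisory) remains the primary remedy; this plug is a belt-and-braces check for deployments that cannot upgrade immediately.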
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycTZ2LTMybXItOHA4eM06nQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2q6v-32mr-8p8x, CVE-2017-1000052
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000052
- https://elixirforum.com/t/security-releases-for-plug/3913
- https://github.com/advisories/GHSA-2q6v-32mr-8p8x
Affected Packages
hex:plug
Dependent packages: 859
Dependent repositories: 15,508
Downloads: 124,379,008 total
Affected Version Ranges: >= 1.3.0, < 1.3.2, >= 1.2.0, < 1.2.3, >= 1.1.0, < 1.1.7, < 1.0.4
Fixed in: 1.3.2, 1.2.3, 1.1.7, 1.0.4
All affected versions: 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1
All unaffected versions: 1.0.4, 1.0.5, 1.0.6, 1.1.7, 1.1.8, 1.1.9, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.15.2, 1.15.3