Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13OThtLTJ4cWctOWN2as06lw
Remote Code Execution in paginator
There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate() function.
Impact
There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate() function. This will potentially affect all current users of Paginator prior to version >= 1.0.0.
Patches
The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version >=1.5.
Credits
Thank you to Peter Stöckli.
Permalink: https://github.com/advisories/GHSA-w98m-2xqg-9cvjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OThtLTJ4cWctOWN2as06lw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-w98m-2xqg-9cvj, CVE-2020-15150
References:
- https://github.com/duffelhq/paginator/security/advisories/GHSA-w98m-2xqg-9cvj
- https://nvd.nist.gov/vuln/detail/CVE-2020-15150
- https://github.com/duffelhq/paginator/commit/bf45e92602e517c75aea0465efc35cd661d9ebf8
- https://github.com/duffelhq/paginator/blob/ccf0f37fa96347cc8c8a7e9eb2c64462cec4b2dc/README.md#security-considerations
- https://hex.pm/packages/paginator
- https://github.com/advisories/GHSA-w98m-2xqg-9cvj
Blast Radius: 0.0
Affected Packages
hex:paginator
Dependent packages: 5Dependent repositories: 48
Downloads: 2,315,753 total
Affected Version Ranges: < 1.0.0
Fixed in: 1.0.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.6.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0