GHSA-2q6v-32mr-8p8x

Source
https://github.com/advisories/GHSA-2q6v-32mr-8p8x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2q6v-32mr-8p8x/GHSA-2q6v-32mr-8p8x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2q6v-32mr-8p8x
Aliases
Published
2022-04-12T21:20:20Z
Modified
2023-11-08T03:58:42.147028Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Null Byte Injection in Plug.Static
Details

Plug.Static serves static assets from the local filesystem and is vulnerable to null byte injection: a NUL byte (sent as %00) embedded in the request path is not rejected before the path is used to locate and serve a file. In applications that accept file uploads and serve those uploaded files from local disk through Plug.Static, this lets a user bypass file type restrictions. Such applications should upgrade immediately to a fixed version (see the affected ranges below) or backport the upstream fix (the patch the original advisory refers to is not reproduced on this page). Applications that store uploaded files in S3 or another cloud storage service and serve them from there rather than through Plug.Static are not affected.
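The shape of the mitigation, as an added example (this is not code from the Plug project and not the upstream patch): a small plug, with an assumed module name MyApp.Plugs.RejectNulBytes and assumed upload paths, that refuses any request whose path contains a NUL byte before Plug.Static sees it. The moduledoc also records why the byte matters here: a static file handler picks the Content-Type from the extension of the requested path but opens the file by name, so if the underlying file API stops reading the name at a NUL, the two can be made to disagree.

```elixir
# Added example; not code from the Plug project and not the upstream patch.
# Module name, plug ordering and upload paths below are illustrative assumptions.
defmodule MyApp.Plugs.RejectNulBytes do
  @moduledoc """
  Rejects any request whose path carries a NUL (0x00) byte with 400 Bad Request.

  A static file handler that maps the request path onto a filesystem path and
  derives the Content-Type from the path's extension can be abused when the two
  disagree: "avatar.png%00.html" ends in ".html" for MIME purposes, while a
  file API that treats NUL as a string terminator would open "avatar.png".
  Refusing the request outright removes that ambiguity. Mount this plug ahead
  of Plug.Static so the static handler never sees such a path.
  """
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(%Plug.Conn{} = conn, _opts) do
    if nul_in_path?(conn) do
      conn
      |> put_resp_content_type("text/plain")
      |> send_resp(400, "Bad Request")
      |> halt()
    else
      conn
    end
  end

  # Check every path segment both as received and after percent-decoding, so a
  # literal NUL and an encoded "%00" are both caught regardless of whether the
  # adapter has already decoded the segments.
  defp nul_in_path?(%Plug.Conn{path_info: segments}) do
    Enum.any?(segments, &nul_segment?/1)
  end

  defp nul_segment?(segment) do
    String.contains?(segment, <<0>>) or String.contains?(decode(segment), <<0>>)
  end

  # URI.decode/1 raises ArgumentError on malformed percent-encoding; treat that
  # as invalid input (return a NUL so the caller rejects it) rather than letting
  # an undecodable segment through.
  defp decode(segment) do
    URI.decode(segment)
  rescue
    ArgumentError -> <<0>>
  end
end

# In an endpoint or router, place it ahead of Plug.Static (assumed paths):
#
#   plug MyApp.Plugs.RejectNulBytes
#   plug Plug.Static, at: "/uploads", from: "priv/uploads"
#
# Quick manual check in iex once the module above is compiled:
#
#   iex> import Plug.Test
#   iex> conn = conn(:get, "/uploads/avatar.png%00.html")
#   iex> conn = MyApp.Plugs.RejectNulBytes.call(conn, [])
#   iex> {conn.status, conn.halted}
#   {400, true}
```

This is defence in depth, not a substitute for upgrading: it only protects the pipelines it is mounted in, whereas the fixed plug versions listed below reject such paths inside Plug.Static itself.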

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2022-04-12T21:20:20Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

Hex / plug (purl pkg:hex/plug), SEMVER ranges:
  • introduced 0 (introduced version unknown; all versions before the fix are affected), fixed in 1.0.4
  • introduced 1.1.0, fixed in 1.1.7
  • introduced 1.2.0, fixed in 1.2.3
  • introduced 1.3.0, fixed in 1.3.2

Read together: every plug release before 1.0.4 is affected, as are the 1.1.x, 1.2.x and 1.3.x series before 1.1.7, 1.2.3 and 1.3.2 respectively. Releases from 1.4.0 onward fall in none of the listed ranges.