GHSA-5v4m-c73v-c7gq

Source
https://github.com/advisories/GHSA-5v4m-c73v-c7gq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-5v4m-c73v-c7gq/GHSA-5v4m-c73v-c7gq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5v4m-c73v-c7gq
Aliases
Published
2022-04-12T21:23:43Z
Modified
2023-11-08T03:58:42.208516Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Arbitrary Code Execution in Cookie Serialization
Details

The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, that the session cookie is signed, so this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend that users change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2022-04-12T21:23:43Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Hex / plug

Package
Name: plug
Purl: pkg:hex/plug

Affected ranges (type: SEMVER)

Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1.0.4

Introduced: 1.1.0
Fixed: 1.1.7

Introduced: 1.2.0
Fixed: 1.2.3

Introduced: 1.3.0
Fixed: 1.3.2