GHSA-9h73-w7ch-rh73

Suggest an improvement
Source
https://github.com/advisories/GHSA-9h73-w7ch-rh73
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-9h73-w7ch-rh73/GHSA-9h73-w7ch-rh73.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9h73-w7ch-rh73
Aliases
Published
2022-04-12T21:26:27Z
Modified
2025-12-10T00:42:04.775893Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Header Injection
Details

Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. This attack appear to be exploitable via Crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in >= 1.3.5 or ~> 1.2.5 or ~> 1.1.9 or ~> 1.0.6.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-12T21:26:27Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": null
}
References

Affected packages

Hex / plug

Package

Name
plug
Purl
pkg:hex/plug

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.6

Affected versions

0.*

0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.14.0

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5

Hex / plug

Package

Name
plug
Purl
pkg:hex/plug

Affected ranges

Type
SEMVER
Events
Introduced
1.1.0
Fixed
1.1.9

Affected versions

1.*

1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8

Hex / plug

Package

Name
plug
Purl
pkg:hex/plug

Affected ranges

Type
SEMVER
Events
Introduced
1.2.0
Fixed
1.2.5

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.2.3
1.2.4

Hex / plug

Package

Name
plug
Purl
pkg:hex/plug

Affected ranges

Type
SEMVER
Events
Introduced
1.3.0
Fixed
1.3.5

Affected versions

1.*

1.3.0
1.3.1
1.3.2
1.3.3
1.3.4