GHSA-w98m-2xqg-9cvj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w98m-2xqg-9cvj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-w98m-2xqg-9cvj/GHSA-w98m-2xqg-9cvj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w98m-2xqg-9cvj
- Aliases
- Published
- 2022-04-12T19:36:39Z
- Modified
- 2023-11-08T04:02:31.311362Z
- Summary
- Remote Code Execution in paginator
- Details
-
There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the
paginate()function.Impact
There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the
paginate()function. This will potentially affect all current users ofPaginatorprior to version >= 1.0.0.Patches
The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version >=1.5.
Credits
Thank you to Peter Stöckli.
- Database specific
{ "nvd_published_at": "2020-09-01T17:15:00Z", "cwe_ids": [], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-04-12T19:36:39Z" }- References
-
- https://github.com/duffelhq/paginator/security/advisories/GHSA-w98m-2xqg-9cvj
- https://nvd.nist.gov/vuln/detail/CVE-2020-15150
- https://github.com/duffelhq/paginator/commit/bf45e92602e517c75aea0465efc35cd661d9ebf8
- https://github.com/duffelhq/paginator
- https://github.com/duffelhq/paginator/blob/ccf0f37fa96347cc8c8a7e9eb2c64462cec4b2dc/README.md#security-considerations
- https://hex.pm/packages/paginator
Affected packages
Hex / paginator
Package
- Name
- paginator
- Purl
- pkg:hex/paginator