Podatność Uncontrolled Resource Consumption oraz Deserialization of Untrusted Data w modułach hex_api bibliotek hexpm hex_core, hexpm hex i erlang rebar3 pozwala na Object Injection oraz Excessive Allocation. Podatność dotyczy plików src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl oraz funkcji hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. Problem obejmuje hex_core: od 0.1.0 do 0.12.1 (nie włącznie); hex: od 2.3.0 do 2.3.2 (nie włącznie); rebar3: od 3.9.1 do 3.27.0 (nie włącznie).
▸ Pokaż oryginał (EN)
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XErlang Rebar3
APPErlang3.9.1 – 3.27.0 (bez)Hex
APPHex2.3.0 – 2.3.2 (bez)Hex Core
APPHex0.1.0 – 0.12.1 (bez)
Powiązane podatności
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency ...
Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows ...
Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry ...
Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package regi...
Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry veri...