PT-2017-10763 · Elixir · Elixir Plug
Publicado
2017-07-13
·
Atualizado
2022-04-12
·
CVE-2017-1000053
CVSS v3.1
8.1
Alta
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Elixir Plug versions prior to 1.0.4
Elixir Plug versions prior to 1.1.7
Elixir Plug versions prior to 1.2.3
Elixir Plug versions prior to 1.3.2
Description
The issue concerns arbitrary code execution in the deserialization functions of Plug.Session. The default serialization used by Plug session may result in code execution in certain situations. However, this can only be exploited if the attacker has access to the secret key as well as the signing/encryption salts.
Recommendations
For versions prior to 1.0.4, update to version 1.0.4 or later.
For versions prior to 1.1.7, update to version 1.1.7 or later.
For versions prior to 1.2.3, update to version 1.2.3 or later.
For versions prior to 1.3.2, update to version 1.3.2 or later.
As a general precaution, consider changing the secret key base and salts if they are suspected to have been leaked.
Correção
Deserialization of Untrusted Data
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Elixir Plug