PT-2017-10763 · Elixir · Elixir Plug

Published

2017-07-13

Updated

2022-04-12

CVE-2017-1000053

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Elixir Plug versions prior to 1.0.4 Elixir Plug versions prior to 1.1.7 Elixir Plug versions prior to 1.2.3 Elixir Plug versions prior to 1.3.2

Description The issue concerns arbitrary code execution in the deserialization functions of Plug.Session. The default serialization used by Plug session may result in code execution in certain situations. However, this can only be exploited if the attacker has access to the secret key as well as the signing/encryption salts.

Recommendations For versions prior to 1.0.4, update to version 1.0.4 or later. For versions prior to 1.1.7, update to version 1.1.7 or later. For versions prior to 1.2.3, update to version 1.2.3 or later. For versions prior to 1.3.2, update to version 1.3.2 or later. As a general precaution, consider changing the secret key base and salts if they are suspected to have been leaked.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2017-1000053

GHSA-5V4M-C73V-C7GQ

Affected Products

Elixir Plug

PT-2017-10763 · Elixir · Elixir Plug

CVE-2017-1000053

Weakness Enumeration

Related Identifiers

Affected Products

References · 5