PT-2018-9599 · Elixir · Plug

Published

2018-12-20

Updated

2022-04-12

CVE-2018-1000883

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Elixir Plug Plug versions prior to 1.0.6 Elixir Plug Plug versions prior to 1.1.9 Elixir Plug Plug versions prior to 1.2.5 Elixir Plug Plug versions prior to 1.3.5

Description: The issue is related to a Header Injection vulnerability in the Connection component. This can be exploited by crafting a specific value to be sent as a cookie, allowing headers to be added. The vulnerability appears to be exploitable via sending a crafted cookie value.

Recommendations: For versions prior to 1.0.6, update to version 1.0.6 or later. For versions prior to 1.1.9, update to version 1.1.9 or later. For versions prior to 1.2.5, update to version 1.2.5 or later. For versions prior to 1.3.5, update to version 1.3.5 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1000883

GHSA-9H73-W7CH-RH73

Affected Products

Plug

PT-2018-9599 · Elixir · Plug

CVE-2018-1000883

Weakness Enumeration

Related Identifiers

Affected Products

References · 6