PT-2019-11265 · Hex · Hex Core

Published: 2019-02-04 · Updated: 2022-05-13 · CVE-2019-1000013

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hex Core versions 0.3.0 and earlier
Description: The issue is a signing oracle vulnerability in package registry verification that can cause package modifications to go undetected. This allows code execution when a victim fetches packages from a malicious or compromised mirror.
Recommendations: For Hex Core versions 0.3.0 and earlier, update to version 0.4.0 to resolve the issue.

Fix

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2019-1000013
GHSA-Q3CC-RR2C-87R6

Affected Products

Hex Core