Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:hex/pow_assent@0.2.4
Typehex
Namespace
Namepow_assent
Version0.2.4
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.4.4
Latest_non_vulnerable_version0.4.4
Affected_by_vulnerabilities
0
url VCID-x4x4-mzaz-xkg3
vulnerability_id VCID-x4x4-mzaz-xkg3
summary 
### Impact

The use of `String.to_atom/1` in PowAssent is susceptible to denial of
service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is
fetched from the user provided params, and `String.to_atom/1` is used to
convert the binary value to an atom so it can be used to fetch the provider
configuration value. This is unsafe as it's user provided data, and can be
used to fill up the whole atom table of ~1M which will cause the app to
crash.

### Workarounds

A plug can be used to validate `conn.params["provider"]` before it reaches
the `PowAssent.Phoenix.AuthorizationController`.

### References

http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1
references
0
reference_url http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16764
reference_id
reference_type
scores
0
value 0.00441
scoring_system epss
scoring_elements 0.6366
published_at 2026-06-11T12:55:00Z
1
value 0.00441
scoring_system epss
scoring_elements 0.63761
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16764
2
reference_url https://github.com/pow-auth/pow_assent
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pow-auth/pow_assent
3
reference_url https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf
4
reference_url https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986
5
reference_url https://hex.pm/packages/pow_assent
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hex.pm/packages/pow_assent
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16764
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16764
fixed_packages
0
url pkg:hex/pow_assent@0.4.4
purl pkg:hex/pow_assent@0.4.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.4
aliases CVE-2019-16764, GHSA-5653-437f-5hmc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x4x4-mzaz-xkg3
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.4