VulnerableCode Package Details - pkg:hex/plug@0.13.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2472-zjtv-afd6 Aliases: CVE-2017-1000052 GHSA-2q6v-32mr-8p8x	Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static to upgrade immediately or include the fix below. If uploaded files are rather stored and served from S3 or any other cloud storage, you are not affected.	1.0.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.1.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.2.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.3.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-9pgh-kne9-vyf6 Aliases: CVE-2018-1000883 GHSA-9h73-w7ch-rh73	Cookie headers were not validated	1.0.6 Affected by 0 other vulnerabilities. 1.1.9 Affected by 0 other vulnerabilities. 1.2.5 Affected by 0 other vulnerabilities. 1.3.5 Affected by 0 other vulnerabilities.
VCID-t4rs-7hwa-9bdg Aliases: CVE-2017-1000053 GHSA-5v4m-c73v-c7gq	The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, the session cookie is signed and this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend users to change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.	1.0.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.1.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.2.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 1.3.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2472-zjtv-afd6
Aliases:
CVE-2017-1000052
GHSA-2q6v-32mr-8p8x

Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static to upgrade immediately or include the fix below. If uploaded files are rather stored and served from S3 or any other cloud storage, you are not affected.

1.0.4
Affected by 1 other vulnerability.

1.1.7
Affected by 1 other vulnerability.

1.2.3
Affected by 1 other vulnerability.

1.3.2
Affected by 1 other vulnerability.

VCID-9pgh-kne9-vyf6
Aliases:
CVE-2018-1000883
GHSA-9h73-w7ch-rh73

Cookie headers were not validated

1.0.6
Affected by 0 other vulnerabilities.

1.1.9
Affected by 0 other vulnerabilities.

1.2.5
Affected by 0 other vulnerabilities.

1.3.5
Affected by 0 other vulnerabilities.

VCID-t4rs-7hwa-9bdg
Aliases:
CVE-2017-1000053
GHSA-5v4m-c73v-c7gq

The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, the session cookie is signed and this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend users to change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.