Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:hex/plug@1.2.0-rc.0
Typehex
Namespace
Nameplug
Version1.2.0-rc.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.2.5
Latest_non_vulnerable_version1.19.2
Affected_by_vulnerabilities
0
url VCID-2472-zjtv-afd6
vulnerability_id VCID-2472-zjtv-afd6
summary 
Plug.Static is used for serving static assets, and is vulnerable to null
byte injection. If file upload functionality is provided, this can allow
users to bypass filetype restrictions.

We recommend all applications that provide file upload functionality and
serve those uploaded files locally with Plug.Static to upgrade immediately
or include the fix below. If uploaded files are rather stored and served
from S3 or any other cloud storage, you are not affected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-1000052
reference_id
reference_type
scores
0
value 0.00246
scoring_system epss
scoring_elements 0.4813
published_at 2026-06-11T12:55:00Z
1
value 0.00246
scoring_system epss
scoring_elements 0.48267
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-1000052
1
reference_url https://elixirforum.com/t/security-releases-for-plug/3913
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://elixirforum.com/t/security-releases-for-plug/3913
2
reference_url https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
reference_id
reference_type
scores
url https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
3
reference_url https://github.com/elixir-plug/plug
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/elixir-plug/plug
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-1000052
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-1000052
fixed_packages
0
url pkg:hex/plug@1.2.3
purl pkg:hex/plug@1.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9pgh-kne9-vyf6
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.3
1
url pkg:hex/plug@1.3.2
purl pkg:hex/plug@1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9pgh-kne9-vyf6
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.2
aliases CVE-2017-1000052, GHSA-2q6v-32mr-8p8x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2472-zjtv-afd6
1
url VCID-9pgh-kne9-vyf6
vulnerability_id VCID-9pgh-kne9-vyf6
summary Cookie headers were not validated
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-1000883
reference_id
reference_type
scores
0
value 0.0025
scoring_system epss
scoring_elements 0.48524
published_at 2026-06-11T12:55:00Z
1
value 0.0025
scoring_system epss
scoring_elements 0.48661
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-1000883
1
reference_url https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-04-17.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-04-17.yml
2
reference_url https://github.com/elixir-plug/plug
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/elixir-plug/plug
3
reference_url https://github.com/elixir-plug/plug/commit/8857f8ab4acf9b9c22e80480dae2636692f5f573
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/elixir-plug/plug/commit/8857f8ab4acf9b9c22e80480dae2636692f5f573
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-1000883
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-1000883
fixed_packages
0
url pkg:hex/plug@1.2.5
purl pkg:hex/plug@1.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.5
1
url pkg:hex/plug@1.3.5
purl pkg:hex/plug@1.3.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.5
aliases CVE-2018-1000883, GHSA-9h73-w7ch-rh73
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9pgh-kne9-vyf6
2
url VCID-t4rs-7hwa-9bdg
vulnerability_id VCID-t4rs-7hwa-9bdg
summary 
The default serialization used by Plug session may result in code execution
in certain situations. Keep in mind, however, the session cookie is signed
and this attack can only be exploited if the attacker has access to your
secret key as well as your signing/encryption salts. We recommend users to
change their secret key base and salts if they suspect they have been leaked,
regardless of this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-1000053
reference_id
reference_type
scores
0
value 0.01075
scoring_system epss
scoring_elements 0.78203
published_at 2026-06-11T12:55:00Z
1
value 0.01075
scoring_system epss
scoring_elements 0.7827
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-1000053
1
reference_url https://elixirforum.com/t/security-releases-for-plug/3913
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://elixirforum.com/t/security-releases-for-plug/3913
2
reference_url https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
reference_id
reference_type
scores
url https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
3
reference_url https://github.com/elixir-plug/plug
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/elixir-plug/plug
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-1000053
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-1000053
fixed_packages
0
url pkg:hex/plug@1.2.3
purl pkg:hex/plug@1.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9pgh-kne9-vyf6
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.3
1
url pkg:hex/plug@1.3.2
purl pkg:hex/plug@1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9pgh-kne9-vyf6
resource_url http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.2
aliases CVE-2017-1000053, GHSA-5v4m-c73v-c7gq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t4rs-7hwa-9bdg
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.0-rc.0