{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8?format=json","vulnerability_id":"VCID-x4x4-mzaz-xkg3","summary":"### Impact\n\nThe use of `String.to_atom/1` in PowAssent is susceptible to denial of\nservice attacks. In `PowAssent.Phoenix.AuthorizationController` a value is\nfetched from the user provided params, and `String.to_atom/1` is used to\nconvert the binary value to an atom so it can be used to fetch the provider\nconfiguration value. This is unsafe as it's user provided data, and can be\nused to fill up the whole atom table of ~1M which will cause the app to\ncrash.\n\n### Workarounds\n\nA plug can be used to validate `conn.params[\"provider\"]` before it reaches\nthe `PowAssent.Phoenix.AuthorizationController`.\n\n### References\n\nhttp://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1","aliases":[{"alias":"CVE-2019-16764"},{"alias":"GHSA-5653-437f-5hmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/170?format=json","purl":"pkg:hex/pow_assent@0.4.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.4"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/141?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha"},{"url":"http://public2.vulnerablecode.io/api/packages/142?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/143?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.2"},{"url":"http://public2.vulnerablecode.io/api/packages/144?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.3"},{"url":"http://public2.vulnerablecode.io/api/packages/145?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.4"},{"url":"http://public2.vulnerablecode.io/api/packages/146?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.5"},{"url":"http://public2.vulnerablecode.io/api/packages/147?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.6"},{"url":"http://public2.vulnerablecode.io/api/packages/148?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.7"},{"url":"http://public2.vulnerablecode.io/api/packages/149?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.8"},{"url":"http://public2.vulnerablecode.io/api/packages/150?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.9"},{"url":"http://public2.vulnerablecode.io/api/packages/151?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.10"},{"url":"http://public2.vulnerablecode.io/api/packages/152?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.11"},{"url":"http://public2.vulnerablecode.io/api/packages/153?format=json","purl":"pkg:hex/pow_assent@0.1.0-alpha.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-alpha.12"},{"url":"http://public2.vulnerablecode.io/api/packages/154?format=json","purl":"pkg:hex/pow_assent@0.1.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/155?format=json","purl":"pkg:hex/pow_assent@0.1.0-rc.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-rc.1"},{"url":"http://public2.vulnerablecode.io/api/packages/156?format=json","purl":"pkg:hex/pow_assent@0.1.0-rc.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0-rc.2"},{"url":"http://public2.vulnerablecode.io/api/packages/157?format=json","purl":"pkg:hex/pow_assent@0.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/158?format=json","purl":"pkg:hex/pow_assent@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/159?format=json","purl":"pkg:hex/pow_assent@0.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/160?format=json","purl":"pkg:hex/pow_assent@0.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/161?format=json","purl":"pkg:hex/pow_assent@0.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/162?format=json","purl":"pkg:hex/pow_assent@0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/163?format=json","purl":"pkg:hex/pow_assent@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/164?format=json","purl":"pkg:hex/pow_assent@0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/165?format=json","purl":"pkg:hex/pow_assent@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/166?format=json","purl":"pkg:hex/pow_assent@0.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/167?format=json","purl":"pkg:hex/pow_assent@0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/168?format=json","purl":"pkg:hex/pow_assent@0.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/169?format=json","purl":"pkg:hex/pow_assent@0.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4x4-mzaz-xkg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.3"}],"references":[{"reference_url":"http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16764","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6366","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16764"},{"reference_url":"https://github.com/pow-auth/pow_assent","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pow-auth/pow_assent"},{"reference_url":"https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf"},{"reference_url":"https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986"},{"reference_url":"https://hex.pm/packages/pow_assent","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hex.pm/packages/pow_assent"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16764","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16764"}],"weaknesses":[{"cwe_id":400,"name":"Uncontrolled Resource Consumption","description":"The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"0.0","risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x4x4-mzaz-xkg3"}