CVE-2017-1000052 plug

Package

Manager: erlang
Name: plug
Vulnerable Version: >=0 <1.0.4 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.3 || >=1.3.0 <1.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00246 (percentile 0.47765)

Details

Null Byte Injection in Plug.Static

Plug.Static is used for serving static assets and is vulnerable to null byte injection. If the application also provides file upload functionality, this can allow users to bypass file type restrictions. We recommend that all applications which provide file upload functionality and serve those uploaded files locally with Plug.Static upgrade immediately or include the fix below. If uploaded files are instead stored in and served from S3 or any other cloud storage, you are not affected.

Metadata

Created: 2022-04-12T21:20:20Z
Modified: 2022-04-12T21:20:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2q6v-32mr-8p8x/GHSA-2q6v-32mr-8p8x.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-2q6v-32mr-8p8x
Finding: F184
Auto approve: 1