CVE-2017-1000053 – plug

Package

Manager: erlang
Name: plug
Vulnerable Version: >=0 <1.0.4 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.3 || >=1.3.0 <1.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01151 pctl0.77694

Details

Arbitrary Code Execution in Cookie Serialization The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, the session cookie is signed and this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend users to change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.

Metadata

Created: 2022-04-12T21:23:43Z
Modified: 2022-04-12T21:23:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-5v4m-c73v-c7gq/GHSA-5v4m-c73v-c7gq.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-5v4m-c73v-c7gq
Finding: F096
Auto approve: 1