HIGH 7.8

GHSA-2q6v-32mr-8p8x

Null Byte Injection in Plug.Static

Details

Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static to upgrade immediately or include the fix below. If uploaded files are rather stored and served from S3 or any other cloud storage, you are not affected.

Are you affected?

Enter the version of the package you're using.

Affected packages

Hex / plug

Introduced in: 0 Fixed in: 1.0.4

Fix mix deps.update plug

Hex / plug

Introduced in: 1.1.0 Fixed in: 1.1.7

Fix mix deps.update plug

Hex / plug

Introduced in: 1.2.0 Fixed in: 1.2.3

Fix mix deps.update plug

Hex / plug

Introduced in: 1.3.0 Fixed in: 1.3.2

Fix mix deps.update plug

References

https://nvd.nist.gov/vuln/detail/CVE-2017-1000052 [ADVISORY]
https://elixirforum.com/t/security-releases-for-plug/3913 [WEB]
https://github.com/elixir-plug/plug [PACKAGE]