HIGH 8.1

GHSA-5v4m-c73v-c7gq

Arbitrary Code Execution in Cookie Serialization

Details

The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, the session cookie is signed and this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend users to change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.

Are you affected?

Enter the version of the package you're using.

Affected packages

Hex / plug

Introduced in: 0 Fixed in: 1.0.4

Fix mix deps.update plug

Hex / plug

Introduced in: 1.1.0 Fixed in: 1.1.7

Fix mix deps.update plug

Hex / plug

Introduced in: 1.2.0 Fixed in: 1.2.3

Fix mix deps.update plug

Hex / plug

Introduced in: 1.3.0 Fixed in: 1.3.2

Fix mix deps.update plug

References

https://nvd.nist.gov/vuln/detail/CVE-2017-1000053 [ADVISORY]
https://elixirforum.com/t/security-releases-for-plug/3913 [WEB]
https://github.com/elixir-plug/plug [PACKAGE]