HIGH 7.8

GHSA-2q6v-32mr-8p8x

Null Byte Injection in Plug.Static

Details

Plug.Static is used for serving static assets and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass file type restrictions. We recommend that all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static upgrade immediately or include the fix below. If uploaded files are instead stored in and served from S3 or any other cloud storage, you are not affected.
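
As an added illustration of the null byte check described above (not code from the advisory or from the Plug project, and not the referenced fix), the following plug refuses requests whose path contains a null byte before they reach Plug.Static. The module name `RejectNullBytePaths` and the paths in the mounting comment are assumptions.

```elixir
defmodule RejectNullBytePaths do
  @moduledoc """
  Added example; the module name is hypothetical and this is not Plug's patch.
  Answers 400 to any request whose path contains a null byte, raw or
  percent-encoded, so the request never reaches Plug.Static.

  In the endpoint or router, before the static plug (paths are placeholders):

      plug RejectNullBytePaths
      plug Plug.Static, at: "/uploads", from: "priv/uploads"
  """
  @behaviour Plug
  import Plug.Conn, only: [send_resp: 3, halt: 1]

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{path_info: segments} = conn, _opts) do
    if Enum.any?(segments, &null_byte?/1) do
      conn |> send_resp(400, "Bad Request") |> halt()
    else
      conn
    end
  end

  @doc "True when a segment holds a null byte before or after percent-decoding."
  def null_byte?(segment) when is_binary(segment) do
    String.contains?(segment, <<0>>) or String.contains?(decode(segment), <<0>>)
  end

  # URI.decode/1 raises ArgumentError on malformed escapes in some Elixir
  # versions; treat such a segment as undecodable and check only its raw form.
  defp decode(segment) do
    URI.decode(segment)
  rescue
    ArgumentError -> segment
  end
end
```

`null_byte?/1` can also be applied to the client-supplied filename at upload time, before the extension check runs.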

Affected packages

Hex / plug
First affected version: 0; fixed version: 1.0.4
Fix: mix deps.update plug

Hex / plug
First affected version: 1.1.0; fixed version: 1.1.7
Fix: mix deps.update plug

Hex / plug
First affected version: 1.2.0; fixed version: 1.2.3
Fix: mix deps.update plug

Hex / plug
First affected version: 1.3.0; fixed version: 1.3.2
Fix: mix deps.update plug

References