Improper Input Validation in plug

Do your applications use this vulnerable package? Test your applications

Overview

plug is a specification and conveniences for composable modules between web applications.

Affected versions of this package are vulnerable to Improper Input Validation. Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions and upload arbitrary code.

Remediation

Upgrade plug to version 1.3.2, 1.2.3, 1.1.7, 1.0.4 or higher.

References

Elixir Forum
GitHub Commit

Attack Vector

Network
Attack Complexity

Low
Privileges Required

Low
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

Credit: Griffin Byatt, Chip Durland, Raviv Cohen, Matthew Diaz
CVE: CVE-2017-1000052
CWE: CWE-20 CWE-74
Snyk ID: SNYK-HEX-PLUG-1088063
Disclosed: 28 Feb, 2017
Published: 30 Mar, 2021

Improper Input Validation
Affecting plug package, versions >=1.3.0 <1.3.2 || >=1.2.0-rc.0 <1.2.3 || >=1.1.0 <1.1.7 || <1.0.4

Overview

Remediation

References

CVSS Score

Improper Input Validation Affecting plug package, versions >=1.3.0 <1.3.2 || >=1.2.0-rc.0 <1.2.3 || >=1.1.0 <1.1.7 || <1.0.4

Overview

Remediation

References

Improper Input Validation
Affecting plug package, versions >=1.3.0 <1.3.2 || >=1.2.0-rc.0 <1.2.3 || >=1.1.0 <1.1.7 || <1.0.4