Description
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Problem types
CWE-400 Uncontrolled Resource Consumption
CWE-502 Deserialization of Untrusted Data
Product status
eb327f8edfe45507351e38cc0805aa12fa647f0b (git) before cdf726095bca85ad2549d146df1e831ae93c2b13
0.1.0 (semver) before 0.12.1
pkg:hex/hex_core@0.1.0 (purl) before pkg:hex/hex_core@0.12.1
314546ac432229518714cc8e3336e916b9da6305 (git) before 636739f3322514e9303ca335fb630696fcbb3c95
2.3.0 (semver) before 2.3.2
pkg:otp/hex@2.3.0 (purl) before pkg:otp/hex@2.3.2
209c02ec57c2cc3207ee0174c3af3675b8dc8f79 (git) before 1d4478f527e373de0b225951e53115450e0d9b9d
3.9.1 (semver) before 3.27.0
pkg:otp/rebar3@3.9.1 (purl) before pkg:otp/rebar3@3.27.0
Credits
Michael Lubas / Paraxial.ia
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm
References
github.com/...x_core/security/advisories/GHSA-hx9w-f2w9-9g96
github.com/...ommit/cdf726095bca85ad2549d146df1e831ae93c2b13
github.com/...ommit/636739f3322514e9303ca335fb630696fcbb3c95
github.com/...ommit/1d4478f527e373de0b225951e53115450e0d9b9d