Signing Oracle Vulnerability in Hex Package Manager Affects Hex.pm Software
CVE-2019-1000012

8.8HIGH

Key Information:

Vendor

Hex

Status
Hex
Vendor
CVE Published:
4 February 2019

What is CVE-2019-1000012?

The Hex Package Manager, versions 0.14.0 through 0.18.2, is susceptible to a signing oracle vulnerability that compromises package registry verification. This flaw enables potential code execution as modifications to packages may go undetected. Attackers can exploit this vulnerability by tricking victims into fetching packages from malicious or compromised mirrors. The issue has been addressed in version 0.19, ensuring improved security and integrity in package management.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/hexpm/hex/pull/651
x_refsource_MISC
https://github.com/hexpm/hex/pull/646
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.