Package Registry Verification Vulnerability in Hex Package Manager
CVE-2019-1000013
8.8 HIGH
Summary
hex_core, the core library of the Hex Package Manager, is vulnerable in version 0.3.0 and earlier to a signing oracle issue in its package registry verification process. The vulnerability allows undetected modifications to packages, which could lead to the execution of malicious code. Attackers can exploit it by tricking users into fetching compromised packages from malicious mirrors. The issue is resolved in version 0.4.0.
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved