Erlang/OTP Rebar3 Package Registry Vulnerability
CVE-2019-1000014

8.8HIGH

Key Information:

Vendor: Erlang
Status: Rebar3
Vendor: CVE Published:; 4 February 2019

What is CVE-2019-1000014?

The Erlang/OTP Rebar3 versions 3.7.0 through 3.7.5 are affected by a Signing oracle vulnerability in the package registry verification process. This flaw can allow unauthorized modifications to packages, leading to potential code execution risks if vulnerable packages are fetched from untrusted or compromised sources. It is crucial for users to upgrade to version 3.8.0 or later, where this issue has been resolved.

References

https://github.com/erlang/rebar3/pull/1986

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2019
Vulnerability Reserved
Jan 15, 2019