Design/Logic Flaw

2019-02-0421:29:00

PRIOn knowledge base

www.prio-n.com

8.8 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.5%

JSON

Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.19.

CPENameOperatorVersion
hexge0.14.0
hexle0.18.2

CPE	Name	Operator	Version
	hex	ge	0.14.0
	hex	le	0.18.2

References

github.com/hexpm/hex/pull/646

github.com/hexpm/hex/pull/651