CVE-2019-1000014

Rebar3, the Erlang/OTP build tool, in versions 3.7.0 through 3.7.5 contains a signing-oracle flaw in its package registry verification: modifications to a package can go undetected, allowing code execution. The attack appears to be exploitable when the victim fetches packages from a malicious or compromised mirror. The flaw appears to have been fixed in 3.8.0. Because the defect sits in the verification step that is supposed to catch a tampered package, restricting builds to a trusted mirror only narrows exposure; upgrading to 3.8.0 or later is the fix.
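A quick check for the affected range, written for this page as an added example (it is not code from the advisory or from the rebar3 project). It parses the version reported by `rebar3 --version`, whose output format is assumed to be "rebar 3.7.5 on Erlang/OTP ..." (that format is an assumption, not something the advisory states), and reports whether the installed version lies within 3.7.0 ≤ x ≤ 3.7.5.

```shell
#!/bin/sh
# Added example, not from the advisory: flag a rebar3 install that is inside
# the affected range 3.7.0 <= x <= 3.7.5 for CVE-2019-1000014.

# Turn "MAJOR.MINOR.PATCH" into one integer so ranges compare with plain
# shell arithmetic. Any suffix after the numeric part (e.g. "-rc1") is dropped.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Exit status 0 (true) when the version is in the vulnerable range.
rebar3_affected() {
    key=$(version_key "$1")
    lo=$(version_key 3.7.0)
    hi=$(version_key 3.7.5)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Second whitespace-separated field of `rebar3 --version`, assumed to look like
# "rebar 3.7.5 on Erlang/OTP 21 Erts 10.3" (assumption, not stated on the page).
installed_rebar3_version() {
    rebar3 --version 2>/dev/null | awk '{print $2; exit}'
}

# Live check against the rebar3 on PATH: 0 = not affected, 1 = affected,
# 2 = rebar3 not found.
check_installed() {
    ver=$(installed_rebar3_version)
    if [ -z "$ver" ]; then
        echo "rebar3 not found on PATH" >&2
        return 2
    fi
    if rebar3_affected "$ver"; then
        echo "rebar3 $ver is in the affected range 3.7.0-3.7.5: upgrade to 3.8.0 or later"
        return 1
    fi
    echo "rebar3 $ver is outside the affected range"
    return 0
}

# Run the live check only when invoked as `sh check_rebar3.sh --check`, so the
# functions can also be sourced and called individually.
if [ "$#" -gt 0 ] && [ "$1" = "--check" ]; then
    check_installed
fi
```

Run it with `sh check_rebar3.sh --check` on a build host; a non-zero exit status marks an affected or missing rebar3, which makes the script usable as a CI gate. The integer key keeps the comparison strictly numeric, so 3.10.0 sorts after 3.8.0 rather than before it as a string comparison would.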
CVSS 3.x base score

Provider  Type  Base score  Attack vector  Attack complexity  Privileges required  Vector string
NIST      NIST  8.8 HIGH    NETWORK        LOW                NONE                 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre     CNA   ---         ---            ---                ---                  ---
CVE       ADP   ---         ---            ---                ---                  ---

The NIST vector's UI:R (user interaction required) matches the attack path above: the victim has to fetch packages from the malicious or compromised mirror.

EPSS score: percentile 66%
Vulnerable software versions

Vendor  Product  Version
erlang  rebar3   3.7.0 ≤ x ≤ 3.7.5

x = vulnerable software versions
Debian releases

Debian package  Codename  Version   Status
rebar           bookworm  2.6.4-3   fixed
rebar           bullseye  2.6.4-3   fixed
rebar           sid       2.6.4-4   fixed
rebar           trixie    2.6.4-4   fixed
rebar3          sid       3.19.0-1  fixed
rebar3          trixie    3.19.0-1  fixed
rebar3          bookworm  3.19.0-1  fixed

Debian's rebar package is the legacy 2.x tool, not rebar3; the rebar3 packages listed carry 3.19.0-1, well past the 3.8.0 release that fixed this issue.