CVE-2019-16764

EPSS 0.44%
Veröffentlicht 25.11.2019 17:15:11
Zuletzt bearbeitet 21.11.2024 04:31:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. This is unsafe as it is user provided data, and can be used to fill up the whole atom table of ~1M which will cause the app to crash.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Powauth ≫ Powassent Version < 0.4.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.625

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1

Product

https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cf

Patch

https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986

Third Party Advisory

https://hex.pm/packages/pow_assent

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2019-16764

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16764

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16764

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-16764