Homepage
About Snyk

Origin Validation Error Affecting phoenix package, versions <1.6.14

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.07% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-HEX-PHOENIX-6592760
  • published 9 Apr 2024
  • disclosed 17 Oct 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 17 Oct 2022

CVE-2022-42975 Open this link in a new tab
CWE-346 Open this link in a new tab

How to fix?

Upgrade phoenix to version 1.6.14 or higher.

Overview

phoenix is a Phoenix is a web development framework written in Elixir which implements the server-side Model View Controller (MVC) pattern. Many of its components and concepts will seem familiar to those of us with experience in other web frameworks like Ruby on Rails or Python's Django.

Phoenix provides the best of both worlds - high developer productivity and high application performance. It also has some interesting new twists like channels for implementing realtime features and pre-compiled templates for blazing speed.

Affected versions of this package are vulnerable to Origin Validation Error due to socket/transport.ex mishandling check_origin wildcarding.

Note:

LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.4 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

7.5 high