High severity · OSV Advisory · Published Feb 4, 2019 · Updated Aug 5, 2024
CVE-2019-1000013
Description
Hex package manager hex_core version 0.3.0 and earlier contains a signing oracle vulnerability in package registry verification that can result in package modifications going undetected, allowing code execution. The attack appears to be exploitable when a victim fetches packages from a malicious or compromised mirror. The vulnerability appears to have been fixed in 0.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hex_core (Hex) | < 0.4.0 | 0.4.0 |
References
- github.com/advisories/GHSA-q3cc-rr2c-87r6 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1000013 (ADVISORY)
- github.com/hexpm/hex_core/pull/48 (WEB)
- github.com/hexpm/hex_core/pull/51 (WEB)