Upstream information

CVE-2019-1000014 at MITRE

Description

Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a signing oracle vulnerability in package registry verification that can result in package modifications not being detected, allowing code execution. This attack appears to be exploitable when the victim fetches packages from a malicious or compromised mirror. This vulnerability appears to have been fixed in 3.8.0.

SUSE information

CVSS v3 Scores
Metric                  National Vulnerability Database        SUSE
Base Score              8.8                                    7.5
Vector                  AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H    AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Access Vector           Network                                Network
Access Complexity       Low                                    High
Privileges Required     None                                   Low
User Interaction        Required                               None
Scope                   Unchanged                              Unchanged
Confidentiality Impact  High                                   High
Integrity Impact        High                                   High
Availability Impact     High                                   High
SUSE Bugzilla entry: 1124316 [RESOLVED / INVALID]

No SUSE Security Announcements cross referenced.