Описание
Null Byte Injection in Plug.Static
Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static to upgrade immediately or include the fix below. If uploaded files are rather stored and served from S3 or any other cloud storage, you are not affected.
Пакеты
plug
< 1.0.4
1.0.4
plug
>= 1.1.0, < 1.1.7
1.1.7
plug
>= 1.2.0, < 1.2.3
1.2.3
plug
>= 1.3.0, < 1.3.2
1.3.2
Связанные уязвимости
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component, which may allow users to bypass filetype restrictions.