Elixir Advisory Database
The Elixir Advisory Database is a repository of security advisories filed against published Elixir packages.
There is also an experimental web API for the database.
The database is a list of directories that match the names of Elixir libraries on [hex.pm](https://hex.pm). Within each directory are one or more advisory files for the Elixir library.
```
packages/
  plug/
    2017-02-28.yml
    2017-02-28_2.yml
```
Each advisory file contains the advisory information in YAML format:
```yaml
---
id: 8268e120-60b4-4efb-b9ca-4e3faca0cca6
package: plug
disclosure_date: 2017-02-28
cve: 2017-1000052
link: https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
title: |
  Null Byte Injection in Plug.Static
description: |
  Plug.Static is used for serving static assets, and is vulnerable to null byte
  injection. If file upload functionality is provided, this can allow users to
  bypass filetype restrictions. We recommend all applications that provide file
  upload functionality and serve those uploaded files locally with Plug.Static
  to upgrade immediately or include the fix below. If uploaded files are rather
  stored and served from S3 or any other cloud storage, you are not affected.
patched_versions:
  - ~> 1.3.2
  - ~> 1.2.3
  - ~> 1.1.7
  - ~> 1.0.4
unaffected_versions:
  - "< 1.0.0"
```
There is linting in place to enforce the following schema for each advisory:

| Field | Type | Description |
|---|---|---|
| `id` | String | A version 4 UUID (use https://www.uuidgenerator.net/version4). |
| `package` | String | Name of the affected package. |
| `disclosure_date` | Date | Date the vulnerability was publicly disclosed (here or elsewhere). |
| `cve` | String/Null | (Optional) CVE assigned to the vulnerability. |
| `link` | String | Link to the original disclosure / more details. |
| `title` | String | Title of the vulnerability. This should be a (very) short description. |
| `description` | String | Description of the vulnerability. |
| `patched_versions` | Array | Array of Elixir requirement strings specifying patched versions. |
| `unaffected_versions` | Array | Array of Elixir requirement strings specifying unaffected versions. |
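The following is an added example, not the repository's own linter or any tooling the project ships. It shows what a consumer of this database has to do with an advisory file: check it against the schema above, and evaluate an installed package version against the `patched_versions` and `unaffected_versions` requirement strings. It assumes the YAML has already been loaded into a dict (the `ADVISORY` dict is constructed from the plug example above, with the description shortened), implements Elixir's requirement operators (`~>`, `>=`, `<=`, `==`, `!=`, `>`, `<`, or a bare version meaning `==`) on `major.minor.patch` only, and the bare `YYYY-NNNNN` CVE format check mirrors the page's example rather than any documented rule.

```python
import re
import uuid
from datetime import date

# Added example, not the project's own linter. Assumes the advisory was already
# parsed from YAML into a dict and that versions are plain major.minor.patch.
SCHEMA = {  # field -> (accepted type(s), required)
    "id": (str, True),
    "package": (str, True),
    "disclosure_date": (date, True),
    "cve": ((str, type(None)), False),
    "link": (str, True),
    "title": (str, True),
    "description": (str, True),
    "patched_versions": (list, True),
    "unaffected_versions": (list, True),
}

# Operator is optional: Elixir treats a bare "1.3.2" as "== 1.3.2".
REQ_RE = re.compile(r"^(~>|>=|<=|==|!=|>|<)?\s*(\d+(?:\.\d+){0,2})$")
# Bare "YYYY-NNNNN" form as used in the page's example (assumption, not a documented rule).
CVE_RE = re.compile(r"^\d{4}-\d{4,}$")


def parse_version(text):
    """'1.3' -> (1, 3, 0). Pre-release and build metadata are out of scope here."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def requirement_matches(req, version):
    """Elixir-style requirement check, e.g. '~> 1.3.2' or '< 1.0.0'."""
    m = REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"malformed requirement: {req!r}")
    op, target_text = m.group(1) or "==", m.group(2)
    target, v = parse_version(target_text), parse_version(version)
    if op == "~>":
        # Pessimistic operator: ~> 1.3.2 means >= 1.3.2 and < 1.4.0;
        # ~> 1.3 means >= 1.3.0 and < 2.0.0. It needs at least major.minor.
        ncomp = target_text.count(".") + 1
        if ncomp < 2:
            raise ValueError(f"~> needs major.minor: {req!r}")
        upper = (target[0], target[1] + 1, 0) if ncomp == 3 else (target[0] + 1, 0, 0)
        return target <= v < upper
    return {">=": v >= target, "<=": v <= target, "==": v == target,
            "!=": v != target, ">": v > target, "<": v < target}[op]


def validate_advisory(adv):
    """Return a list of schema problems; an empty list means the advisory lints clean."""
    problems = []
    for field, (types, required) in SCHEMA.items():
        if field not in adv:
            if required:
                problems.append(f"missing field: {field}")
            continue
        if not isinstance(adv[field], types):
            problems.append(f"{field}: unexpected type {type(adv[field]).__name__}")
    for extra in sorted(set(adv) - set(SCHEMA)):
        problems.append(f"unknown field: {extra}")
    try:
        if uuid.UUID(str(adv.get("id", ""))).version != 4:
            problems.append("id: not a version 4 UUID")
    except ValueError:
        problems.append("id: not a UUID")
    if isinstance(adv.get("cve"), str) and not CVE_RE.match(adv["cve"]):
        problems.append(f"cve: unexpected format {adv['cve']!r}")
    if isinstance(adv.get("link"), str) and not adv["link"].startswith(("http://", "https://")):
        problems.append("link: not a URL")
    for field in ("patched_versions", "unaffected_versions"):
        reqs = adv.get(field)
        if isinstance(reqs, list):
            for req in reqs:
                if not isinstance(req, str) or not REQ_RE.match(req.strip()):
                    problems.append(f"{field}: malformed requirement {req!r}")
    return problems


def assess(adv, installed):
    """'unaffected', 'patched' or 'vulnerable' for the installed version of the package."""
    if any(requirement_matches(r, installed) for r in adv["unaffected_versions"]):
        return "unaffected"
    if any(requirement_matches(r, installed) for r in adv["patched_versions"]):
        return "patched"
    return "vulnerable"


# Constructed from the plug advisory shown above (description shortened).
ADVISORY = {
    "id": "8268e120-60b4-4efb-b9ca-4e3faca0cca6",
    "package": "plug",
    "disclosure_date": date(2017, 2, 28),
    "cve": "2017-1000052",
    "link": "https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913",
    "title": "Null Byte Injection in Plug.Static",
    "description": "Plug.Static is vulnerable to null byte injection.",
    "patched_versions": ["~> 1.3.2", "~> 1.2.3", "~> 1.1.7", "~> 1.0.4"],
    "unaffected_versions": ["< 1.0.0"],
}

if __name__ == "__main__":
    print("lint:", validate_advisory(ADVISORY) or "ok")
    for v in ("0.14.0", "1.0.3", "1.2.5", "1.3.1", "1.3.2", "1.4.0"):
        print(f"plug {v}: {assess(ADVISORY, v)}")
```

Note what the requirement strings express: `~> 1.3.2` covers only the 1.3.x branch, so a version on a branch that did not exist at disclosure time (1.4.0 in the run above) is reported as vulnerable by this check until an advisory carries a requirement that covers it. When evaluating an advisory against a lockfile, an unexpected "vulnerable" on a newer branch is a prompt to check the advisory's requirement strings, not only the installed version.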
Do you know about a vulnerability that isn't listed in this database? Open an issue or submit a PR.
All content in this repository is placed in the public domain.