CVE-2020-13802
published 2020-09-02

CVE-2020-13802: Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.

Priority: P2 · 63 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.75% (93.2nd percentile)

Affected (3 ranges)

Vendor    Product   Version range    Fixed in
debian    rebar3    (not listed)     (not listed)
erlang    rebar3    (not listed)     (not listed)
erlang    rebar3    3.1.0 – 3.13.2   (not listed)

Detection & IOCs (extracted from sources)

  • CVE-2020-13802 affects Rebar3 versions 3.0.0-beta.3 through 3.13.2; OS command injection is triggered via the URL parameter of a dependency specification in rebar.config or equivalent dependency declarations.
  • The vulnerability allows remote code execution through the Erlang rebar3 build tool; monitor for unexpected process spawning from rebar3 during dependency resolution/fetching.
  • Review the upstream fix in GitHub PR #2302 to understand the sanitization applied to URL parameters; use this to craft detection logic for unsanitized shell-metacharacter sequences in dependency URLs.
  • The injection vector is specifically the URL parameter within a dependency specification (e.g., in rebar.config); only dependency entries using a URL field are exploitable, not all rebar3 usage.
  • Scope is listed as local in the Debian security tracker, meaning exploitation requires the ability to influence the rebar3 dependency configuration (e.g., a malicious rebar.config or dependency URL).
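The detection points above amount to one check: look for shell metacharacters in the URL field of git/hg dependency entries before rebar3 ever fetches them. The script below is an added example written for this page; it is not rebar3 code and does not reproduce the sanitization from PR #2302. It is a text-level heuristic (a regex over rebar.config contents, not an Erlang term parser), the sample configuration is constructed, and the metacharacter list is an assumption chosen to over-report rather than miss a case.

```python
import re
from typing import Dict, List

# Constructed sample rebar.config content (not from the page): one clean git
# dependency, one hex package with no URL, and two dependencies whose URL
# carries shell metacharacters.
SAMPLE_REBAR_CONFIG = r'''
{deps, [
    {cowboy, {git, "https://github.com/ninenines/cowboy", {tag, "2.9.0"}}},
    {jsx, "3.0.0"},
    {bad_git, {git, "https://example.invalid/repo.git; echo injected", {branch, "main"}}},
    {bad_hg, {hg, "https://example.invalid/repo`id`", {branch, "default"}}}
]}.
'''

# A quoted URL directly after a git or hg resource tag: {git, "URL", ...} or
# {hg, "URL", ...}. This is a heuristic match, not a full Erlang term parser.
DEP_URL_RE = re.compile(r'\{\s*(git|hg)\s*,\s*"((?:[^"\\]|\\.)*)"')

# Characters and sequences a POSIX shell interprets and that have no place in a
# clone URL. `&` is included even though it can occur in query strings, so a
# rare legitimate URL may be flagged; that bias towards reporting is intended.
SHELL_META_RE = re.compile(r'[;&|`<>\s]|\$\(|\$\{')


def extract_dep_urls(config_text: str) -> List[Dict[str, str]]:
    """Return every git/hg dependency URL found in rebar.config text."""
    return [{"resource": m.group(1), "url": m.group(2)}
            for m in DEP_URL_RE.finditer(config_text)]


def find_suspicious_urls(config_text: str) -> List[Dict[str, object]]:
    """Return the dependency URLs that contain shell metacharacters,
    together with the sorted set of metacharacters found in each."""
    findings = []
    for dep in extract_dep_urls(config_text):
        hits = sorted(set(SHELL_META_RE.findall(dep["url"])))
        if hits:
            findings.append({"resource": dep["resource"],
                             "url": dep["url"],
                             "metacharacters": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_urls(SAMPLE_REBAR_CONFIG):
        print(f"{f['resource']} dependency URL {f['url']!r} "
              f"contains shell metacharacters {f['metacharacters']}")
```

Run it against each rebar.config in a repository (or in a CI step before `rebar3 get-deps`) and fail the build on any finding; a clean git or hg URL never needs whitespace, `;`, `|`, backticks or `$(`, so a hit is worth a human look even on a patched rebar3.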

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv             (none)    9.8     CRITICAL   (none)
vendor_debian   (none)    9.8     LOW        (none)