CVE-2020-13802
Published: 2020-09-02
Summary: Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
Priority: P2 (63)
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.75% (93.2nd percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rebar3 | — | — |
| erlang | rebar3 | — | — |
| erlang | rebar3 | 3.1.0 – 3.13.2 | — |
Detection & IOCs (extracted from sources)
- CVE-2020-13802 affects Rebar3 versions 3.0.0-beta.3 through 3.13.2; OS command injection is triggered via the URL parameter of a dependency specification in rebar.config or equivalent dependency declarations.
- The vulnerability allows remote code execution through the Erlang rebar3 build tool; monitor for unexpected process spawning from rebar3 during dependency resolution and fetching.
- Review the upstream fix in GitHub PR #2302 to understand the sanitization applied to URL parameters; use this to craft detection logic for unsanitized shell-metacharacter sequences in dependency URLs.
- The injection vector is specifically the URL parameter within a dependency specification (e.g., in rebar.config); only dependency entries using a URL field are exploitable, not all rebar3 usage.
- Scope is listed as local in the Debian security tracker, meaning exploitation requires the ability to influence the rebar3 dependency configuration (e.g., a malicious rebar.config or dependency URL).
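As an added example (not from the page's sources and not rebar3's own code), the following Python scanner applies the detection idea from the bullets above to the text of a rebar.config: it extracts the URL field of every `{git, ...}`, `{hg, ...}` and `{git_subdir, ...}` dependency tuple and flags any URL that contains shell metacharacters or does not fit a strict URL allowlist. The sample config, the `example.invalid` hosts and the `SHELL_META` / `SAFE_URL` patterns are constructed for this demo; the exact escaping applied in the upstream fix is not reproduced here.

```python
import re
from typing import Dict, List

# Characters that are meaningful to /bin/sh but have no place in a git/hg
# dependency URL. Any of these inside the URL field is a red flag.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\s]""")

# Allowlist (an assumption for this demo) of URL shapes rebar3 deps use:
# scheme://host/path or scp-style user@host:path. Anything else fails closed.
SAFE_URL = re.compile(
    r"^(?:(?:https?|ssh|git|file)://[A-Za-z0-9._~%/:@?=&+-]+"
    r"|[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:[A-Za-z0-9._~%/-]+)$"
)

# Extracts the quoted URL of {git, "URL", ...}, {hg, "URL", ...} and
# {git_subdir, "URL", ...} tuples anywhere in the config text.
DEP_URL = re.compile(r'\{\s*(git|hg|git_subdir)\s*,\s*"((?:[^"\\]|\\.)*)"')


def scan_rebar_config(text: str) -> List[Dict]:
    """Return one record per git/hg dependency URL found in `text`."""
    findings = []
    for m in DEP_URL.finditer(text):
        kind, url = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1  # 1-based line of the tuple
        meta = sorted(set(SHELL_META.findall(url)))  # offending characters
        findings.append({
            "line": line,
            "kind": kind,
            "url": url,
            "shell_meta": meta,
            "suspicious": bool(meta) or not SAFE_URL.match(url),
        })
    return findings


def suspicious_deps(text: str) -> List[Dict]:
    """Only the dependency URLs a reviewer should look at before running rebar3."""
    return [f for f in scan_rebar_config(text) if f["suspicious"]]


# Constructed sample rebar.config for the demo (not a real project's file).
# The "evil" entry is a made-up illustration of the injection shape: a shell
# metacharacter sequence smuggled into the URL field of a git dependency.
SAMPLE_REBAR_CONFIG = r'''
{deps, [
  {cowboy, "2.9.0"},
  {jsx, {git, "https://git.example.invalid/jsx.git", {tag, "v3.0.0"}}},
  {evil, {git, "https://example.invalid/x.git; touch /tmp/pwned", {branch, "main"}}},
  {priv, {git, "git@git.example.invalid:example/priv.git", {ref, "abc123"}}},
  {hgdep, {hg, "https://hg.example.invalid/repo", {tag, "1.0"}}}
]}.
'''

if __name__ == "__main__":
    for f in scan_rebar_config(SAMPLE_REBAR_CONFIG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'line {f["line"]:>3} {f["kind"]:<10} {flag:<10} {f["url"]}')
```

The regex extraction deliberately ignores version-only entries such as `{cowboy, "2.9.0"}`, which resolve through the package index rather than a URL and so never reach the affected code path. Running the scanner over every rebar.config that CI checks out, including those of transitive dependencies, is a cheap gate for builds that still pin rebar3 at or below 3.13.2.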
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
GHSA
GHSA-fj2j-8cg9-vrj8 (ghsa_unreviewed · 2022-05-24 · severity HIGH)
The rebar3 tool 3.0.0-beta.3 through 3.13.2 for Erlang allows remote code execution.
OSV
CVE-2020-13802 (osv · 2020-09-02 · CVSS 9.8 · CRITICAL)
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
Debian
CVE-2020-13802: rebar3 (vendor_debian · 2020 · CVSS 9.8 · CRITICAL)
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13802 rebar3: OS command injection via URL parameter of dependency specification (bugzilla · 2020-09-02 · CVSS 9.8 · CRITICAL)
The rebar3 tool 3.0.0-beta.3 through 3.13.2 for Erlang allows remote code execution.
Reference: https://github.com/erlang/rebar3/pull/2302
Discussion: Created erlang-rebar3 tracking bugs for this issue:
Affects: fedora-all [bug 1875044]
Bugzilla
CVE-2020-13802 erlang-rebar3: rebar3: OS command injection via URL parameter of dependency specification [fedora-all] (bugzilla · 2020-09-02 · CVSS 9.8 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
References:
- http://packetstormsecurity.com/files/159027/Rebar3-3.13.2-Command-Injection.html
- https://github.com/vulnbe/poc-rebar3.git
- https://vuln.be/post/rebar3-command-injection/
Published: 2020-09-02