CVE-2017-20166 — CRITICAL (9.8)

Vulnerability Description

Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between is_nil and raise.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ecto Project	Ecto	2.2.0

Related Weaknesses (CWE)

CWE-754

References

https://github.com/advisories/GHSA-2xxx-fhc8-9qvqThird Party Advisory
https://github.com/elixir-ecto/ecto/commit/db55b0cba6525c24ebddc88ef9ae0c1c00620PatchThird Party Advisory
https://github.com/elixir-ecto/ecto/pull/2125ExploitThird Party Advisory
https://groups.google.com/forum/#%21topic/elixir-ecto/0m4NPfg_MMU
https://github.com/advisories/GHSA-2xxx-fhc8-9qvqThird Party Advisory
https://github.com/elixir-ecto/ecto/commit/db55b0cba6525c24ebddc88ef9ae0c1c00620PatchThird Party Advisory
https://github.com/elixir-ecto/ecto/pull/2125ExploitThird Party Advisory
https://groups.google.com/forum/#%21topic/elixir-ecto/0m4NPfg_MMU

FAQ

What is CVE-2017-20166?

CVE-2017-20166 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between is_nil and raise.

How severe is CVE-2017-20166?

CVE-2017-20166 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-20166?

Check the references section above for vendor advisories and patch information. Affected products include: Ecto Project Ecto.