GCVE - cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Erlang (`0c61e1c5-26cc-5ac0-8df6-fe98ca9fab3c`)
Product	Rebar3 (`e69b0600-e68a-51f8-9945-e9eea2d302bd`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/erlang/rebar3`	purl2cpe	2026-06-01 10:16:09.300425

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-21619`	vulnerable	2026-06-08 07:49:16.613593	Unsafe Deserialization of Erlang Terms in hex_core Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0. Published: 2026-02-27T17:57:11.513Z Updated: 2026-05-27T15:40:33.166Z Open on db.gcve.eu Reference links https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96 https://cna.erlef.org/cves/CVE-2026-21619.html https://osv.dev/vulnerability/EEF-CVE-2026-21619 https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13 https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-13802`	vulnerable	2026-06-08 05:18:01.109083	Details available Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. Published: 2020-09-02T16:30:27.000Z Updated: 2024-08-04T12:25:16.571Z Open on db.gcve.eu Reference links http://packetstormsecurity.com/files/159027/Rebar3-3.13.2-Command-Injection.html https://vuln.be/post/rebar3-command-injection/ https://github.com/vulnbe/poc-rebar3.git	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-1000014`	vulnerable	2026-06-08 05:12:21.349343	Details available Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via Victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 3.8.0. Published: 2019-02-04T21:00:00.000Z Updated: 2024-08-05T03:00:19.261Z Open on db.gcve.eu Reference links https://github.com/erlang/rebar3/pull/1986	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.