CVE-2020-13802

9.8 CRITICAL

📋 TL;DR

CVE-2020-13802 allows remote attackers to execute arbitrary operating system commands on systems running vulnerable Rebar3 versions by injecting malicious commands through the URL parameter of dependency specifications. This affects all users of Rebar3 versions 3.0.0-beta.3 through 3.13.2 who fetch dependencies from untrusted sources.

💻 Affected Systems

Products:
  • Rebar3
Versions: 3.0.0-beta.3 to 3.13.2
Operating Systems: All operating systems where Rebar3 runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when fetching dependencies from repositories with malicious URL parameters.

📦 What is this software?

Rebar3 is the standard build tool for Erlang/OTP projects. It compiles code, runs tests and fetches the dependencies declared in a project's rebar.config, including source dependencies pulled from git or hg repositories; the URL parameter of those dependency specifications is the input this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining root/administrator privileges and able to steal data, deploy ransomware, or take over the system completely.

🟠 Likely Case: Arbitrary command execution with the privileges of the Rebar3 process, potentially leading to data exfiltration, cryptocurrency mining, or lateral movement within the network.

🟢 If Mitigated: Limited impact due to network segmentation, least-privilege execution, and dependency source validation.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely by tricking users into fetching dependencies from malicious repositories.
🏢 Internal Only: MEDIUM - Internal exploitation requires attackers to control internal dependency sources or social engineer users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.3 and later

Vendor Advisory: https://github.com/erlang/rebar3/releases/tag/3.13.3

Restart Required: No

Instructions:

1. Update Rebar3 using: rebar3 local upgrade
2. Verify the installation with: rebar3 version
3. Ensure all projects use the updated version

🔧 Temporary Workarounds

Validate Dependency Sources (platform: all)

Only fetch dependencies from trusted, verified repositories and avoid using untrusted URLs in dependency specifications.

Run with Reduced Privileges (platform: linux)

Execute Rebar3 with minimal system privileges to limit the damage a command injection can do:

sudo -u lowprivilegeuser rebar3 compile

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Rebar3 systems from sensitive resources
  • Deploy application allowlisting to prevent execution of unauthorized commands

🔍 How to Verify

Check if Vulnerable:

Run rebar3 version. If the reported version is between 3.0.0-beta.3 and 3.13.2 inclusive, the system is vulnerable.

Check Version:

rebar3 version

Verify Fix Applied:

After updating, run rebar3 version again and confirm the reported version is 3.13.3 or higher.
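Two of the checks above, the dependency-URL review from the Validate Dependency Sources workaround and the version test from How to Verify, as an added Python example that is not part of this advisory or of Rebar3 itself. It assumes the `rebar3 version` output format "rebar X.Y.Z on Erlang/OTP ..." and treats shell metacharacters or a cleartext scheme in a dependency URL as a review heuristic, not a vendor rule.

```python
import re

# Affected range stated in the advisory: 3.0.0-beta.3 through 3.13.2 inclusive.
FIRST_VULNERABLE = "3.0.0-beta.3"
LAST_VULNERABLE = "3.13.2"

def version_key(ver):
    """Turn 'X.Y.Z' or 'X.Y.Z-beta.N' into a sortable tuple; a beta sorts
    below the final release of the same X.Y.Z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    major, minor, patch, beta = m.groups()
    pre = (1, 0) if beta is None else (0, int(beta))  # final release > any beta
    return (int(major), int(minor), int(patch)) + pre

def is_vulnerable(version_output):
    """Parse the first token after 'rebar' in `rebar3 version` output
    (e.g. 'rebar 3.13.2 on Erlang/OTP 22 Erts 10.7') and test the range."""
    m = re.search(r"\brebar\s+(\S+)", version_output)
    if not m:
        raise ValueError("no rebar version found in output")
    key = version_key(m.group(1))
    return version_key(FIRST_VULNERABLE) <= key <= version_key(LAST_VULNERABLE)

# Heuristic (an assumption of this example): shell metacharacters or whitespace
# never belong in a dependency URL, and cleartext http:// deserves a look too.
SUSPICIOUS = re.compile(r"[;&|`$<>(){}\\]|\s")
ALLOWED_SCHEME = re.compile(r"(https://|ssh://|git@)")

def scan_rebar_config(config_text):
    """Return the git/hg dependency URLs in a rebar.config that need review."""
    urls = re.findall(r'\{(?:git|hg),\s*"([^"]*)"', config_text)
    return [u for u in urls if SUSPICIOUS.search(u) or not ALLOWED_SCHEME.match(u)]

# Constructed sample inputs for demonstration, not taken from any real project.
SAMPLE_VERSION = "rebar 3.13.2 on Erlang/OTP 22 Erts 10.7"
SAMPLE_CONFIG = '''{deps, [
  {cowboy, {git, "https://github.com/ninenines/cowboy.git", {tag, "2.8.0"}}},
  {odd,    {git, "https://example.invalid/repo.git; echo injected", {branch, "main"}}},
  {plain,  {git, "http://example.invalid/plain.git", {branch, "main"}}}
]}.
'''

if __name__ == "__main__":
    print("vulnerable rebar3:", is_vulnerable(SAMPLE_VERSION))
    for url in scan_rebar_config(SAMPLE_CONFIG):
        print("review dependency URL:", url)
```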

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Rebar3 processes spawning unexpected child processes
  • Network connections to suspicious repositories

Network Indicators:

  • Outbound connections to unexpected domains during dependency fetching
  • Unusual payloads in HTTP requests to dependency repositories

SIEM Query:

process_name:"rebar3" AND (child_process:* OR cmdline:* OR network_connection:*)

This query is a starting point rather than an alert: child_process:* and cmdline:* match every Rebar3 event, so filter out the tool's expected behaviour (for example git or hg being spawned while source dependencies are fetched) and alert on what remains.
