
CVE-2017-20166: Ecto lacks a protection mechanism

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score
0.31944%
CWE
-
Published
1/10/2023
Updated
1/29/2023
KEV Status
No
Technology
Erlang

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ecto | erlang | = 2.2.0 | 2.2.1 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the reverted commit 8e1b378, which modified `query_for_get_by` to handle `nil` values with `is_nil`. The patch diff shows that this function was responsible for building the WHERE clauses of `get_by` queries. By automatically converting `{key, nil}` tuples into `is_nil(field(x, ^key))` without any validation, it bypassed Ecto's usual protection, which requires the caller to use `is_nil` explicitly rather than comparing a field against `nil`. This matches the advisory's description of a missing protection mechanism between `is_nil` and `raise`, and the revert commit message explicitly cites security implications for `nil` handling.
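As an added example (not code from the advisory, from Miggo, or from Ecto itself), the following Elixir wrapper shows the check a defender would want around `get_by`: it rejects `nil` values in the lookup clauses before they reach Ecto, so a lookup such as `get_by(User, reset_token: params["token"])` with a missing parameter raises instead of matching a row whose column is NULL. The module names `MyApp.Repo` and `MyApp.Accounts.User` are assumptions for illustration.

```elixir
# Added example; not part of the advisory or of Ecto's own code.
# MyApp.Repo and MyApp.Accounts.User are hypothetical names used only here.
defmodule MyApp.SafeRepo do
  @moduledoc """
  Wrapper around `Repo.get_by/3` that refuses `nil` values in the clauses.

  Ecto 2.2.0 rewrote `{key, nil}` into `is_nil(field(x, ^key))`, so a lookup
  like `Repo.get_by(User, reset_token: nil)` could return any row whose
  column is NULL. Ecto's normal behaviour (restored in 2.2.1) is to raise
  on a `nil` comparison; this guard makes that intent explicit in the
  application, independent of the Ecto version in use.
  """

  @doc """
  Fetches a single record by the given clauses, raising `ArgumentError`
  if any clause value is `nil`. Callers that really mean "column IS NULL"
  must write an explicit `is_nil/1` query instead.
  """
  def get_by!(repo, queryable, clauses) when is_list(clauses) or is_map(clauses) do
    case Enum.find(clauses, fn {_key, value} -> is_nil(value) end) do
      nil ->
        repo.get_by(queryable, clauses)

      {key, nil} ->
        raise ArgumentError,
              "nil given for #{inspect(key)}; refusing to build a lookup " <>
                "that could match NULL columns. Use an explicit is_nil/1 query."
    end
  end
end

# Usage (hypothetical names):
#   MyApp.SafeRepo.get_by!(MyApp.Repo, MyApp.Accounts.User, reset_token: params["token"])
#
# With a missing or empty token parameter this raises ArgumentError rather
# than returning an arbitrary user whose reset_token column is NULL.
```

The guard runs before any query is built, so it catches the case for every Ecto version; on Ecto 2.2.1 and later it simply raises one step earlier, with a message that names the offending key.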

Vulnerable functions


WAF Protection Rules

WAF Rule

Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between `is_nil` and `raise`.
