{"id":"CVE-2019-1000012","details":"Hex package manager versions 0.14.0 through 0.18.2 contain a signing oracle vulnerability in package registry verification that can result in package modifications going undetected, allowing code execution. The attack appears to be exploitable when a victim fetches packages from a malicious or compromised mirror. The vulnerability appears to have been fixed in 0.19.","modified":"2026-03-14T09:30:45.246266Z","published":"2019-02-04T21:29:01.097Z","references":[{"type":"FIX","url":"https://github.com/hexpm/hex/pull/646"},{"type":"FIX","url":"https://github.com/hexpm/hex/pull/651"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hexpm/hex","events":[{"introduced":"cd6111d29b67bb9db8e6844bef568e65ca4c32a1"},{"last_affected":"b5cb84be040dd5b130dde67f6debe41e9e4f328e"}],"database_specific":{"versions":[{"introduced":"0.14.0"},{"last_affected":"0.18.2"}]}}],"versions":["v0.14.0","v0.14.1","v0.15.0","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.17.4","v0.17.5","v0.17.6","v0.17.7","v0.18.0","v0.18.1","v0.18.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1000012.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}