{"id":"CVE-2020-13802","details":"Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via the URL parameter of a dependency specification.","modified":"2026-04-16T04:41:24.375931875Z","published":"2020-09-02T17:15:11.500Z","references":[{"type":"ADVISORY","url":"https://github.com/vulnbe/poc-rebar3.git"},{"type":"ADVISORY","url":"https://vuln.be/post/rebar3-command-injection/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/159027/Rebar3-3.13.2-Command-Injection.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erlang/rebar3","events":[{"introduced":"7ec2ba05fb4997c1a6bdac37a572ac7d0f13f946"},{"last_affected":"73c36138ffbca4851331878791156845047761d2"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"last_affected":"3.13.2"}]}}],"versions":["3.1.0","3.1.1","3.11.0","3.11.1","3.12.0","3.13.0","3.13.2","3.2.0","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","3.5.0","3.5.1","3.5.2","3.5.3","3.6.0","3.6.1","3.6.2","3.7.0","3.7.0-rc1","3.7.0-rc2","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.8.0","3.9.0","3.9.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.0.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0-beta4"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13802.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}