CVE-2019-16764

Name: CVE-2019-16764
Creator: NVD / NIST
Published: 2019-11-25T17:15:11.713+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 1.08%

Last modified Jun 17, 2026

CVE-2019-16764 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. EPSS estimates a 1.08% chance of exploitation in the next 30 days.

Description

The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. This is unsafe as it is user provided data, and can be used to fill up the whole atom table of ~1M which will cause the app to crash.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.08%

60.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Powauth	Powassent	< 0.4.4

References

http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1Product
https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cfPatch
https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986Third Party Advisory
https://hex.pm/packages/pow_assentRelease Notes
http://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1Product
https://github.com/pow-auth/pow_assent/commit/026105eeecc0e3c2f807e7109e745ea93c0fd9cfPatch
https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986Third Party Advisory
https://hex.pm/packages/pow_assentRelease Notes

Timeline

Published: Nov 25, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-16764?

How severe is CVE-2019-16764?

CVE-2019-16764 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 1.08% probability of exploitation in the next 30 days.

How do I fix CVE-2019-16764?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-16764?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST