Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1013352?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1013352?format=api", "purl": "pkg:apk/alpine/wolfssl@5.6.6-r0?arch=x86_64&distroversion=v3.22&reponame=community", "type": "apk", "namespace": "alpine", "name": "wolfssl", "version": "5.6.6-r0", "qualifiers": { "arch": "x86_64", "distroversion": "v3.22", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "5.7.0-r0", "latest_non_vulnerable_version": "5.7.2-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95893?format=api", "vulnerability_id": "VCID-u24a-2khf-uyba", "summary": "wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6937", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63293", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.633", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63284", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63285", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63219", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63248", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63214", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63265", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63283", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6937" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6937", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6937" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357", "reference_id": "1059357", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/7029", "reference_id": "7029", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:13:21Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/7029" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1013352?format=api", "purl": "pkg:apk/alpine/wolfssl@5.6.6-r0?arch=x86_64&distroversion=v3.22&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/wolfssl@5.6.6-r0%3Farch=x86_64&distroversion=v3.22&reponame=community" } ], "aliases": [ "CVE-2023-6937" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u24a-2khf-uyba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95891?format=api", "vulnerability_id": "VCID-zhf4-y8v8-gubn", "summary": "wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS=\"-DWOLFSSL_STATIC_RSA\" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with \"--enable-all\", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the server’s private key is not exposed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6935", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54642", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54592", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.5463", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54643", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54626", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54604", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54615", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54584", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54635", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6935" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6935", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6935" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357", "reference_id": "1059357", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357" }, { "reference_url": "https://people.redhat.com/~hkario/marvin/", "reference_id": "marvin", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-12T12:48:11Z/" } ], "url": "https://people.redhat.com/~hkario/marvin/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1013352?format=api", "purl": "pkg:apk/alpine/wolfssl@5.6.6-r0?arch=x86_64&distroversion=v3.22&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/wolfssl@5.6.6-r0%3Farch=x86_64&distroversion=v3.22&reponame=community" } ], "aliases": [ "CVE-2023-6935" ], "risk_score": 1.5, "exploitability": "0.5", "weighted_severity": "3.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhf4-y8v8-gubn" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/wolfssl@5.6.6-r0%3Farch=x86_64&distroversion=v3.22&reponame=community" }