Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1055077?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1055077?format=api", "purl": "pkg:deb/debian/botan@1.6.5-3", "type": "deb", "namespace": "debian", "name": "botan", "version": "1.6.5-3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.19.3+dfsg-1+deb12u1", "latest_non_vulnerable_version": "2.19.3+dfsg-1+deb12u1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93671?format=api", "vulnerability_id": "VCID-31pb-3pss-ybg3", "summary": "A side-channel issue was discovered in Botan before 2.9.0. An attacker capable of precisely measuring the time taken for ECC key generation may be able to derive information about the high bits of the secret key, as the function to derive the public point from the secret scalar uses an unblinded Montgomery ladder whose loop iteration count depends on the bitlength of the secret. This issue affects only key generation, not ECDSA signatures or ECDH key agreement.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20187", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65481", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65485", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65496", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65368", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65417", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65444", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65406", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65459", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.6547", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65489", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65476", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65448", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20187" }, { "reference_url": "https://botan.randombit.net/news.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://botan.randombit.net/news.html" }, { "reference_url": "https://botan.randombit.net/security.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://botan.randombit.net/security.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20187", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20187" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/crocs-muni/ECTester", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/crocs-muni/ECTester" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918732", "reference_id": "918732", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918732" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20187", "reference_id": "CVE-2018-20187", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:P/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20187" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055078?format=api", "purl": "pkg:deb/debian/botan@2.9.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-32jb-t7zq-uyhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.9.0-2" } ], "aliases": [ "CVE-2018-20187" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-31pb-3pss-ybg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94671?format=api", "vulnerability_id": "VCID-32jb-t7zq-uyhe", "summary": "In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-24115", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72286", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72204", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72209", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72229", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72205", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72242", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72254", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72277", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.7226", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72247", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72289", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72298", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-24115" }, { "reference_url": "https://botan.randombit.net/news.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://botan.randombit.net/news.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24115", "reference_id": "CVE-2021-24115", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24115" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583830?format=api", "purl": "pkg:deb/debian/botan@2.17.3%2Bdfsg-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4813-s8rk-xqcz" }, { "vulnerability": "VCID-9kx4-w9uw-vybp" }, { "vulnerability": "VCID-9us9-jyfu-hqdg" }, { "vulnerability": "VCID-sfcs-71wr-wbf4" }, { "vulnerability": "VCID-vgqy-r4ed-4bcv" }, { "vulnerability": "VCID-w192-d7k6-h3a3" }, { "vulnerability": "VCID-xffg-w6fz-yqfj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.17.3%252Bdfsg-2" } ], "aliases": [ "CVE-2021-24115" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-32jb-t7zq-uyhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93510?format=api", "vulnerability_id": "VCID-851y-jyry-8qe1", "summary": "Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-12435", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36009", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36035", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36062", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.35969", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36159", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.3619", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36025", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36075", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36093", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.361", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.36061", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-12435" }, { "reference_url": "https://botan.randombit.net/security.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://botan.randombit.net/security.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12435", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12435" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/randombit/botan/commit/48fc8df51d99f9d8ba251219367b3d629cc848e3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/randombit/botan/commit/48fc8df51d99f9d8ba251219367b3d629cc848e3" }, { "reference_url": "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901619", "reference_id": "901619", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901619" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12435", "reference_id": "CVE-2018-12435", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv2", "scoring_elements": "AV:L/AC:M/Au:N/C:P/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12435" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055078?format=api", "purl": "pkg:deb/debian/botan@2.9.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-32jb-t7zq-uyhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.9.0-2" } ], "aliases": [ "CVE-2018-12435" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-851y-jyry-8qe1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93826?format=api", "vulnerability_id": "VCID-bdvc-y1wv-gkcf", "summary": "An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-9860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65823", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65871", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65901", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65866", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65918", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65929", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65947", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65934", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65904", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65939", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65954", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00499", "scoring_system": "epss", "scoring_elements": "0.65943", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-9860" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9860", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9860" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055078?format=api", "purl": "pkg:deb/debian/botan@2.9.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-32jb-t7zq-uyhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.9.0-2" } ], "aliases": [ "CVE-2018-9860" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bdvc-y1wv-gkcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93822?format=api", "vulnerability_id": "VCID-wqt2-m3gv-6fgk", "summary": "Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-9127", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.3933", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39492", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39515", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39429", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39485", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.395", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39511", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39472", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39455", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39507", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39478", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00179", "scoring_system": "epss", "scoring_elements": "0.39393", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-9127" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9127", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9127" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894648", "reference_id": "894648", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894648" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055078?format=api", "purl": "pkg:deb/debian/botan@2.9.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-32jb-t7zq-uyhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.9.0-2" } ], "aliases": [ "CVE-2018-9127" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wqt2-m3gv-6fgk" } ], "fixing_vulnerabilities": [], "risk_score": "2.6", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@1.6.5-3" }