Look up vulnerable packages by Package URL.

GET /api/packages/1083?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
    "purl": "pkg:mozilla/Thunderbird@7.0.0",
    "type": "mozilla",
    "namespace": "",
    "name": "Thunderbird",
    "version": "7.0.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": "8.0.0",
    "latest_non_vulnerable_version": "151.0.0",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2845?format=api",
            "vulnerability_id": "VCID-5dm1-kvut-bbgv",
            "summary": "Mariusz Mlynski reported that if you could convince\na user to hold down the Enter key--as part of a game or test,\nperhaps--a malicious page could pop up a download dialog where the held\nkey would then activate the default Open action. For some file types this\nwould be merely annoying (the equivalent of a pop-up) but other file\ntypes have powerful scripting capabilities. And this would provide an\navenue for an attacker to exploit a vulnerability in applications not\nnormally exposed to potentially hostile internet content.\nMariusz also reported a similar flaw with manual plugin installation\nusing the PLUGINSPAGE attribute. It was possible to create\nan internal error that suppressed a confirmation dialog, such that holding\nenter would lead to the installation of an arbitrary add-on. (This variant\ndid not affect Firefox 3.6)",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372",
                    "reference_id": "CVE-2011-2372",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-40",
                    "reference_id": "mfsa2011-40",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-40"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1208?format=api",
                    "purl": "pkg:mozilla/Thunderbird@3.1.15",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@3.1.15"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-2372"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5dm1-kvut-bbgv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2367?format=api",
            "vulnerability_id": "VCID-avt8-7dua-tyey",
            "summary": "For historical reasons Firefox has been generous in its interpretation of web\naddresses containing square brackets around the host. If this host was not a\nvalid IPv6 literal address, Firefox attempted to interpret the host as a regular\ndomain name. Gregory Fleischer reported that requests made\nusing IPv6 syntax using XMLHttpRequest objects through a proxy may generate\nerrors depending on proxy configuration for IPv6. The resulting error messages\nfrom the proxy may disclose sensitive data because Same-Origin Policy (SOP) will\nallow the XMLHttpRequest object to read these error messages, allowing user\nprivacy to be eroded. Firefox now enforces RFC 3986 IPv6 literal syntax and that\nmay break links written using the non-standard Firefox-only forms that were\npreviously accepted.\nThis was fixed previously for Firefox 7.0, Thunderbird 7.0, and\nSeaMonkey 2.4 but only fixed in Firefox 3.6.26 and Thunderbird 3.1.18 during\n2012.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670",
                    "reference_id": "CVE-2011-3670",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-02",
                    "reference_id": "mfsa2012-02",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "low",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-02"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1018?format=api",
                    "purl": "pkg:mozilla/Thunderbird@3.1.18",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@3.1.18"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-3670"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-avt8-7dua-tyey"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2855?format=api",
            "vulnerability_id": "VCID-bvjs-ev8j-2ka1",
            "summary": "Ian Graham of Citrix Online reported that when multiple\nLocation headers were present in a redirect response \nMozilla behavior differed from other browsers: Mozilla would use the second\nLocation header while Chrome and Internet Explorer would use\nthe first. Two copies of this header with different values could be a symptom\nof a CRLF injection attack against a vulnerable server. Most commonly it is\nthe Location header itself that is vulnerable to the response\nsplitting and therefore the copy preferred by Mozilla is more likely to be\nthe malicious one. It is possible, however, that the first copy was the\ninjected one depending on the nature of the server vulnerability.\nThe Mozilla browser engine has been changed to treat two copies of this\nheader with different values as an error condition. The same has been done\nwith the headers Content-Length and Content-Disposition",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000",
                    "reference_id": "CVE-2011-3000",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-39",
                    "reference_id": "mfsa2011-39",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "none",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-39"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1208?format=api",
                    "purl": "pkg:mozilla/Thunderbird@3.1.15",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@3.1.15"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-3000"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bvjs-ev8j-2ka1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2886?format=api",
            "vulnerability_id": "VCID-q6wy-vbkn-5ybk",
            "summary": "Mozilla developers identified and fixed several memory safety bugs\nin the browser engine used in Firefox and other Mozilla-based\nproducts. Some of these bugs showed evidence of memory corruption\nunder certain circumstances, and we presume that with enough effort at\nleast some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird\nand SeaMonkey products because scripting is disabled, but are potentially a risk\nin browser or browser-like contexts in those products.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2995",
                    "reference_id": "CVE-2011-2995",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2995"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-36",
                    "reference_id": "mfsa2011-36",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-36"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1208?format=api",
                    "purl": "pkg:mozilla/Thunderbird@3.1.15",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@3.1.15"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-2995"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q6wy-vbkn-5ybk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2898?format=api",
            "vulnerability_id": "VCID-uwxn-2akc-aud1",
            "summary": "Security researcher Aki Helin reported a potentially\nexploitable crash in the YARR regular expression library used by JavaScript.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3232",
                    "reference_id": "CVE-2011-3232",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3232"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-42",
                    "reference_id": "mfsa2011-42",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-42"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-3232"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwxn-2akc-aud1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2850?format=api",
            "vulnerability_id": "VCID-xa69-rn7t-vfdn",
            "summary": "sczimmer reported that Firefox crashed when loading\na particular .ogg file. This was due to a use-after-free\ncondition and could potentially be exploited to install malware.\nThis vulnerability does not affect Firefox 3.6 or earlier.",
            "references": [
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3005",
                    "reference_id": "CVE-2011-3005",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3005"
                },
                {
                    "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-44",
                    "reference_id": "mfsa2011-44",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "critical",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2011-44"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1083?format=api",
                    "purl": "pkg:mozilla/Thunderbird@7.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
                }
            ],
            "aliases": [
                "CVE-2011-3005"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xa69-rn7t-vfdn"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@7.0.0"
}