Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/11657?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/11657?format=api", "purl": "pkg:pypi/mitmproxy@3.0.1", "type": "pypi", "namespace": "", "name": "mitmproxy", "version": "3.0.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "12.2.2", "latest_non_vulnerable_version": "12.2.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36062?format=api", "vulnerability_id": "VCID-8xbk-3z3r-nkfh", "summary": "mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.", "references": [ { "reference_url": "https://github.com/mitmproxy/mitmproxy", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-gcx2-gvj7-pxv3" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2022-170.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2022-170.yaml" }, { "reference_url": "https://mitmproxy.org/posts/releases/mitmproxy8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://mitmproxy.org/posts/releases/mitmproxy8" }, { "reference_url": "https://mitmproxy.org/posts/releases/mitmproxy8/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://mitmproxy.org/posts/releases/mitmproxy8/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24766", "reference_id": "CVE-2022-24766", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24766" }, { "reference_url": "https://github.com/advisories/GHSA-gcx2-gvj7-pxv3", "reference_id": "GHSA-gcx2-gvj7-pxv3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gcx2-gvj7-pxv3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27088?format=api", "purl": "pkg:pypi/mitmproxy@8.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qgvt-wb92-9kbw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mitmproxy@8.0.0" } ], "aliases": [ "CVE-2022-24766", "GHSA-gcx2-gvj7-pxv3", "PYSEC-2022-170" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8xbk-3z3r-nkfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7101?format=api", "vulnerability_id": "VCID-f126-n8nd-jfgs", "summary": "url request injection", "references": [ { "reference_url": "https://github.com/mitmproxy/mitmproxy", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2021-328.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2021-328.yaml" }, { "reference_url": "https://security.archlinux.org/AVG-2395", "reference_id": "AVG-2395", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2395" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39214", "reference_id": "CVE-2021-39214", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39214" }, { "reference_url": "https://github.com/advisories/GHSA-22gh-3r9q-xf38", "reference_id": "GHSA-22gh-3r9q-xf38", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-22gh-3r9q-xf38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23568?format=api", "purl": "pkg:pypi/mitmproxy@7.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8xbk-3z3r-nkfh" }, { "vulnerability": "VCID-qgvt-wb92-9kbw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mitmproxy@7.0.3" } ], "aliases": [ "CVE-2021-39214", "GHSA-22gh-3r9q-xf38", "PYSEC-2021-328" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f126-n8nd-jfgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35235?format=api", "vulnerability_id": "VCID-pddc-5c8v-qqbs", "summary": "mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-6m53-c78q-7qmg", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6m53-c78q-7qmg" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/commit/7f464b89296881f4d9ec032378c4418e832d17e3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/commit/7f464b89296881f4d9ec032378c4418e832d17e3" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/issues/3234", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/issues/3234" }, { "reference_url": "https://github.com/mitmproxy/mitmproxy/pull/3243", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/mitmproxy/mitmproxy/pull/3243" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2018-56.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mitmproxy/PYSEC-2018-56.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14505", "reference_id": "CVE-2018-14505", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14505" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/11664?format=api", "purl": "pkg:pypi/mitmproxy@4.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8xbk-3z3r-nkfh" }, { "vulnerability": "VCID-f126-n8nd-jfgs" }, { "vulnerability": "VCID-qgvt-wb92-9kbw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mitmproxy@4.0.4" } ], "aliases": [ "CVE-2018-14505", "GHSA-6m53-c78q-7qmg", "PYSEC-2018-56" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pddc-5c8v-qqbs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37298?format=api", "vulnerability_id": "VCID-qgvt-wb92-9kbw", "summary": "mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.", "references": [ { "reference_url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49585?format=api", "purl": "pkg:pypi/mitmproxy@12.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mitmproxy@12.2.2" } ], "aliases": [ "CVE-2026-40606", "GHSA-527g-3w9m-29hv", "PYSEC-2026-92" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qgvt-wb92-9kbw" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/mitmproxy@3.0.1" }