Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/145290?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/145290?format=api", "purl": "pkg:hex/plug@1.2.3", "type": "hex", "namespace": "", "name": "plug", "version": "1.2.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.2.5", "latest_non_vulnerable_version": "1.19.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108951?format=api", "vulnerability_id": "VCID-x7su-wxws-a3gz", "summary": "Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. This attack appear to be exploitable via Crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in >= 1.3.5 or ~> 1.2.5 or ~> 1.1.9 or ~> 1.0.6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-1000883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0025", "scoring_system": "epss", "scoring_elements": "0.48431", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-1000883" }, { "reference_url": "https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-04-17.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-04-17.yml" }, { "reference_url": "https://github.com/elixir-plug/plug", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/elixir-plug/plug" }, { "reference_url": "https://github.com/elixir-plug/plug/commit/8857f8ab4acf9b9c22e80480dae2636692f5f573", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/elixir-plug/plug/commit/8857f8ab4acf9b9c22e80480dae2636692f5f573" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000883", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000883" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145144?format=api", "purl": "pkg:hex/plug@1.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/145146?format=api", "purl": "pkg:hex/plug@1.3.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.5" } ], "aliases": [ "CVE-2018-1000883", "GHSA-9h73-w7ch-rh73" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x7su-wxws-a3gz" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108953?format=api", "vulnerability_id": "VCID-7ryv-jjw4-b7gh", "summary": "Arbitrary Code Execution in Cookie Serialization\nThe default serialization used by Plug session may result in code execution\n in certain situations. 
Keep in mind, however, the session cookie is signed\n and this attack can only be exploited if the attacker has access to your\n secret key as well as your signing/encryption salts. We recommend users to\n change their secret key base and salts if they suspect they have been leaked,\n regardless of this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000053", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01075", "scoring_system": "epss", "scoring_elements": "0.78131", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000053" }, { "reference_url": "https://elixirforum.com/t/security-releases-for-plug/3913", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://elixirforum.com/t/security-releases-for-plug/3913" }, { "reference_url": "https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913", "reference_id": "", "reference_type": "", "scores": [], "url": "https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913" }, { "reference_url": "https://github.com/elixir-plug/plug", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/elixir-plug/plug" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000053", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000053" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145288?format=api", "purl": "pkg:hex/plug@1.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/145289?format=api", "purl": "pkg:hex/plug@1.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.1.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/145290?format=api", "purl": "pkg:hex/plug@1.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/145291?format=api", "purl": "pkg:hex/plug@1.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.2" } ], "aliases": [ "CVE-2017-1000053", "GHSA-5v4m-c73v-c7gq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7ryv-jjw4-b7gh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108980?format=api", "vulnerability_id": "VCID-dp5c-pz39-ckhp", "summary": "Null Byte Injection in Plug.Static\nPlug.Static is used for serving static assets, and is vulnerable to null\n byte injection. 
If file upload functionality is provided, this can allow\n users to bypass filetype restrictions.\n We recommend all applications that provide file upload functionality and\n serve those uploaded files locally with Plug.Static to upgrade immediately\n or include the fix below. If uploaded files are rather stored and served\n from S3 or any other cloud storage, you are not affected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00246", "scoring_system": "epss", "scoring_elements": "0.48038", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000052" }, { "reference_url": "https://elixirforum.com/t/security-releases-for-plug/3913", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://elixirforum.com/t/security-releases-for-plug/3913" }, { "reference_url": "https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913", "reference_id": "", "reference_type": "", "scores": [], "url": "https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913" }, { "reference_url": "https://github.com/elixir-plug/plug", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/elixir-plug/plug" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000052", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000052" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145288?format=api", "purl": "pkg:hex/plug@1.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/145289?format=api", "purl": "pkg:hex/plug@1.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.1.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/145290?format=api", "purl": "pkg:hex/plug@1.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/145291?format=api", "purl": "pkg:hex/plug@1.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-x7su-wxws-a3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.3.2" } ], "aliases": [ "CVE-2017-1000052", "GHSA-2q6v-32mr-8p8x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dp5c-pz39-ckhp" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/plug@1.2.3" }