Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/160285?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/160285?format=api", "purl": "pkg:gem/spree_auth_devise@3.5.0", "type": "gem", "namespace": "", "name": "spree_auth_devise", "version": "3.5.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14341?format=api", "vulnerability_id": "VCID-raed-358a-vqfn", "summary": "Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n* A before_action callback (the default)\n* A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).\n* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).\n\nThat means that applications that haven't been configured differently from what it's generated with Rails aren't affected.\n\nThanks @waiting-for-dev for reporting and providing a patch 👏", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41275", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.2263", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41275" }, { "reference_url": "https://github.com/spree/spree_auth_devise", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise" }, { "reference_url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41275", "reference_id": "CVE-2021-41275", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41275" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml", "reference_id": "CVE-2021-41275.YML", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml" }, { "reference_url": "https://github.com/advisories/GHSA-26xx-m4q2-xhq8", "reference_id": "GHSA-26xx-m4q2-xhq8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26xx-m4q2-xhq8" }, { "reference_url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8", "reference_id": "GHSA-26xx-m4q2-xhq8", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8" }, { "reference_url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr", "reference_id": "GHSA-6mqr-q86q-6gwr", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr" }, { "reference_url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652", "reference_id": "GHSA-8xfw-5q82-3652", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652" }, { "reference_url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954", "reference_id": "GHSA-gpqc-4pp7-5954", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954" }, { "reference_url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2", "reference_id": "GHSA-xm34-v85h-9pg2", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58570?format=api", "purl": "pkg:gem/spree_auth_devise@4.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-raed-358a-vqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/58565?format=api", "purl": "pkg:gem/spree_auth_devise@4.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-raed-358a-vqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/58569?format=api", "purl": "pkg:gem/spree_auth_devise@4.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-raed-358a-vqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/58568?format=api", "purl": "pkg:gem/spree_auth_devise@4.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-raed-358a-vqfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@4.4.1" } ], "aliases": [ "CVE-2021-41275", "GHSA-26xx-m4q2-xhq8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-raed-358a-vqfn" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/spree_auth_devise@3.5.0" }