Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/18203?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/18203?format=api", "purl": "pkg:pypi/pip@7.0.1", "type": "pypi", "namespace": "", "name": "pip", "version": "7.0.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "23.3", "latest_non_vulnerable_version": "26.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36594?format=api", "vulnerability_id": "VCID-1as6-9kq7-d7gy", "summary": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.", "references": [ { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2023-228.yaml" }, { "reference_url": "https://github.com/pypa/pip", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip" }, { "reference_url": "https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip/commit/389cb799d0da9a840749fcd14878928467ed49b4" }, { "reference_url": "https://github.com/pypa/pip/pull/12306", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://github.com/pypa/pip/pull/12306" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ" }, { "reference_url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL", "reference_id": "", "reference_type": "", "scores": [], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL" }, { "reference_url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752", "reference_id": "CVE-2023-5752", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752" }, { "reference_url": "https://github.com/advisories/GHSA-mq26-g339-26xf", "reference_id": "GHSA-mq26-g339-26xf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mq26-g339-26xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37730?format=api", "purl": "pkg:pypi/pip@23.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pip@23.3" } ], "aliases": [ "CVE-2023-5752", "GHSA-mq26-g339-26xf", "PYSEC-2023-228" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1as6-9kq7-d7gy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35614?format=api", "vulnerability_id": "VCID-g99f-q7vc-gyeg", "summary": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html" }, { "reference_url": "https://github.com/advisories/GHSA-gpvv-69j7-gwj8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gpvv-69j7-gwj8" }, { "reference_url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace" }, { "reference_url": "https://github.com/pypa/pip/compare/19.1.1...19.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip/compare/19.1.1...19.2" }, { "reference_url": "https://github.com/pypa/pip/issues/6413", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip/issues/6413" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18232?format=api", "purl": "pkg:pypi/pip@19.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1as6-9kq7-d7gy" }, { "vulnerability": "VCID-mh4d-1b2e-bqem" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pip@19.2" } ], "aliases": [ "CVE-2019-20916", "GHSA-gpvv-69j7-gwj8", "PYSEC-2020-173" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g99f-q7vc-gyeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6887?format=api", "vulnerability_id": "VCID-mh4d-1b2e-bqem", "summary": "silent downgrade", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3254", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3254" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962856", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962856" }, { "reference_url": "https://github.com/advisories/GHSA-5xp3-jfq3-5q8x", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5xp3-jfq3-5q8x" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pip/PYSEC-2021-437.yaml" }, { "reference_url": "https://github.com/pypa/pip", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip" }, { "reference_url": "https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b" }, { "reference_url": "https://github.com/pypa/pip/pull/9827", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/pip/pull/9827" }, { "reference_url": "https://packetstormsecurity.com/files/162712/USN-4961-1.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://packetstormsecurity.com/files/162712/USN-4961-1.txt" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240621-0006", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "https://security.archlinux.org/AVG-2036", "reference_id": "AVG-2036", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2036" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3572", "reference_id": "CVE-2021-3572", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3572" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24933?format=api", "purl": "pkg:pypi/pip@21.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1as6-9kq7-d7gy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pip@21.1" } ], "aliases": [ "CVE-2021-3572", "GHSA-5xp3-jfq3-5q8x", "PYSEC-2021-437" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mh4d-1b2e-bqem" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pip@7.0.1" }