Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/220221?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/220221?format=api", "purl": "pkg:apk/alpine/yt-dlp@2023.11.14-r0?arch=riscv64&distroversion=v3.21&reponame=community", "type": "apk", "namespace": "alpine", "name": "yt-dlp", "version": "2023.11.14-r0", "qualifiers": { "arch": "riscv64", "distroversion": "v3.21", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/132530?format=api", "vulnerability_id": "VCID-9cc8-rqk4-uqh8", "summary": "yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. 
Users unable to upgrade should disable the Generic extractor (or only pass trusted sites with trusted content) and take caution when using `--no-check-certificate`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26342", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26544", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46121" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46121", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46121" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055996", "reference_id": "1055996", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055996" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14", "reference_id": "2023.11.14", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb", "reference_id": "f04b5bedad7b281bee9814686bba1762bae092eb", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb" }, { "reference_url": "https://github.com/advisories/GHSA-3ch3-jhc6-5r8x", "reference_id": "GHSA-3ch3-jhc6-5r8x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3ch3-jhc6-5r8x" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x", "reference_id": "GHSA-3ch3-jhc6-5r8x", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": 
"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x" }, { "reference_url": "https://security.gentoo.org/glsa/202409-30", "reference_id": "GLSA-202409-30", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202409-30" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/220221?format=api", "purl": "pkg:apk/alpine/yt-dlp@2023.11.14-r0?arch=riscv64&distroversion=v3.21&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/yt-dlp@2023.11.14-r0%3Farch=riscv64&distroversion=v3.21&reponame=community" } ], "aliases": [ "CVE-2023-46121", "GHSA-3ch3-jhc6-5r8x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cc8-rqk4-uqh8" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/yt-dlp@2023.11.14-r0%3Farch=riscv64&distroversion=v3.21&reponame=community" }