Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/337053?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/337053?format=api", "purl": "pkg:maven/com.guicedee.services/commons-text@1.0.19.12-jre8", "type": "maven", "namespace": "com.guicedee.services", "name": "commons-text", "version": "1.0.19.12-jre8", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "62", "latest_non_vulnerable_version": "62", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51949?format=api", "vulnerability_id": "VCID-j986-mtma-b3bw", "summary": "Arbitrary code execution in Apache Commons Text\nApache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html" }, { "reference_url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94251", "scoring_system": "epss", "scoring_elements": "0.99931", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.94251", "scoring_system": "epss", "scoring_elements": "0.9993", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42889" }, { "reference_url": "https://arxiv.org/pdf/2306.05534", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://arxiv.org/pdf/2306.05534" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889" }, { "reference_url": "http://seclists.org/fulldisclosure/2023/Feb/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://seclists.org/fulldisclosure/2023/Feb/3" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/apache/commons-text", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/commons-text" }, { "reference_url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889" }, { "reference_url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022" }, { "reference_url": "https://security.gentoo.org/glsa/202301-05", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://security.gentoo.org/glsa/202301-05" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221020-0004", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20221020-0004" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221020-0004/", "reference_id": "", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20221020-0004/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/13/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/18/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/18/1" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787", "reference_id": "1021787", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", "reference_id": "2135435", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52261.py", "reference_id": "CVE-2022-42889", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52261.py" }, { "reference_url": "https://github.com/advisories/GHSA-599f-7c49-w659", "reference_id": "GHSA-599f-7c49-w659", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-599f-7c49-w659" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8652", "reference_id": "RHSA-2022:8652", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8652" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8876", "reference_id": "RHSA-2022:8876", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8876" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8902", "reference_id": "RHSA-2022:8902", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8902" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:9023", "reference_id": "RHSA-2022:9023", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:9023" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0261", "reference_id": "RHSA-2023:0261", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0261" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0469", "reference_id": "RHSA-2023:0469", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0469" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1006", "reference_id": "RHSA-2023:1006", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1006" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1524", "reference_id": "RHSA-2023:1524", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1524" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1655", "reference_id": "RHSA-2023:1655", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1655" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2097", "reference_id": "RHSA-2023:2097", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2097" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3195", "reference_id": "RHSA-2023:3195", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3195" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1746", "reference_id": "RHSA-2025:1746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1747", "reference_id": "RHSA-2025:1747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1747" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/337136?format=api", "purl": "pkg:maven/com.guicedee.services/commons-text@62", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.guicedee.services/commons-text@62" } ], "aliases": [ "CVE-2022-42889", "GHSA-599f-7c49-w659" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j986-mtma-b3bw" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.guicedee.services/commons-text@1.0.19.12-jre8" }