Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/51281?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/51281?format=api", "purl": "pkg:gem/actionpack@3.2.0", "type": "gem", "namespace": "", "name": "actionpack", "version": "3.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.2", "latest_non_vulnerable_version": "7.1.3.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39069?format=api", "vulnerability_id": "VCID-7m31-x66p-3bha", "summary": "actionpack Cross-site Scripting vulnerability\nCross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.", "references": [ { "reference_url": "https://github.com/rails/rails", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails" }, { "reference_url": "https://github.com/rails/rails/commit/cf48c9c7dcbef8543171f7f7de8d3d9a16b58e77", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/cf48c9c7dcbef8543171f7f7de8d3d9a16b58e77" }, { "reference_url": "https://github.com/rails/rails/commit/e91e4e8bbee12ce1496bf384c04da6be296b687a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/e91e4e8bbee12ce1496bf384c04da6be296b687a" }, { "reference_url": "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3465", "reference_id": "CVE-2012-3465", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3465" }, { "reference_url": "https://github.com/advisories/GHSA-7g65-ghrg-hpf5", "reference_id": "GHSA-7g65-ghrg-hpf5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7g65-ghrg-hpf5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51284?format=api", "purl": "pkg:gem/actionpack@3.2.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.8" } ], "aliases": [ "CVE-2012-3465", "GHSA-7g65-ghrg-hpf5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7m31-x66p-3bha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39071?format=api", "vulnerability_id": "VCID-dx34-zm9p-1ydc", "summary": "actionpack Improper Authentication vulnerability\nThe `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method.", "references": [ { "reference_url": "https://github.com/rails/rails", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails" }, { "reference_url": "https://github.com/rails/rails/commit/3719bd3e95523c5518507dbe44f260f252930600", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/3719bd3e95523c5518507dbe44f260f252930600" }, { "reference_url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3424", "reference_id": "CVE-2012-3424", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3424" }, { "reference_url": "https://github.com/advisories/GHSA-92w9-2pqw-rhjj", "reference_id": "GHSA-92w9-2pqw-rhjj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-92w9-2pqw-rhjj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54502?format=api", "purl": "pkg:gem/actionpack@3.2.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.7" } ], "aliases": [ "CVE-2012-3424", "GHSA-92w9-2pqw-rhjj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dx34-zm9p-1ydc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39097?format=api", "vulnerability_id": "VCID-f21a-143f-9qay", "summary": "actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request\n`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660.", "references": [ { "reference_url": "https://github.com/rails/rails", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails" }, { "reference_url": "https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a" }, { "reference_url": "https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52" }, { "reference_url": "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain" }, { "reference_url": "https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2694", "reference_id": "CVE-2012-2694", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2694" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml", "reference_id": "CVE-2012-2694.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml" }, { "reference_url": "https://github.com/advisories/GHSA-q34c-48gc-m9g8", "reference_id": "GHSA-q34c-48gc-m9g8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q34c-48gc-m9g8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54576?format=api", "purl": "pkg:gem/actionpack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.6" } ], "aliases": [ "CVE-2012-2694", "GHSA-q34c-48gc-m9g8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f21a-143f-9qay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37516?format=api", "vulnerability_id": "VCID-kt2t-d3bx-jydv", "summary": "XSS vulnerability in sanitize_css in Action Pack\nCarefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack.", "references": [ { "reference_url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51452?format=api", "purl": "pkg:gem/actionpack@3.2.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.13" } ], "aliases": [ "CVE-2013-1855" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kt2t-d3bx-jydv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37442?format=api", "vulnerability_id": "VCID-p6yg-d8wm-4bgz", "summary": "SQL Injection\nRuby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places.", "references": [ { "reference_url": "https://github.com/rails/rails", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails" }, { "reference_url": "https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b" }, { "reference_url": "https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d#diff-3179d24efacadd64068c4d9c1184eac3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d#diff-3179d24efacadd64068c4d9c1184eac3" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml" }, { "reference_url": "https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ" }, { "reference_url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain" }, { "reference_url": "https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2660", "reference_id": "CVE-2012-2660", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2660" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml", "reference_id": "CVE-2012-2660.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml", "reference_id": "CVE-2012-2660.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml" }, { "reference_url": "https://github.com/advisories/GHSA-hgpp-pp89-4fgf", "reference_id": "GHSA-hgpp-pp89-4fgf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hgpp-pp89-4fgf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54558?format=api", "purl": "pkg:gem/actionpack@3.2.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.4" } ], "aliases": [ "CVE-2012-2660", "GHSA-hgpp-pp89-4fgf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p6yg-d8wm-4bgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37479?format=api", "vulnerability_id": "VCID-puve-cp8z-zbdr", "summary": "Multiple vulnerabilities in parameter parsing in Action Pack\nThere are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.", "references": [ { "reference_url": "https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51357?format=api", "purl": "pkg:gem/actionpack@3.2.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.11" } ], "aliases": [ "CVE-2013-0156" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-puve-cp8z-zbdr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37513?format=api", "vulnerability_id": "VCID-qmvt-9qth-77a6", "summary": "XSS Vulnerability in the `sanitize` helper\nThe `sanitize` helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.", "references": [ { "reference_url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51452?format=api", "purl": "pkg:gem/actionpack@3.2.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.13" } ], "aliases": [ "CVE-2013-1857" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmvt-9qth-77a6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37449?format=api", "vulnerability_id": "VCID-t9c8-r3yp-sbde", "summary": "Ruby on Rails Potential XSS Vulnerability in select_tag prompt\nWhen a value for the `prompt` field is supplied to the `select_tag` helper, the value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.", "references": [ { "reference_url": "https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/3463/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/3463/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51284?format=api", "purl": "pkg:gem/actionpack@3.2.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.8" } ], "aliases": [ "CVE-2012-3463" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t9c8-r3yp-sbde" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.0" }