Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/51518?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/51518?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.15.1", "type": "maven", "namespace": "org.apache.struts", "name": "struts2-core", "version": "2.3.15.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.3.31", "latest_non_vulnerable_version": "7.1.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37580?format=api", "vulnerability_id": "VCID-z6wr-3psx-dbfm", "summary": "This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.", "references": [ { "reference_url": "http://struts.apache.org/docs/s2-019.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://struts.apache.org/docs/s2-019.html" }, { "reference_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51619?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kmqa-hsqy-muf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.2" } ], "aliases": [ "CVE-2013-4316" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z6wr-3psx-dbfm" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37556?format=api", "vulnerability_id": "VCID-1exe-1vfk-f7bn", "summary": "Allows open redirects\nMultiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix.", "references": [ { "reference_url": "http://struts.apache.org/docs/s2-017.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://struts.apache.org/docs/s2-017.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51518?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z6wr-3psx-dbfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1" } ], "aliases": [ "CVE-2013-2248" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1exe-1vfk-f7bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43784?format=api", "vulnerability_id": "VCID-xpa5-fsb6-ukay", "summary": "Code injection in Apache Struts\nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.\n\nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.", "references": [ { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90392", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90392" }, { "reference_url": "https://github.com/apache/struts", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/struts" }, { "reference_url": "https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6" }, { "reference_url": "https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e" }, { "reference_url": "https://issues.apache.org/jira/browse/WW-4140", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.apache.org/jira/browse/WW-4140" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2251", "reference_id": "CVE-2013-2251", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2251" }, { "reference_url": "https://github.com/advisories/GHSA-47qp-8v9g-39hp", "reference_id": "GHSA-47qp-8v9g-39hp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-47qp-8v9g-39hp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51518?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-z6wr-3psx-dbfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1" } ], "aliases": [ "CVE-2013-2251", "GHSA-47qp-8v9g-39hp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1" }