Look up vulnerable packages by Package URL (purl).

Purl pkg:maven/org.apache.struts/struts2-core@2.3.20
Type maven
Namespace org.apache.struts
Name struts2-core
Version 2.3.20
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.3.31
Latest_non_vulnerable_version 7.1.1
Affected_by_vulnerabilities
0
url VCID-4t8h-s9mh-p7c4
vulnerability_id VCID-4t8h-s9mh-p7c4
summary
Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker
The default exclude patterns (excludeParams) in this package allow remote attackers to "compromise internal state of an application" via unspecified vectors.
references
0
reference_url https://struts.apache.org/docs/s2-024.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-024.html
1
reference_url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831
reference_id
reference_type
scores
url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20.1
purl pkg:maven/org.apache.struts/struts2-core@2.3.20.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qdsq-8td3-5qa1
1
vulnerability VCID-z1jy-4da2-tyhk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.1
aliases CVE-2015-1831
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4t8h-s9mh-p7c4
1
url VCID-qdsq-8td3-5qa1
vulnerability_id VCID-qdsq-8td3-5qa1
summary
Improper Input Validation
The `URLValidator` class in Apache Struts 2 allows remote attackers to cause a denial of service via a `null` value for a URL field.
references
0
reference_url http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114
reference_id
reference_type
scores
url http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114
1
reference_url http://jvn.jp/en/jp/JVN12352818/index.html
reference_id
reference_type
scores
url http://jvn.jp/en/jp/JVN12352818/index.html
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1348253
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1348253
3
reference_url https://struts.apache.org/docs/s2-041.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-041.html
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-4465
reference_id CVE-2016-4465
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-4465
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.29
purl pkg:maven/org.apache.struts/struts2-core@2.3.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29
1
url pkg:maven/org.apache.struts/struts2-core@2.5.1
purl pkg:maven/org.apache.struts/struts2-core@2.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.1
aliases CVE-2016-4465
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdsq-8td3-5qa1
2
url VCID-z1jy-4da2-tyhk
vulnerability_id VCID-z1jy-4da2-tyhk
summary
Improper Input Validation
`XSLTResult` in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location parameter.
references
0
reference_url http://struts.apache.org/docs/s2-031.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-031.html
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-3082
reference_id CVE-2016-3082
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-3082
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.20.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mmth-7rgf-aqfa
1
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3
1
url pkg:maven/org.apache.struts/struts2-core@2.3.24.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.24.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3
2
url pkg:maven/org.apache.struts/struts2-core@2.3.28.1
purl pkg:maven/org.apache.struts/struts2-core@2.3.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28.1
aliases CVE-2016-3082
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jy-4da2-tyhk
Fixing_vulnerabilities
0
url VCID-4ywn-n1my-83ev
vulnerability_id VCID-4ywn-n1my-83ev
summary
Improper Input Validation
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
references
0
reference_url https://security.netapp.com/advisory/ntap-20180629-0005/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20180629-0005/
1
reference_url https://struts.apache.org/docs/s2-027.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-027.html
2
reference_url https://web.archive.org/web/20210123095942/http://www.securityfocus.com/bid/85131
reference_id
reference_type
scores
url https://web.archive.org/web/20210123095942/http://www.securityfocus.com/bid/85131
3
reference_url https://web.archive.org/web/20211206100940/https://www.securitytracker.com/id/1035267
reference_id
reference_type
scores
url https://web.archive.org/web/20211206100940/https://www.securitytracker.com/id/1035267
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-3090
reference_id CVE-2016-3090
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-3090
5
reference_url https://github.com/advisories/GHSA-ggmp-fxfg-277r
reference_id GHSA-ggmp-fxfg-277r
reference_type
scores
url https://github.com/advisories/GHSA-ggmp-fxfg-277r
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20
purl pkg:maven/org.apache.struts/struts2-core@2.3.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t8h-s9mh-p7c4
1
vulnerability VCID-qdsq-8td3-5qa1
2
vulnerability VCID-z1jy-4da2-tyhk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20
aliases CVE-2016-3090, GHSA-ggmp-fxfg-277r
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ywn-n1my-83ev
1
url VCID-m39c-3bv2-6ugy
vulnerability_id VCID-m39c-3bv2-6ugy
summary
Cross-Site Scripting vulnerability on "Problem Report" screen
When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the `Problem Report` screen. Also, if JSP files are exposed so that they can be accessed directly, it is possible to execute an arbitrary script.
references
0
reference_url https://struts.apache.org/docs/s2-025.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-025.html
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20
purl pkg:maven/org.apache.struts/struts2-core@2.3.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t8h-s9mh-p7c4
1
vulnerability VCID-qdsq-8td3-5qa1
2
vulnerability VCID-z1jy-4da2-tyhk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20
aliases CVE-2015-5169
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m39c-3bv2-6ugy
2
url VCID-wtca-5ffw-w7bc
vulnerability_id VCID-wtca-5ffw-w7bc
summary
Predictable CSRF token
This package uses predictable `<s:token/>` values, which allows remote attackers to bypass the CSRF protection mechanism.
references
0
reference_url http://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html
reference_id
reference_type
scores
url http://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html
1
reference_url http://struts.apache.org/docs/s2-023.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-023.html
2
reference_url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7809
reference_id
reference_type
scores
url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7809
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20
purl pkg:maven/org.apache.struts/struts2-core@2.3.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t8h-s9mh-p7c4
1
vulnerability VCID-qdsq-8td3-5qa1
2
vulnerability VCID-z1jy-4da2-tyhk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20
aliases CVE-2014-7809
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wtca-5ffw-w7bc
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20