Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/52184?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52184?format=api", "purl": "pkg:composer/namshi/jose@2.1.0", "type": "composer", "namespace": "namshi", "name": "jose", "version": "2.1.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.2.0", "latest_non_vulnerable_version": "2.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37813?format=api", "vulnerability_id": "VCID-48zd-34ep-cua1", "summary": "Improper Authentication\nAttackers able to impersonate users.", "references": [ { "reference_url": "https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52188?format=api", "purl": "pkg:composer/namshi/jose@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gh79-gw1t-j7ar" }, { "vulnerability": "VCID-u53s-286x-1uax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.2" } ], "aliases": [ "GMS-2015-70" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-48zd-34ep-cua1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54931?format=api", "vulnerability_id": "VCID-862b-xqfw-bya5", "summary": "namshi/jose insecure JSON Web Signatures (JWS)\nnamshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml" }, { "reference_url": "https://github.com/namshi/jose", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/namshi/jose" }, { "reference_url": "https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e" }, { "reference_url": "https://github.com/advisories/GHSA-hxhc-wmg8-xrqf", "reference_id": "GHSA-hxhc-wmg8-xrqf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hxhc-wmg8-xrqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52188?format=api", "purl": "pkg:composer/namshi/jose@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gh79-gw1t-j7ar" }, { "vulnerability": "VCID-u53s-286x-1uax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.2" } ], "aliases": [ "GHSA-hxhc-wmg8-xrqf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-862b-xqfw-bya5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37822?format=api", "vulnerability_id": "VCID-gh79-gw1t-j7ar", "summary": 
"Improper Authentication\nCritical vulnerabilities in JSON Web Token libraries.", "references": [ { "reference_url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52208?format=api", "purl": "pkg:composer/namshi/jose@2.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.2.0" } ], "aliases": [ "GMS-2015-71" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gh79-gw1t-j7ar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37833?format=api", "vulnerability_id": "VCID-u53s-286x-1uax", "summary": "JWT Verification bypass with \"none\" algorithm\nIt is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the \"none\" algorithm.", "references": [ { "reference_url": "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/" }, { "reference_url": "https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52229?format=api", "purl": "pkg:composer/namshi/jose@2.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gh79-gw1t-j7ar" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.3" } ], "aliases": [ "GMS-2015-5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u53s-286x-1uax" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.0" }