Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/52358?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52358?format=api", "purl": "pkg:gem/rubygems-update@2.4.8", "type": "gem", "namespace": "", "name": "rubygems-update", "version": "2.4.8", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.5.1", "latest_non_vulnerable_version": "3.0.3", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37905?format=api", "vulnerability_id": "VCID-t8p2-dj3e-r7gt", "summary": "Improper Input Validation\nRubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a \"DNS hijack attack.\" NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.", "references": [ { "reference_url": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2015/06/08/2.2.5-released.html" }, { "reference_url": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2015/06/08/2.4.8-released.html" }, { "reference_url": "https://github.com/rubygems/rubygems/commit/5c7bfb5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rubygems/rubygems/commit/5c7bfb5" }, { "reference_url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478" }, { "reference_url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "reference_url": "http://www.securityfocus.com/bid/75431", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/75431" }, { "reference_url": "https://puppet.com/security/cve/CVE-2015-3900", "reference_id": "CVE-2015-3900", "reference_type": "", "scores": [], "url": "https://puppet.com/security/cve/CVE-2015-3900" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4020", "reference_id": "CVE-2015-4020", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4020" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52358?format=api", "purl": "pkg:gem/rubygems-update@2.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.4.8" } ], "aliases": [ "CVE-2015-4020" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t8p2-dj3e-r7gt" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.4.8" }