Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/52362?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52362?format=api", "purl": "pkg:composer/zendframework/zendframework@2.5.2", "type": "composer", "namespace": "zendframework", "name": "zendframework", "version": "2.5.2", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39010?format=api", "vulnerability_id": "VCID-8fwb-56kb-jubf", "summary": "Potential Information Disclosure in Zend\\Crypt\\PublicKey\\Rsa\\PublicKey\nZend\\Crypt\\PublicKey\\Rsa\\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless they are not using the RSA public key functionality.", "references": [ { "reference_url": "http://framework.zend.com/security/advisory/ZF2015-10", "reference_id": "", "reference_type": "", "scores": [], "url": "http://framework.zend.com/security/advisory/ZF2015-10" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52416?format=api", "purl": "pkg:composer/zendframework/zendframework@2.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/52362?format=api", "purl": "pkg:composer/zendframework/zendframework@2.5.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2" } ], "aliases": [ "CVE-2015-7503" ], "risk_score": null, "exploitability": 
null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8fwb-56kb-jubf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37904?format=api", "vulnerability_id": "VCID-njsg-e1w1-9qcy", "summary": "XXE/XEE vulnerability via multibyte payloads\nThere's a flaw that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only applies when running under PHP-FPM in a threaded environment.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161" }, { "reference_url": "http://framework.zend.com/security/advisory/ZF2015-06", "reference_id": "", "reference_type": "", "scores": [], "url": "http://framework.zend.com/security/advisory/ZF2015-06" }, { "reference_url": "https://framework.zend.com/security/advisory/ZF2015-06", "reference_id": "", "reference_type": "", "scores": [], "url": "https://framework.zend.com/security/advisory/ZF2015-06" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52361?format=api", "purl": "pkg:composer/zendframework/zendframework@2.4.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/52362?format=api", "purl": "pkg:composer/zendframework/zendframework@2.5.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2" } ], "aliases": [ "CVE-2015-5161" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-njsg-e1w1-9qcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37956?format=api", "vulnerability_id": "VCID-vmut-b2y4-rkcp", "summary": "Potential Information Disclosure and Insufficient Entropy in Zend\\Captcha\\Word\nZend generates a \"word\" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_random_pseudo_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.", "references": [ { "reference_url": "http://framework.zend.com/security/advisory/ZF2015-09", "reference_id": "", "reference_type": "", "scores": [], "url": "http://framework.zend.com/security/advisory/ZF2015-09" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52416?format=api", "purl": "pkg:composer/zendframework/zendframework@2.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/52362?format=api", "purl": "pkg:composer/zendframework/zendframework@2.5.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2" } ], "aliases": [ "GMS-2015-48" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vmut-b2y4-rkcp" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zendframework@2.5.2" }