Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/52662?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52662?format=api", "purl": "pkg:npm/csrf-lite@0.1.1", "type": "npm", "namespace": "", "name": "csrf-lite", "version": "0.1.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.1.2", "latest_non_vulnerable_version": "0.1.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38098?format=api", "vulnerability_id": "VCID-5npf-xayn-6qfa", "summary": "Non-Constant Time String Comparison\ncsrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison. This enables an attacker being able to calculate minuscule differences in CSRF tokens, essentially enabling them to guess the token one character at a time Each check increases the variable `tempCheck` by one. If a malicious user is able to see what `tempCheck` is at each run (how long it takes to do a check), then they can see when it increases. This increase indicates that the character they just put in for `csrfTokenCompare` is the correct one.", "references": [ { "reference_url": "https://github.com/isaacs/csrf-lite/pull/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/isaacs/csrf-lite/pull/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52663?format=api", "purl": "pkg:npm/csrf-lite@0.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/csrf-lite@0.1.2" } ], "aliases": [ "GMS-2016-30" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5npf-xayn-6qfa" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/csrf-lite@0.1.1" }