Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/54036?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/54036?format=api", "purl": "pkg:gem/rubygems-update@2.6.13", "type": "gem", "namespace": "", "name": "rubygems-update", "version": "2.6.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.6.14", "latest_non_vulnerable_version": "3.0.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39019?format=api", "vulnerability_id": "VCID-c7rs-vbjr-nyfz", "summary": "Deserialization of Untrusted Data\nrubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.", "references": [ { "reference_url": "http://blog.rubygems.org/2017/10/09/2.6.14-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/10/09/2.6.14-released.html" }, { "reference_url": "http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html" }, { "reference_url": "http://www.securityfocus.com/bid/101275", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/101275" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0903", "reference_id": "CVE-2017-0903", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0903" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54431?format=api", "purl": "pkg:gem/rubygems-update@2.6.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.14" } ], "aliases": [ "CVE-2017-0903" ], "risk_score": null, "exploitability": 
null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7rs-vbjr-nyfz" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38790?format=api", "vulnerability_id": "VCID-68hc-d8u1-yye5", "summary": "Improper Input Validation\nRubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.", "references": [ { "reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html" }, { "reference_url": "http://www.securityfocus.com/bid/100579", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100579" }, { "reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0900", "reference_id": "CVE-2017-0900", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0900" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54036?format=api", "purl": "pkg:gem/rubygems-update@2.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7rs-vbjr-nyfz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13" } ], "aliases": [ "CVE-2017-0900" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-68hc-d8u1-yye5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38792?format=api", "vulnerability_id": "VCID-bb6n-nq7v-8qex", "summary": "Improper Input Validation\nRubyGems fails to validate specification names, allowing a 
maliciously crafted gem to potentially overwrite any file on the filesystem.", "references": [ { "reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html" }, { "reference_url": "https://www.exploit-db.com/exploits/42611/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/42611/" }, { "reference_url": "http://www.securityfocus.com/bid/100580", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100580" }, { "reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0901", "reference_id": "CVE-2017-0901", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0901" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54036?format=api", "purl": "pkg:gem/rubygems-update@2.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7rs-vbjr-nyfz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13" } ], "aliases": [ "CVE-2017-0901" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bb6n-nq7v-8qex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38789?format=api", "vulnerability_id": "VCID-br82-gd5d-pqew", "summary": "Origin Validation Error\nRubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.", "references": [ { "reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", 
"reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html" }, { "reference_url": "https://hackerone.com/reports/218088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://hackerone.com/reports/218088" }, { "reference_url": "http://www.securityfocus.com/bid/100586", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100586" }, { "reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902", "reference_id": "CVE-2017-0902", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54036?format=api", "purl": "pkg:gem/rubygems-update@2.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7rs-vbjr-nyfz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13" } ], "aliases": [ "CVE-2017-0902" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-br82-gd5d-pqew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38793?format=api", "vulnerability_id": "VCID-nd17-pxzx-nyba", "summary": "Code Injection\nRubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. 
Printing the gem specification would execute terminal escape sequences.", "references": [ { "reference_url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html" }, { "reference_url": "http://www.securityfocus.com/bid/100576", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100576" }, { "reference_url": "http://www.securitytracker.com/id/1039249", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039249" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0899", "reference_id": "CVE-2017-0899", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0899" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54036?format=api", "purl": "pkg:gem/rubygems-update@2.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7rs-vbjr-nyfz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13" } ], "aliases": [ "CVE-2017-0899" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nd17-pxzx-nyba" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rubygems-update@2.6.13" }