Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/55844?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/55844?format=api", "purl": "pkg:composer/symfony/symfony@3.2.13", "type": "composer", "namespace": "symfony", "name": "symfony", "version": "3.2.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.14", "latest_non_vulnerable_version": "8.0.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39962?format=api", "vulnerability_id": "VCID-djnm-e9r4-c3f5", "summary": "`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652" }, { "reference_url": "https://github.com/symfony/symfony/pull/24995", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/symfony/symfony/pull/24995" }, { "reference_url": "https://symfony.com/cve-2017-16652", "reference_id": "CVE-2017-16652", "reference_type": "", "scores": [], "url": "https://symfony.com/cve-2017-16652" }, { "reference_url": "http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers", "reference_id": "CVE-2017-16652-OPEN-REDIRECT-VULNERABILITY-ON-SECURITY-HANDLERS", "reference_type": "", "scores": [], "url": "http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55849?format=api", "purl": "pkg:composer/symfony/symfony@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/55850?format=api", "purl": "pkg:composer/symfony/symfony@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55851?format=api", "purl": "pkg:composer/symfony/symfony@3.4.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/55852?format=api", "purl": "pkg:composer/symfony/symfony@4.0.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5" } ], "aliases": [ "CVE-2017-16652" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djnm-e9r4-c3f5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40159?format=api", "vulnerability_id": "VCID-dsbx-q641-4fc7", "summary": "Cross-Site Request Forgery (CSRF)\nThe current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653" }, { "reference_url": "https://github.com/symfony/symfony/pull/24992", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/symfony/symfony/pull/24992" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16653", "reference_id": "CVE-2017-16653", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16653" }, { "reference_url": "https://symfony.com/cve-2017-16653", "reference_id": "CVE-2017-16653", "reference_type": "", "scores": [], "url": "https://symfony.com/cve-2017-16653" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55849?format=api", "purl": "pkg:composer/symfony/symfony@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/55850?format=api", "purl": "pkg:composer/symfony/symfony@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55828?format=api", "purl": "pkg:composer/symfony/symfony@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1y96-v19f-tkgg" }, { "vulnerability": "VCID-23hr-yznx-c3fb" }, { "vulnerability": "VCID-6c6t-kmb3-2qcm" }, { "vulnerability": "VCID-7m45-bvbn-4qd3" }, { "vulnerability": "VCID-ef86-hqv4-6kaz" }, { "vulnerability": "VCID-frbz-vpfe-vbh9" }, { "vulnerability": "VCID-mew1-9shg-mugs" }, { "vulnerability": "VCID-nsuz-7sdv-abef" }, { "vulnerability": "VCID-qqd1-smb1-sbe8" }, { "vulnerability": "VCID-tx26-92jc-rkff" }, { "vulnerability": "VCID-uuk9-e5qy-rfgf" }, { "vulnerability": "VCID-vyug-krcw-jyef" }, { "vulnerability": "VCID-zeut-9wfp-q7et" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0" } ], "aliases": [ "CVE-2017-16653" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dsbx-q641-4fc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40158?format=api", "vulnerability_id": "VCID-xdtu-22ad-63aq", "summary": "Attacker can read all files content on the server\nWhen a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790" }, { "reference_url": "https://github.com/symfony/symfony/pull/24993", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/symfony/symfony/pull/24993" }, { "reference_url": "http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files", "reference_id": "CVE-2017-16790-ENSURE-THAT-SUBMITTED-DATA-ARE-UPLOADED-FILES", "reference_type": "", "scores": [], "url": "http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55849?format=api", "purl": "pkg:composer/symfony/symfony@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/55850?format=api", "purl": "pkg:composer/symfony/symfony@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55851?format=api", "purl": "pkg:composer/symfony/symfony@3.4.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/55852?format=api", "purl": "pkg:composer/symfony/symfony@4.0.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5" } ], "aliases": [ "CVE-2017-16790" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xdtu-22ad-63aq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40157?format=api", "vulnerability_id": "VCID-xj13-fspe-hfgv", "summary": "An attacker can navigate to arbitrary directories via the dot-dot-slash attack\nThis package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.", "references": [ { "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654", "reference_id": "", "reference_type": "", "scores": [], "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654" }, { "reference_url": "https://github.com/symfony/symfony/pull/24994", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/symfony/symfony/pull/24994" }, { "reference_url": "http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths", "reference_id": "CVE-2017-16654-INTL-BUNDLE-READERS-BREAKING-OUT-OF-PATHS", "reference_type": "", "scores": [], "url": "http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55849?format=api", "purl": "pkg:composer/symfony/symfony@3.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/55850?format=api", "purl": "pkg:composer/symfony/symfony@3.3.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/55851?format=api", "purl": "pkg:composer/symfony/symfony@3.4.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5" }, { "url": "http://public2.vulnerablecode.io/api/packages/55852?format=api", "purl": "pkg:composer/symfony/symfony@4.0.0-BETA5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5" } ], "aliases": [ "CVE-2017-16654" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xj13-fspe-hfgv" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40103?format=api", "vulnerability_id": "VCID-3qct-gbgt-kkbb", "summary": "Cross-site Scripting\nThe debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18343", "reference_id": "CVE-2017-18343", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18343" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56128?format=api", "purl": "pkg:composer/symfony/symfony@2.7.33", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/56129?format=api", "purl": "pkg:composer/symfony/symfony@2.8.26", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/55844?format=api", "purl": "pkg:composer/symfony/symfony@3.2.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-djnm-e9r4-c3f5" }, { "vulnerability": "VCID-dsbx-q641-4fc7" }, { "vulnerability": "VCID-xdtu-22ad-63aq" }, { "vulnerability": "VCID-xj13-fspe-hfgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/56130?format=api", "purl": "pkg:composer/symfony/symfony@3.3.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.6" } ], "aliases": [ "CVE-2017-18343" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3qct-gbgt-kkbb" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13" }