Look up vulnerable packages by Package URL.

GET /api/packages/56268?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/56268?format=api",
    "purl": "pkg:composer/symfony/symfony@4.1.0",
    "type": "composer",
    "namespace": "symfony",
    "name": "symfony",
    "version": "4.1.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "4.1.3",
    "latest_non_vulnerable_version": "8.0.5",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40155?format=api",
            "vulnerability_id": "VCID-1y96-v19f-tkgg",
            "summary": "Improper Input Validation\nAn issue was discovered in `HttpKernel` in Symfony. When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.",
            "references": [
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14774",
                    "reference_id": "CVE-2018-14774",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14774"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/56272?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.1.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3"
                }
            ],
            "aliases": [
                "CVE-2018-14774"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1y96-v19f-tkgg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40525?format=api",
            "vulnerability_id": "VCID-frbz-vpfe-vbh9",
            "summary": "Unrestricted Upload of File with Dangerous Type\nWhen using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called, which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue, in certain circumstances this could escalate to Remote Code Execution.",
            "references": [
                {
                    "reference_url": "https://symfony.com/cve-2018-19789",
                    "reference_id": "CVE-2018-19789",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://symfony.com/cve-2018-19789"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/57138?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.1.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/57139?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.2.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1"
                }
            ],
            "aliases": [
                "CVE-2018-19789"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-frbz-vpfe-vbh9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41766?format=api",
            "vulnerability_id": "VCID-m9e2-rg83-d7eb",
            "summary": "Improper Neutralization of Formula Elements in a CSV File\n`Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value.",
            "references": [
                {
                    "reference_url": "https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8"
                },
                {
                    "reference_url": "https://github.com/symfony/symfony/pull/44243",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/symfony/symfony/pull/44243"
                },
                {
                    "reference_url": "https://github.com/symfony/symfony/releases/tag/v5.3.12",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
                },
                {
                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/"
                },
                {
                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41270",
                    "reference_id": "CVE-2021-41270",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41270"
                },
                {
                    "reference_url": "https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x",
                    "reference_id": "GHSA-2xhg-w2g5-w95x",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/59646?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.4.35",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.35"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/59642?format=api",
                    "purl": "pkg:composer/symfony/symfony@5.3.12",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.12"
                }
            ],
            "aliases": [
                "CVE-2021-41270",
                "GHSA-2xhg-w2g5-w95x"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m9e2-rg83-d7eb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40526?format=api",
            "vulnerability_id": "VCID-mew1-9shg-mugs",
            "summary": "URL Redirection to Untrusted Site (Open Redirect)\nBy using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.",
            "references": [
                {
                    "reference_url": "https://symfony.com/cve-2018-19790",
                    "reference_id": "CVE-2018-19790",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://symfony.com/cve-2018-19790"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/57138?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.1.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/57139?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.2.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1"
                }
            ],
            "aliases": [
                "CVE-2018-19790"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mew1-9shg-mugs"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40154?format=api",
            "vulnerability_id": "VCID-qqd1-smb1-sbe8",
            "summary": "URL Rewrite vulnerability\nAn issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.",
            "references": [
                {
                    "reference_url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers",
                    "reference_id": "CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/56272?format=api",
                    "purl": "pkg:composer/symfony/symfony@4.1.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3"
                }
            ],
            "aliases": [
                "CVE-2018-14773"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.0"
}