Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/57174?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/57174?format=api", "purl": "pkg:maven/org.apache.nifi/nifi@1.8.0", "type": "maven", "namespace": "org.apache.nifi", "name": "nifi", "version": "1.8.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.15.1", "latest_non_vulnerable_version": "1.24.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45352?format=api", "vulnerability_id": "VCID-qkvt-fdp4-uyd6", "summary": "Deserialization of Untrusted Data\nThe JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.\n\nThe resolution validates the JNDI URL and restricts locations to a set of allowed schemes.\n\nYou are recommended to upgrade to version 1.22.0 or later which fixes this issue.", "references": [ { "reference_url": "https://github.com/apache/nifi", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/nifi" }, { "reference_url": "https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6" }, { "reference_url": "https://github.com/apache/nifi/pull/7313", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/nifi/pull/7313" }, { "reference_url": "https://issues.apache.org/jira/browse/NIFI-11614", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.apache.org/jira/browse/NIFI-11614" }, { "reference_url": "https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5" }, { "reference_url": "https://nifi.apache.org/security.html#CVE-2023-34212", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nifi.apache.org/security.html#CVE-2023-34212" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/06/12/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/06/12/2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34212", "reference_id": "CVE-2023-34212", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34212" }, { "reference_url": "https://github.com/advisories/GHSA-65wh-g8x8-gm2h", "reference_id": "GHSA-65wh-g8x8-gm2h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-65wh-g8x8-gm2h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65375?format=api", "purl": "pkg:maven/org.apache.nifi/nifi@1.22.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mm3u-4acx-e3hj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.22.0" } ], "aliases": [ "CVE-2023-34212", "GHSA-65wh-g8x8-gm2h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qkvt-fdp4-uyd6" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40532?format=api", "vulnerability_id": "VCID-uxfk-98ce-hfe8", "summary": "Cross-site Scripting\nThe error page reflects the value of the HTTP request header `X-ProxyContextPath` without sanitization, resulting in a XSS attack.", "references": [ { "reference_url": "https://nifi.apache.org/security.html#CVE-2018-17193", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nifi.apache.org/security.html#CVE-2018-17193" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-17193", "reference_id": "CVE-2018-17193", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17193" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57174?format=api", "purl": "pkg:maven/org.apache.nifi/nifi@1.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qkvt-fdp4-uyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0" } ], "aliases": [ "CVE-2018-17193" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxfk-98ce-hfe8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40534?format=api", "vulnerability_id": "VCID-y1sd-wp8g-afcn", "summary": "Cross-Site Request Forgery (CSRF)\nThe template upload API endpoint accepts requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack.", "references": [ { "reference_url": "https://nifi.apache.org/security.html#CVE-2018-17195", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nifi.apache.org/security.html#CVE-2018-17195" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17195", "reference_id": "CVE-2018-17195", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17195" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57174?format=api", "purl": "pkg:maven/org.apache.nifi/nifi@1.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qkvt-fdp4-uyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0" } ], "aliases": [ "CVE-2018-17195" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-y1sd-wp8g-afcn" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.nifi/nifi@1.8.0" }