Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/57778?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/57778?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.38", "type": "maven", "namespace": "org.apache.tomcat", "name": "tomcat", "version": "8.5.38", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.5.41", "latest_non_vulnerable_version": "11.0.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43311?format=api", "vulnerability_id": "VCID-9awt-9zjq-yucn", "summary": "Uncontrolled Resource Consumption\nThe documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.", "references": [ { "reference_url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29885", "reference_id": "CVE-2022-29885", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29885" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62021?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.79", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.79" }, { "url": "http://public2.vulnerablecode.io/api/packages/62022?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.63", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.63" }, { "url": "http://public2.vulnerablecode.io/api/packages/62023?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@10.0.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.0.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/62024?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@10.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.1" } ], "aliases": [ "CVE-2022-29885" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9awt-9zjq-yucn" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40903?format=api", "vulnerability_id": "VCID-1kgu-zupu-tydw", "summary": "Uncontrolled Resource Consumption\nThe HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of `SETTINGS` frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199", "reference_id": "CVE-2019-0199", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57778?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9awt-9zjq-yucn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/57779?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.16" } ], "aliases": [ "CVE-2019-0199" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1kgu-zupu-tydw" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.38" }