Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/64857?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/64857?format=api", "purl": "pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.0", "type": "maven", "namespace": "org.apache.dolphinscheduler", "name": "dolphinscheduler", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.0.2", "latest_non_vulnerable_version": "3.2.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44987?format=api", "vulnerability_id": "VCID-1ra7-3xzm-jbgt", "summary": "On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.", "references": [ { "reference_url": "https://github.com/apache/dolphinscheduler", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/dolphinscheduler" }, { "reference_url": "https://github.com/apache/dolphinscheduler/pull/12893", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/dolphinscheduler/pull/12893" }, { "reference_url": "https://github.com/apache/dolphinscheduler/releases/tag/3.1.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/dolphinscheduler/releases/tag/3.1.2" }, { "reference_url": "https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/25g77jqczp3t8cz56hk1p65q7m6c64rf" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/04/20/10", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/04/20/10" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25601", "reference_id": "CVE-2023-25601", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25601" }, { "reference_url": "https://github.com/advisories/GHSA-3jxw-cv35-2mmv", "reference_id": "GHSA-3jxw-cv35-2mmv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3jxw-cv35-2mmv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64858?format=api", "purl": "pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.1.2" } ], "aliases": [ "CVE-2023-25601", "GHSA-3jxw-cv35-2mmv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1ra7-3xzm-jbgt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36624?format=api", "vulnerability_id": "VCID-bzfg-r7ht-f3bb", "summary": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.\n\nThe information exposed to unauthorized actors may include sensitive data such as database credentials.\n\nUsers who can't upgrade to the fixed version can also set environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to workaround this, or add the following section in the `application.yaml` file\n\n```\nmanagement:\n endpoints:\n web:\n exposure:\n include: health,metrics,prometheus\n```\n\nThis issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2.\n\nUsers are recommended to upgrade to version 3.0.2, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/dolphinscheduler", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/dolphinscheduler" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2023-268.yaml" }, { "reference_url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/24/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/24/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48796", "reference_id": "CVE-2023-48796", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48796" }, { "reference_url": "https://github.com/advisories/GHSA-4vvc-r4p4-qgrr", "reference_id": "GHSA-4vvc-r4p4-qgrr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4vvc-r4p4-qgrr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67859?format=api", "purl": "pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.2" } ], "aliases": [ "CVE-2023-48796", "GHSA-4vvc-r4p4-qgrr", "PYSEC-2023-268" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bzfg-r7ht-f3bb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47066?format=api", "vulnerability_id": "VCID-t29h-zzxt-hbbk", "summary": "Improper Control of Generation of Code ('Code Injection')\nExposure of Remote Code Execution in Apache Dolphinscheduler.\n\nThis issue affects Apache DolphinScheduler: before 3.2.1. \n\nWe recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.", "references": [ { "reference_url": "https://github.com/apache/dolphinscheduler/pull/14991", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/dolphinscheduler/pull/14991" }, { "reference_url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/5b6yq2gov0fsy9x5dkvo8ws4rr45vkn8" }, { "reference_url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/6kgsl93vtqlbdk6otttl0d8wmlspk0m5" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/20/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/20/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49109", "reference_id": "CVE-2023-49109", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49109" }, { "reference_url": "https://github.com/advisories/GHSA-qwxx-xww6-8q8m", "reference_id": "GHSA-qwxx-xww6-8q8m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qwxx-xww6-8q8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67898?format=api", "purl": "pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.2.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.2.1" } ], "aliases": [ "CVE-2023-49109", "GHSA-qwxx-xww6-8q8m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t29h-zzxt-hbbk" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dolphinscheduler/dolphinscheduler@3.0.0" }