Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/65184?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/65184?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85", "type": "maven", "namespace": "org.apache.tomcat.embed", "name": "tomcat-embed-core", "version": "8.5.85", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.5.86", "latest_non_vulnerable_version": "11.0.0-M12", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46179?format=api", "vulnerability_id": "VCID-kbpn-7esm-77ew", "summary": "Incomplete Cleanup vulnerability in Apache Tomcat.\n\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "references": [ { "reference_url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/10/10/8", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794", "reference_id": "CVE-2023-42794", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794" }, { "reference_url": "https://github.com/advisories/GHSA-jm7m-8jh6-29hp", "reference_id": "GHSA-jm7m-8jh6-29hp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jm7m-8jh6-29hp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67251?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.94" }, { "url": "http://public2.vulnerablecode.io/api/packages/67252?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.81" } ], "aliases": [ "CVE-2023-42794", "GHSA-jm7m-8jh6-29hp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kbpn-7esm-77ew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45242?format=api", "vulnerability_id": "VCID-ryby-gbcx-33ec", "summary": "Off-by-one Error\nThe fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.", "references": [ { "reference_url": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/05/22/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28709", "reference_id": "CVE-2023-28709", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28709" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64009?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.88", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5g79-2c83-v7dq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.88" }, { "url": "http://public2.vulnerablecode.io/api/packages/65188?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.74", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5g79-2c83-v7dq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.74" }, { "url": "http://public2.vulnerablecode.io/api/packages/65189?format=api", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5g79-2c83-v7dq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.8" } ], "aliases": [ "CVE-2023-28709" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ryby-gbcx-33ec" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.85" }