Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/66394?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66394?format=api", "purl": "pkg:conan/openssl@1.1.1t", "type": "conan", "namespace": "", "name": "openssl", "version": "1.1.1t", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.1.1w", "latest_non_vulnerable_version": "3.2.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45761?format=api", "vulnerability_id": "VCID-w1qj-n768-hbar", "summary": "Excessive Iteration\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", "references": [ { "reference_url": "http://seclists.org/fulldisclosure/2023/Jul/43", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2023/Jul/43" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" }, { "reference_url": "https://www.openssl.org/news/secadv/20230731.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openssl.org/news/secadv/20230731.txt" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/07/31/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/07/31/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", "reference_id": "CVE-2023-3817", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63866?format=api", "purl": "pkg:conan/openssl@1.1.1w", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1w" }, { "url": "http://public2.vulnerablecode.io/api/packages/63867?format=api", "purl": "pkg:conan/openssl@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nx5k-32hq-yuh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/64354?format=api", "purl": "pkg:conan/openssl@3.1.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.1.3" } ], "aliases": [ "CVE-2023-3817" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w1qj-n768-hbar" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1t" }