Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/66423?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/66423?format=api", "purl": "pkg:maven/com.tencyle.fixes/org.codehaus.jettison--jettison@1.1-tencyle-2.1.0", "type": "maven", "namespace": "com.tencyle.fixes", "name": "org.codehaus.jettison--jettison", "version": "1.1-tencyle-2.1.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45769?format=api", "vulnerability_id": "VCID-hwg1-r88g-5bbf", "summary": "Jettison parser crash by stackoverflow\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\n### References\n\n- https://nvd.nist.gov/vuln/detail/CVE-2022-40149\n- https://github.com/jettison-json/jettison/issues/45\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538\n- https://github.com/jettison-json/jettison/pull/49/files\n- https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1\n- https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html\n- https://www.debian.org/security/2023/dsa-5312", "references": [ { "reference_url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538" }, { "reference_url": "https://github.com/jettison-json/jettison/issues/45", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jettison-json/jettison/issues/45" }, { "reference_url": "https://github.com/jettison-json/jettison/pull/49", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jettison-json/jettison/pull/49" }, { "reference_url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" }, { "reference_url": "https://github.com/tencyle-fixes/jettison", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tencyle-fixes/jettison" }, { "reference_url": "https://github.com/tencyle-fixes/jettison#jettison-backports-repository-by-tencyle", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tencyle-fixes/jettison#jettison-backports-repository-by-tencyle" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5312", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2023/dsa-5312" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "reference_id": "CVE-2022-40149", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "reference_url": "https://github.com/advisories/GHSA-xqcq-j8w9-3pxv", "reference_id": "GHSA-xqcq-j8w9-3pxv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xqcq-j8w9-3pxv" }, { "reference_url": "https://github.com/tencyle-fixes/jettison/security/advisories/GHSA-xqcq-j8w9-3pxv", "reference_id": "GHSA-xqcq-j8w9-3pxv", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tencyle-fixes/jettison/security/advisories/GHSA-xqcq-j8w9-3pxv" } ], "fixed_packages": [], "aliases": [ "GHSA-xqcq-j8w9-3pxv", "GMS-2023-1853" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hwg1-r88g-5bbf" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.tencyle.fixes/org.codehaus.jettison--jettison@1.1-tencyle-2.1.0" }