Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/67034?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/67034?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.424", "type": "maven", "namespace": "org.jenkins-ci.main", "name": "jenkins-core", "version": "2.424", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.426.3", "latest_non_vulnerable_version": "2.551", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46064?format=api", "vulnerability_id": "VCID-68yq-k4tu-dybx", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nJenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.", "references": [ { "reference_url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3245", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3245" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/09/20/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/09/20/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43495", "reference_id": "CVE-2023-43495", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43495" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67034?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.424", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.424" } ], "aliases": [ "CVE-2023-43495" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-68yq-k4tu-dybx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46058?format=api", "vulnerability_id": "VCID-at1z-y2sc-e3ez", "summary": "Jenkins temporary plugin file created with insecure permissions\nJenkins creates a temporary file when a plugin is deployed directly from a URL.\n\nJenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files.\n\nIf these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.\n\nThis vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.\n\nThis issue complements SECURITY-2823, which affected plugins uploaded from an administrator’s computer.\nJenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions.\n\nAs a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.", "references": [ { "reference_url": "https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca" }, { "reference_url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43496", "reference_id": "CVE-2023-43496", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43496" }, { "reference_url": "https://github.com/advisories/GHSA-55wp-3pq4-w8p9", "reference_id": "GHSA-55wp-3pq4-w8p9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-55wp-3pq4-w8p9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67033?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.414.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-68yq-k4tu-dybx" }, { "vulnerability": "VCID-y4a2-mamb-yqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.414.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/67034?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.424", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.424" } ], "aliases": [ "CVE-2023-43496", "GHSA-55wp-3pq4-w8p9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-at1z-y2sc-e3ez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46061?format=api", "vulnerability_id": "VCID-qfnd-7ps4-83hz", "summary": "Jenkins does not exclude sensitive build variables from search\nJenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.", "references": [ { "reference_url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/09/20/5", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2023/09/20/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43494", "reference_id": "CVE-2023-43494", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43494" }, { "reference_url": "https://github.com/advisories/GHSA-279f-qwgh-h5mp", "reference_id": "GHSA-279f-qwgh-h5mp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-279f-qwgh-h5mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67034?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.424", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.424" } ], "aliases": [ "CVE-2023-43494", "GHSA-279f-qwgh-h5mp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qfnd-7ps4-83hz" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.424" }