Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/7701?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/7701?format=api", "purl": "pkg:pypi/pycrypto@2.6.1", "type": "pypi", "namespace": "", "name": "pycrypto", "version": "2.6.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35025?format=api", "vulnerability_id": "VCID-af5m-veyp-cugm", "summary": "Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.", "references": [ { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409754", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409754" }, { "reference_url": "https://github.com/advisories/GHSA-cq27-v7xp-c356", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cq27-v7xp-c356" }, { "reference_url": "https://github.com/dlitz/pycrypto", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto" }, { "reference_url": "https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4" }, { "reference_url": "https://github.com/dlitz/pycrypto/issues/176", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto/issues/176" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2017-94.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2017-94.yaml" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE/" }, { "reference_url": "https://pony7.fr/ctf:public:32c3:cryptmsg", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pony7.fr/ctf:public:32c3:cryptmsg" }, { "reference_url": "https://security.gentoo.org/glsa/201702-14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201702-14" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/12/27/8", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2016/12/27/8" }, { "reference_url": "http://www.securityfocus.com/bid/95122", "reference_id": 
"", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/95122" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7459", "reference_id": "CVE-2013-7459", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7459" } ], "fixed_packages": [], "aliases": [ "CVE-2013-7459", "GHSA-cq27-v7xp-c356", "PYSEC-2017-94" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-af5m-veyp-cugm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35169?format=api", "vulnerability_id": "VCID-stxq-tcuq-aud6", "summary": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-6528-wvf6-f6qg", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6528-wvf6-f6qg" }, { "reference_url": "https://github.com/dlitz/pycrypto", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto" }, { "reference_url": "https://github.com/dlitz/pycrypto/issues/253", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto/issues/253" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2018-97.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2018-97.yaml" }, { "reference_url": "https://github.com/TElgamal/attack-on-pycrypto-elgamal", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://github.com/TElgamal/attack-on-pycrypto-elgamal" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00018.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00018.html" }, { "reference_url": "https://security.gentoo.org/glsa/202007-62", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202007-62" }, { "reference_url": "https://usn.ubuntu.com/3616-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3616-1" }, { "reference_url": "https://usn.ubuntu.com/3616-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3616-1/" }, { "reference_url": "https://usn.ubuntu.com/3616-2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3616-2" }, { "reference_url": "https://usn.ubuntu.com/3616-2/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3616-2/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6594", "reference_id": "CVE-2018-6594", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6594" } ], "fixed_packages": [], "aliases": [ "CVE-2018-6594", "GHSA-6528-wvf6-f6qg", "PYSEC-2018-97" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-stxq-tcuq-aud6" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34823?format=api", "vulnerability_id": "VCID-2t7d-kvmj-57c8", "summary": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process 
is created and accesses the PRNG within the same rate-limit period as another process.", "references": [ { "reference_url": "https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175" }, { "reference_url": "http://www.debian.org/security/2013/dsa-2781", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2013/dsa-2781" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2013/10/17/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2013/10/17/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/7701?format=api", "purl": "pkg:pypi/pycrypto@2.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-af5m-veyp-cugm" }, { "vulnerability": "VCID-stxq-tcuq-aud6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycrypto@2.6.1" } ], "aliases": [ "CVE-2013-1445", "PYSEC-2013-29" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2t7d-kvmj-57c8" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pycrypto@2.6.1" }