Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/899?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "type": "mozilla", "namespace": "", "name": "Firefox ESR", "version": "45.3.0", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "45.4.0", "latest_non_vulnerable_version": "140.11.0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1930?format=api", "vulnerability_id": "VCID-7yr6-9vzv-g3h3", "summary": "An anonymous security researcher working with Trend Micro's Zero Day Initiative\nreported a buffer overflow in the ClearKey Content Decryption Module (CDM) used by the\nEncrypted Media Extensions (EME) API. This vulnerability can be triggered using a\nmalformed video file due to incorrect error handling. This could allow arbitrary code\nexecution if combined with a second vulnerability that allows an escape from the Gecko\nMedia Plugin (GMP) sandbox. Without such a vulnerability, the buffer overflow is contained\nwithin the GMP sandbox and cannot be exploited.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2837", "reference_id": "CVE-2016-2837", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2837" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-77", "reference_id": "mfsa2016-77", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-77" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-2837" ], "risk_score": 
null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7yr6-9vzv-g3h3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1932?format=api", "vulnerability_id": "VCID-dhm8-3yaq-hfd7", "summary": "Security researcher Abdulrahman Alqabandi reported that when a local\nHTML file resides in the same directory as a malicious local shortcut file, the shortcut\ncan be called by the local page to allow the page to read the contents of local files or\ndirectories or to load an arbitrary website in violation of same-origin policy, allowing\nfor data theft. In order for this vulnerability to be triggered, both the malicious HTML\nfile as well as the shortcut must be saved to the same local directory and then loaded\nfrom there by a user.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5265", "reference_id": "CVE-2016-5265", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5265" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-80", "reference_id": "mfsa2016-80", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-80" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5265" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dhm8-3yaq-hfd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1938?format=api", "vulnerability_id": "VCID-eefa-gdnq-8kb7", "summary": 
"Mozilla developers and community members reported several memory safety bugs in the\nbrowser engine used in Firefox and other Mozilla-based products. Some of these bugs showed\nevidence of memory corruption under certain circumstances, and we presume that with enough\neffort at least some of these could be exploited to run arbitrary code.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2836", "reference_id": "CVE-2016-2836", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2836" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-62", "reference_id": "mfsa2016-62", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-62" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-2836" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eefa-gdnq-8kb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1958?format=api", "vulnerability_id": "VCID-ewwn-e3cz-2fdh", "summary": "Security researcher Nikita Arykov reported that JavaScript event\nhandler attributes on a <marquee> tag will execute inside a sandboxed\niframe that does not have the allow-scripts flag set. 
This could result in a cross-site\nscripting (XSS) vulnerability in a site that depends on the iframe sandbox for\nsanitization and does no other content filtering.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5262", "reference_id": "CVE-2016-5262", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5262" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-76", "reference_id": "mfsa2016-76", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-76" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5262" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ewwn-e3cz-2fdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1931?format=api", "vulnerability_id": "VCID-gq8z-hdmh-vqba", "summary": "Security researcher Abhishek Arya (Inferno) of the Google\nChrome Security Team reported a use-after-free vulnerability when the alt key\nis used in conjunction with toplevel menu items in Firefox. This results in a potentially\nexploitable crash when triggered. 
This vulnerability is mitigated by not being triggerable\nby web content, only direct user interaction with the keyboard.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5254", "reference_id": "CVE-2016-5254", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5254" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-70", "reference_id": "mfsa2016-70", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-70" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5254" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gq8z-hdmh-vqba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1900?format=api", "vulnerability_id": "VCID-pksn-mgxr-hyfe", "summary": "Using the Address Sanitizer tool, security researcher Atte Kettunen\nfound a buffer overflow during the rendering of SVG format graphics with directional\ncontent. 
This is caused by a flaw in directional-isolate processing and results in a\npotentially exploitable crash.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2838", "reference_id": "CVE-2016-2838", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2838" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-64", "reference_id": "mfsa2016-64", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-2838" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pksn-mgxr-hyfe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1875?format=api", "vulnerability_id": "VCID-rf28-tvhm-akgj", "summary": "Security researcher Looben Yang reported a use-after-free\nvulnerability in WebRTC. This occurs during WebRTC session shutdown when DTLS objects in\nmemory are freed while still actively in use. 
This results in a potentially exploitable\ncrash.", "references": [ { "reference_url": "https://security.archlinux.org/AVG-935", "reference_id": "AVG-935", "reference_type": "", "scores": [ { "value": "Critical", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-935" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5258", "reference_id": "CVE-2016-5258", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5258" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-72", "reference_id": "mfsa2016-72", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-72" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5258" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rf28-tvhm-akgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1926?format=api", "vulnerability_id": "VCID-rgr8-wktt-zqac", "summary": "Georg Koppen of the Tor Project used the Address Sanitizer tool to\ndiscover a stack buffer underflow when calculating clipping regions in 2D graphics. 
This\nresults in a potentially exploitable crash.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5252", "reference_id": "CVE-2016-5252", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5252" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-67", "reference_id": "mfsa2016-67", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5252" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgr8-wktt-zqac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1876?format=api", "vulnerability_id": "VCID-rxw6-exsx-jqcr", "summary": "Security researcher Looben Yang discovered a use-after-free\nvulnerability when working with nested sync event loops in Service Workers. He discovered\na mechanism where scripts can close their own worker, which will then trigger a\nsynchronization XMLHttpRequest on this now closed and released worker. 
This results in a\npotentially exploitable crash when triggered.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5259", "reference_id": "CVE-2016-5259", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5259" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-73", "reference_id": "mfsa2016-73", "reference_type": "", "scores": [ { "value": "critical", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-73" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5259" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rxw6-exsx-jqcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1901?format=api", "vulnerability_id": "VCID-sw5f-jx18-3fg7", "summary": "Security researcher Nils used the Address Sanitizer tool to discover a\nuse-after-free vulnerability when applying effects to SVG elements. 
This results in a\npotentially exploitable crash.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5264", "reference_id": "CVE-2016-5264", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5264" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-79", "reference_id": "mfsa2016-79", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-79" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5264" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sw5f-jx18-3fg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1893?format=api", "vulnerability_id": "VCID-wcam-fcv5-j7h4", "summary": "Security researcher Toni Huttunen reported that once the favicon is\nrequested from a site, the remote server can keep the favicon network connection open even\nwhen the page is later closed. 
This allows a malicious site to continue to use this\nchannel to send requests to the browser, leading to potential information disclosure, such as tracking the user across multiple IP addresses as the user changes networks.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2830", "reference_id": "CVE-2016-2830", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2830" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-63", "reference_id": "mfsa2016-63", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-63" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-2830" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wcam-fcv5-j7h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1927?format=api", "vulnerability_id": "VCID-wex6-qb1v-c3ay", "summary": "Using the Address Sanitizer tool, security researcher Nils reported a\ntype confusion flaw in display transformation during rendering due to incorrect bounds\nchecking. 
This leads to a potentially exploitable crash and can be triggered by web\ncontent.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5263", "reference_id": "CVE-2016-5263", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5263" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-78", "reference_id": "mfsa2016-78", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-5263" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wex6-qb1v-c3ay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1877?format=api", "vulnerability_id": "VCID-y45n-gp2d-vqh5", "summary": "Security researcher Bert Massop reported a crash in the Cairo graphics\nlayer on Linux systems using the LibAV library included in version 0.10 of the FFmpeg\nlibrary. 
This was due to an error when allocating the LibAV header when decoding some\nvideos.\nThis only affects systems running the Linux operating system that also\nhave FFMpeg version 0.10 installed and does not affect OS X or Windows systems.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2839", "reference_id": "CVE-2016-2839", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2839" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-65", "reference_id": "mfsa2016-65", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/899?format=api", "purl": "pkg:mozilla/Firefox%20ESR@45.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" } ], "aliases": [ "CVE-2016-2839" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y45n-gp2d-vqh5" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.3.0" }