Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/936878?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/936878?format=api", "purl": "pkg:deb/debian/python-urllib3@2.2.3-3?distro=trixie", "type": "deb", "namespace": "debian", "name": "python-urllib3", "version": "2.2.3-3", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.3.0-3", "latest_non_vulnerable_version": "2.6.3-2", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18564?format=api", "vulnerability_id": "VCID-5tkp-pxz9-h7c2", "summary": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects\nWhen using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\n* Not disabling HTTP redirects.\n* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.\n\n## Remediation\n\n* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Proxy-Authorization` header.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.4902", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48973", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48966", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48978", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48992", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48975", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00256", "scoring_system": "epss", "scoring_elements": "0.48924", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49702", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49674", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37891" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37891", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37891" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/urllib3/urllib3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/urllib3/urllib3" }, { "reference_url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468" }, { "reference_url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T13:49:45Z/" } ], "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" }, { "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T13:49:45Z/" } ], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240822-0003", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240822-0003" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149", "reference_id": "1074149", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788", "reference_id": "2292788", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788" }, { "reference_url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf", "reference_id": "GHSA-34jh-p97f-mpxf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4422", "reference_id": "RHSA-2024:4422", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4422" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4730", "reference_id": "RHSA-2024:4730", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4730" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4744", "reference_id": "RHSA-2024:4744", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4744" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4746", "reference_id": "RHSA-2024:4746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5041", "reference_id": "RHSA-2024:5041", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5041" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5309", "reference_id": "RHSA-2024:5309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5526", "reference_id": "RHSA-2024:5526", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5526" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5622", "reference_id": "RHSA-2024:5622", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5622" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5627", "reference_id": "RHSA-2024:5627", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5627" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5633", "reference_id": "RHSA-2024:5633", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5633" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6162", "reference_id": "RHSA-2024:6162", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6162" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6239", "reference_id": "RHSA-2024:6239", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6239" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6240", "reference_id": "RHSA-2024:6240", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6240" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6309", "reference_id": "RHSA-2024:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6310", "reference_id": "RHSA-2024:6310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6311", "reference_id": "RHSA-2024:6311", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6311" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6358", "reference_id": "RHSA-2024:6358", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6358" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7312", "reference_id": "RHSA-2024:7312", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7312" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8035", "reference_id": "RHSA-2024:8035", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8035" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8842", "reference_id": "RHSA-2024:8842", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8842" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8843", "reference_id": "RHSA-2024:8843", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8843" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8906", "reference_id": "RHSA-2024:8906", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8906" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9457", "reference_id": "RHSA-2024:9457", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9457" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9458", "reference_id": "RHSA-2024:9458", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9458" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9922", "reference_id": "RHSA-2024:9922", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9922" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9923", "reference_id": "RHSA-2024:9923", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9923" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9985", "reference_id": "RHSA-2024:9985", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9985" }, { "reference_url": "https://usn.ubuntu.com/7084-1/", "reference_id": "USN-7084-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7084-1/" }, { "reference_url": "https://usn.ubuntu.com/7084-2/", "reference_id": "USN-7084-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7084-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/936866?format=api", "purl": "pkg:deb/debian/python-urllib3@1.26.5-1~exp1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-zevs-1ge5-y7g7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@1.26.5-1~exp1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/936875?format=api", "purl": "pkg:deb/debian/python-urllib3@1.26.5-1~exp1%2Bdeb11u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@1.26.5-1~exp1%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/936864?format=api", "purl": "pkg:deb/debian/python-urllib3@1.26.12-1%2Bdeb12u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-zevs-1ge5-y7g7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@1.26.12-1%252Bdeb12u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/936878?format=api", "purl": "pkg:deb/debian/python-urllib3@2.2.3-3?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@2.2.3-3%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/936868?format=api", "purl": "pkg:deb/debian/python-urllib3@2.3.0-3%2Bdeb13u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-zevs-1ge5-y7g7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@2.3.0-3%252Bdeb13u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/936867?format=api", "purl": "pkg:deb/debian/python-urllib3@2.6.3-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@2.6.3-2%3Fdistro=trixie" } ], "aliases": [ "CVE-2024-37891", "GHSA-34jh-p97f-mpxf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tkp-pxz9-h7c2" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-urllib3@2.2.3-3%3Fdistro=trixie" }