Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/golang-github-ulikunitz-xz@0.5.6-2?distro=trixie
Typedeb
Namespacedebian
Namegolang-github-ulikunitz-xz
Version0.5.6-2
Qualifiers
distro trixie
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.5.15-1
Latest_non_vulnerable_version0.5.15-1
Affected_by_vulnerabilities
0
url VCID-rpxr-fp8j-q3g2
vulnerability_id VCID-rpxr-fp8j-q3g2
summary xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58058.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58058.json
1
reference_url https://github.com/ulikunitz/xz
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ulikunitz/xz
2
reference_url https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
3
reference_url https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-58058
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-58058
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112508
reference_id 1112508
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112508
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2391585
reference_id 2391585
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2391585
fixed_packages
0
url pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1?distro=trixie
purl pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1%3Fdistro=trixie
aliases CVE-2025-58058, GHSA-jc7w-c686-c4v9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpxr-fp8j-q3g2
Fixing_vulnerabilities
0
url VCID-chmx-xpyv-xyfx
vulnerability_id VCID-chmx-xpyv-xyfx
summary xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29482.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29482.json
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1954368
reference_id 1954368
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1954368
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988243
reference_id 988243
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988243
3
reference_url https://access.redhat.com/errata/RHSA-2021:2920
reference_id RHSA-2021:2920
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2920
4
reference_url https://access.redhat.com/errata/RHSA-2022:0687
reference_id RHSA-2022:0687
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:0687
5
reference_url https://access.redhat.com/errata/RHSA-2022:1276
reference_id RHSA-2022:1276
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:1276
6
reference_url https://access.redhat.com/errata/RHSA-2022:2183
reference_id RHSA-2022:2183
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:2183
fixed_packages
0
url pkg:deb/debian/golang-github-ulikunitz-xz@0.5.6-2?distro=trixie
purl pkg:deb/debian/golang-github-ulikunitz-xz@0.5.6-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rpxr-fp8j-q3g2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-ulikunitz-xz@0.5.6-2%3Fdistro=trixie
1
url pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1?distro=trixie
purl pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-ulikunitz-xz@0.5.15-1%3Fdistro=trixie
aliases CVE-2021-29482
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-chmx-xpyv-xyfx
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-ulikunitz-xz@0.5.6-2%3Fdistro=trixie