Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/16775?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16775?format=api", "vulnerability_id": "VCID-wyec-gfgc-4yfw", "summary": "Incorrect Authorization\nJenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.", "aliases": [ { "alias": "CVE-2023-27899" }, { "alias": "GHSA-hf9h-vv4m-2f33" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56372?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.375.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-7xf4-2kjf-87fe" }, { "vulnerability": "VCID-dvyn-m8js-xbc2" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" }, { "vulnerability": "VCID-xznu-vdv9-eue6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.375.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/71748?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.387.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.387.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56373?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.394", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.394" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56372?format=api", "purl": 
"pkg:maven/org.jenkins-ci.main/jenkins-core@2.375.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-7xf4-2kjf-87fe" }, { "vulnerability": "VCID-dvyn-m8js-xbc2" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" }, { "vulnerability": "VCID-xznu-vdv9-eue6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.375.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/581279?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.376", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-7xf4-2kjf-87fe" }, { "vulnerability": "VCID-betz-7kth-p3cr" }, { "vulnerability": "VCID-dvyn-m8js-xbc2" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" }, { "vulnerability": "VCID-xznu-vdv9-eue6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.376" }, { "url": "http://public2.vulnerablecode.io/api/packages/581280?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.388", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-7xf4-2kjf-87fe" }, { "vulnerability": "VCID-dvyn-m8js-xbc2" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" }, { "vulnerability": "VCID-xznu-vdv9-eue6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.388" }, { "url": "http://public2.vulnerablecode.io/api/packages/96940?format=api", "purl": "pkg:rpm/redhat/jenkins@2.387.1.1680701869-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-betz-7kth-p3cr" 
}, { "vulnerability": "VCID-r15d-pzfc-3fg7" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" }, { "vulnerability": "VCID-y82q-fr9b-gyf2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.387.1.1680701869-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/96405?format=api", "purl": "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-432r-ukuw-4bgt" }, { "vulnerability": "VCID-6925-fwf4-f7df" }, { "vulnerability": "VCID-9442-1vwr-5fbt" }, { "vulnerability": "VCID-afh4-nhxq-y3he" }, { "vulnerability": "VCID-betz-7kth-p3cr" }, { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dvyn-8phs-a3a6" }, { "vulnerability": "VCID-wyec-gfgc-4yfw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.401.1.1686831596-3%3Farch=el8" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27899.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27899.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27899", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15284", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15454", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15376", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15516", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15316", "published_at": 
"2026-04-07T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15404", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15416", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15232", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15228", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15447", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1531", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27899" }, { "reference_url": "https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27899.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27899.json" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/f39c11fa27b14923260c4c9b896f0f373e2a0a17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/jenkins/commit/f39c11fa27b14923260c4c9b896f0f373e2a0a17" }, { "reference_url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": 
"7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-28T18:35:20Z/" } ], "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", "reference_id": "2177626", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177626" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", "reference_id": "CVE-2023-27899", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27899" }, { "reference_url": "https://github.com/advisories/GHSA-hf9h-vv4m-2f33", "reference_id": "GHSA-hf9h-vv4m-2f33", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hf9h-vv4m-2f33" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1655", "reference_id": "RHSA-2023:1655", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1655" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3663", "reference_id": "RHSA-2023:3663", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3663" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." 
}, { "cwe_id": 863, "name": "Incorrect Authorization", "description": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 378, "name": "Creation of Temporary File With Insecure Permissions", "description": "Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wyec-gfgc-4yfw" }