Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/39276?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39276?format=api", "vulnerability_id": "VCID-enff-2dm6-ybfa", "summary": "Hostname verification susceptible to MITM attack\nThe implementation used this package to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.", "aliases": [ { "alias": "CVE-2014-3607" }, { "alias": "GHSA-273v-g3x4-r3rc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63024?format=api", "purl": "pkg:maven/edu.internet2.middleware/shibboleth-identityprovider@2.4.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/edu.internet2.middleware/shibboleth-identityprovider@2.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/54817?format=api", "purl": "pkg:maven/edu.vt.middleware/vt-ldap@3.3.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/edu.vt.middleware/vt-ldap@3.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/54815?format=api", "purl": "pkg:maven/org.ldaptive/ldaptive@1.0.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.ldaptive/ldaptive@1.0.5" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54816?format=api", "purl": "pkg:maven/edu.vt.middleware/vt-ldap@3.3.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-enff-2dm6-ybfa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/edu.vt.middleware/vt-ldap@3.3.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/54814?format=api", "purl": "pkg:maven/org.ldaptive/ldaptive@1.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-enff-2dm6-ybfa" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.ldaptive/ldaptive@1.0.4" } ], "references": [ { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1140438", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1140438" }, { "reference_url": "https://code.google.com/archive/p/vt-middleware/issues/226", "reference_id": "", "reference_type": "", "scores": [], "url": "https://code.google.com/archive/p/vt-middleware/issues/226" }, { "reference_url": "https://code.google.com/archive/p/vt-middleware/issues/227", "reference_id": "", "reference_type": "", "scores": [], "url": "https://code.google.com/archive/p/vt-middleware/issues/227" }, { "reference_url": "https://code.google.com/archive/p/vt-middleware/issues/228", "reference_id": "", "reference_type": "", "scores": [], "url": "https://code.google.com/archive/p/vt-middleware/issues/228" }, { "reference_url": "https://code.google.com/archive/p/vt-middleware/source/default/commits", "reference_id": "", "reference_type": "", "scores": [], "url": "https://code.google.com/archive/p/vt-middleware/source/default/commits" }, { "reference_url": "https://code.google.com/p/vt-middleware/source/detail?r=3046", "reference_id": "", "reference_type": "", "scores": [], "url": "https://code.google.com/p/vt-middleware/source/detail?r=3046" }, { "reference_url": "http://shibboleth.net/community/advisories/secadv_20140919.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "http://shibboleth.net/community/advisories/secadv_20140919.txt" }, { "reference_url": "https://bugzilla.redhat.com/CVE-2014-3607", "reference_id": "CVE-2014-3607", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/CVE-2014-3607" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3607", "reference_id": "CVE-2014-3607", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3607" }, { "reference_url": "https://github.com/advisories/GHSA-273v-g3x4-r3rc", "reference_id": "GHSA-273v-g3x4-r3rc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-273v-g3x4-r3rc" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 295, "name": "Improper Certificate Validation", "description": "The product does not validate, or incorrectly validates, a certificate." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-enff-2dm6-ybfa" }