GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/40357?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40357?format=api",
    "vulnerability_id": "VCID-5cwu-zwsr-zqf8",
    "summary": "Improper Access Control\nThe application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.",
    "aliases": [
        {
            "alias": "CVE-2016-4464"
        },
        {
            "alias": "GHSA-qpwj-mvv7-v3m9"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56852?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring@1.2.3",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring@1.2.3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56853?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring@1.3.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring@1.3.1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56814?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.2.3",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.2.3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56815?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.3.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.3.1"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56850?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring@1.2.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-5cwu-zwsr-zqf8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring@1.2.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56851?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring@1.3.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-5cwu-zwsr-zqf8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring@1.3.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56812?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.2.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-5cwu-zwsr-zqf8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.2.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/56813?format=api",
            "purl": "pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.3.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-5cwu-zwsr-zqf8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.cxf.fediz/fediz-spring2@1.3.0"
        }
    ],
    "references": [
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4464",
            "reference_id": "CVE-2016-4464",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4464"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-qpwj-mvv7-v3m9",
            "reference_id": "GHSA-qpwj-mvv7-v3m9",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-qpwj-mvv7-v3m9"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        },
        {
            "cwe_id": 284,
            "name": "Improper Access Control",
            "description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5cwu-zwsr-zqf8"
}