Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/43521?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43521?format=api", "vulnerability_id": "VCID-126z-y9y8-zqhx", "summary": "Jenkins does not Verify Checksums for Plugin Files\nThe Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.", "aliases": [ { "alias": "CVE-2015-7539" }, { "alias": "GHSA-x274-9m9r-fm5g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62086?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/62204?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@1.640", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.640" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62091?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@1.626", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-126z-y9y8-zqhx" }, { "vulnerability": "VCID-hzw1-bfa6-47au" }, { "vulnerability": "VCID-jj3u-n2vy-5fe8" }, { "vulnerability": "VCID-kupx-qgas-r7fz" }, { "vulnerability": "VCID-swpw-2zw3-d3hy" }, { "vulnerability": "VCID-vuwz-whaq-rybd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.626" } ], "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2016:0070", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:0070" }, { "reference_url": 
"https://github.com/jenkinsci/jenkins", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e" }, { "reference_url": "https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295" }, { "reference_url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7539", "reference_id": "CVE-2015-7539", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7539" }, { "reference_url": "https://github.com/advisories/GHSA-x274-9m9r-fm5g", "reference_id": 
"GHSA-x274-9m9r-fm5g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x274-9m9r-fm5g" } ], "weaknesses": [ { "cwe_id": 345, "name": "Insufficient Verification of Data Authenticity", "description": "The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-126z-y9y8-zqhx" }