GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/43784?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43784?format=api",
    "vulnerability_id": "VCID-xpa5-fsb6-ukay",
    "summary": "Code injection in Apache Struts\nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.\n\nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.",
    "aliases": [
        {
            "alias": "CVE-2013-2251"
        },
        {
            "alias": "GHSA-47qp-8v9g-39hp"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/51518?format=api",
            "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.15.1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-z6wr-3psx-dbfm"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1"
        }
    ],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90392",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90392"
        },
        {
            "reference_url": "https://github.com/apache/struts",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/apache/struts"
        },
        {
            "reference_url": "https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6"
        },
        {
            "reference_url": "https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e"
        },
        {
            "reference_url": "https://issues.apache.org/jira/browse/WW-4140",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://issues.apache.org/jira/browse/WW-4140"
        },
        {
            "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2251",
            "reference_id": "CVE-2013-2251",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2251"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-47qp-8v9g-39hp",
            "reference_id": "GHSA-47qp-8v9g-39hp",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-47qp-8v9g-39hp"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 20,
            "name": "Improper Input Validation",
            "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."
        },
        {
            "cwe_id": 74,
            "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
            "description": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay"
}