Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/44661?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44661?format=api", "vulnerability_id": "VCID-vpbp-kn99-hygk", "summary": "Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references.\n\n## Original Description\n\nThis Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.", "aliases": [ { "alias": "GHSA-89p3-9j8c-fqh4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64301?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64302?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64297?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m6hv-1sz4-mfff" }, { "vulnerability": "VCID-vpbp-kn99-hygk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/60248?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1eex-e332-37e8" }, { "vulnerability": "VCID-86hr-ej2a-ubbw" }, { "vulnerability": "VCID-jz3f-vywm-v7a7" }, { "vulnerability": "VCID-m6hv-1sz4-mfff" }, { "vulnerability": "VCID-q58t-76x6-mqgp" }, { "vulnerability": "VCID-tw5w-dvc4-gfh4" }, { "vulnerability": "VCID-ueng-9gm9-4qb2" }, { "vulnerability": "VCID-veax-u5rr-4kbv" }, { "vulnerability": "VCID-vpbp-kn99-hygk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.0" } ], "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876", "reference_id": "CVE-2021-46876", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876" }, { "reference_url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4", "reference_id": "GHSA-89p3-9j8c-fqh4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj" } ], "weaknesses": [ { "cwe_id": 203, "name": "Observable Discrepancy", "description": "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vpbp-kn99-hygk" }