GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/45391?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45391?format=api",
    "vulnerability_id": "VCID-4pk4-kr33-y7gj",
    "summary": "Cross-Site Request Forgery (CSRF)\nIn Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.",
    "aliases": [
        {
            "alias": "CVE-2023-35141"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/65519?format=api",
            "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.401.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.401.1"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/65518?format=api",
            "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.400",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-4pk4-kr33-y7gj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.400"
        }
    ],
    "references": [
        {
            "reference_url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135"
        },
        {
            "reference_url": "http://www.openwall.com/lists/oss-security/2023/06/14/5",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35141",
            "reference_id": "CVE-2023-35141",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35141"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        },
        {
            "cwe_id": 352,
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4pk4-kr33-y7gj"
}