GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/45769?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45769?format=api",
    "vulnerability_id": "VCID-hwg1-r88g-5bbf",
    "summary": "Jettison parser crash by stackoverflow\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\n### References\n\n- https://nvd.nist.gov/vuln/detail/CVE-2022-40149\n- https://github.com/jettison-json/jettison/issues/45\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538\n- https://github.com/jettison-json/jettison/pull/49/files\n- https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1\n- https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html\n- https://www.debian.org/security/2023/dsa-5312",
    "aliases": [
        {
            "alias": "GHSA-xqcq-j8w9-3pxv"
        },
        {
            "alias": "GMS-2023-1853"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/66423?format=api",
            "purl": "pkg:maven/com.tencyle.fixes/org.codehaus.jettison--jettison@1.1-tencyle-2.1.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-hwg1-r88g-5bbf"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.tencyle.fixes/org.codehaus.jettison--jettison@1.1-tencyle-2.1.0"
        }
    ],
    "references": [
        {
            "reference_url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538"
        },
        {
            "reference_url": "https://github.com/jettison-json/jettison/issues/45",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/jettison-json/jettison/issues/45"
        },
        {
            "reference_url": "https://github.com/jettison-json/jettison/pull/49",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/jettison-json/jettison/pull/49"
        },
        {
            "reference_url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
        },
        {
            "reference_url": "https://github.com/tencyle-fixes/jettison#jettison-backports-repository-by-tencyle",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/tencyle-fixes/jettison#jettison-backports-repository-by-tencyle"
        },
        {
            "reference_url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html"
        },
        {
            "reference_url": "https://www.debian.org/security/2023/dsa-5312",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://www.debian.org/security/2023/dsa-5312"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
            "reference_id": "CVE-2022-40149",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-xqcq-j8w9-3pxv",
            "reference_id": "GHSA-xqcq-j8w9-3pxv",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-xqcq-j8w9-3pxv"
        },
        {
            "reference_url": "https://github.com/tencyle-fixes/jettison/security/advisories/GHSA-xqcq-j8w9-3pxv",
            "reference_id": "GHSA-xqcq-j8w9-3pxv",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/tencyle-fixes/jettison/security/advisories/GHSA-xqcq-j8w9-3pxv"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hwg1-r88g-5bbf"
}