Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/9690?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9690?format=api", "vulnerability_id": "VCID-s5xv-w8ne-nuf3", "summary": "A number of releases of ultralytics contained malicious crypto miner software.\nUltralytics has identified a supply chain attack\naffecting affecting multiple versions of the ultralytics package.\nThe compromised versions contained unauthorized code that\ndownloaded and executed cryptocurrency mining software\nwhen instantiating YOLO models.\nThis code was injected into the PyPI release artifacts and was not present\nin the public GitHub repository.", "aliases": [ { "alias": "PYSEC-2024-154" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49959?format=api", "purl": "pkg:pypi/ultralytics@8.3.47", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.47" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49953?format=api", "purl": "pkg:pypi/ultralytics@8.3.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.41" }, { "url": "http://public2.vulnerablecode.io/api/packages/49954?format=api", "purl": "pkg:pypi/ultralytics@8.3.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/49955?format=api", "purl": "pkg:pypi/ultralytics@8.3.43", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.43" }, { "url": "http://public2.vulnerablecode.io/api/packages/49956?format=api", "purl": "pkg:pypi/ultralytics@8.3.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.44" }, { "url": "http://public2.vulnerablecode.io/api/packages/49957?format=api", "purl": "pkg:pypi/ultralytics@8.3.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.45" }, { "url": "http://public2.vulnerablecode.io/api/packages/49958?format=api", "purl": "pkg:pypi/ultralytics@8.3.46", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s5xv-w8ne-nuf3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.46" } ], "references": [ { "reference_url": "https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection" }, { "reference_url": "https://github.com/ultralytics/ultralytics/issues/18027", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://github.com/ultralytics/ultralytics/issues/18027" }, { "reference_url": "https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194" }, { "reference_url": "https://github.com/ultralytics/ultralytics/pull/18052", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://github.com/ultralytics/ultralytics/pull/18052" }, { "reference_url": "https://github.com/ultralytics/ultralytics/pull/18111", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://github.com/ultralytics/ultralytics/pull/18111" }, { "reference_url": "https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48" }, { "reference_url": "https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "url": "https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284" } ], "weaknesses": [], "exploits": [], "severity_range_score": "8.6 - 8.7", "exploitability": "0.5", "weighted_severity": "7.8", "risk_score": 3.9, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s5xv-w8ne-nuf3" }