Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye

Type deb

Namespace debian

Name libtar

Version 1.2.20-8+deb12u1

Qualifiers

distro	bullseye

Subpath

Is_vulnerable false

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-22gm-ma79-hbcv

vulnerability_id VCID-22gm-ma79-hbcv

summary Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.

references

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4420.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4420.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-4420

reference_id

reference_type

scores

value	0.00376
scoring_system	epss
scoring_elements	0.59482
published_at	2026-06-04T12:55:00Z

value	0.00376
scoring_system	epss
scoring_elements	0.59532
published_at	2026-06-05T12:55:00Z

value	0.00376
scoring_system	epss
scoring_elements	0.59536
published_at	2026-06-06T12:55:00Z

value	0.00376
scoring_system	epss
scoring_elements	0.59527
published_at	2026-06-07T12:55:00Z

value	0.00376
scoring_system	epss
scoring_elements	0.59508
published_at	2026-06-08T12:55:00Z

value	0.00376
scoring_system	epss
scoring_elements	0.59526
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-4420

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1018150
reference_id	1018150
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1018150

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
reference_id	731860
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-2?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-2?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-2%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2013-4420

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-22gm-ma79-hbcv

url VCID-2p3j-1cvy-dyh7

vulnerability_id VCID-2p3j-1cvy-dyh7

summary The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33646.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33646.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-33646

reference_id

reference_type

scores

value	0.00219
scoring_system	epss
scoring_elements	0.44469
published_at	2026-06-04T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44539
published_at	2026-06-05T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44547
published_at	2026-06-06T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44526
published_at	2026-06-07T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44491
published_at	2026-06-08T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44504
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-33646

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33646
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33646

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2121297
reference_id	2121297
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2121297

reference_url	https://access.redhat.com/errata/RHSA-2023:2898
reference_id	RHSA-2023:2898
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2898

reference_url	https://usn.ubuntu.com/7398-1/
reference_id	USN-7398-1
reference_type
scores
url	https://usn.ubuntu.com/7398-1/

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1~deb11u1%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2021-33646

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2p3j-1cvy-dyh7

url VCID-bagt-betj-vqfy

vulnerability_id VCID-bagt-betj-vqfy

summary An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33644.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33644.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-33644

reference_id

reference_type

scores

value	0.00225
scoring_system	epss
scoring_elements	0.4535
published_at	2026-06-04T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45418
published_at	2026-06-05T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45423
published_at	2026-06-06T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45403
published_at	2026-06-07T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45377
published_at	2026-06-08T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.4539
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-33644

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33644
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33644

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2121292
reference_id	2121292
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2121292

reference_url	https://access.redhat.com/errata/RHSA-2023:2898
reference_id	RHSA-2023:2898
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2898

reference_url	https://usn.ubuntu.com/7398-1/
reference_id	USN-7398-1
reference_type
scores
url	https://usn.ubuntu.com/7398-1/

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1~deb11u1%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2021-33644

risk_score 3.0

exploitability 0.5

weighted_severity 6.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bagt-betj-vqfy

url VCID-kucy-f2mb-vfa4

vulnerability_id VCID-kucy-f2mb-vfa4

summary An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33643.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33643.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-33643

reference_id

reference_type

scores

value	0.00225
scoring_system	epss
scoring_elements	0.4535
published_at	2026-06-04T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45418
published_at	2026-06-05T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45423
published_at	2026-06-06T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45403
published_at	2026-06-07T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.45377
published_at	2026-06-08T12:55:00Z

value	0.00225
scoring_system	epss
scoring_elements	0.4539
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-33643

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2121289
reference_id	2121289
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2121289

reference_url	https://access.redhat.com/errata/RHSA-2023:2898
reference_id	RHSA-2023:2898
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2898

reference_url	https://usn.ubuntu.com/7398-1/
reference_id	USN-7398-1
reference_type
scores
url	https://usn.ubuntu.com/7398-1/

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1~deb11u1%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2021-33643

risk_score 3.4

exploitability 0.5

weighted_severity 6.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kucy-f2mb-vfa4

url VCID-u2y3-5bnz-kkg3

vulnerability_id VCID-u2y3-5bnz-kkg3

summary Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.

references

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4397.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4397.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-4397

reference_id

reference_type

scores

value	0.04261
scoring_system	epss
scoring_elements	0.89004
published_at	2026-06-04T12:55:00Z

value	0.04261
scoring_system	epss
scoring_elements	0.89021
published_at	2026-06-08T12:55:00Z

value	0.04261
scoring_system	epss
scoring_elements	0.89022
published_at	2026-06-06T12:55:00Z

value	0.04261
scoring_system	epss
scoring_elements	0.89037
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-4397

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1014492
reference_id	1014492
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1014492

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725938
reference_id	725938
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725938

reference_url	https://security.gentoo.org/glsa/201402-19
reference_id	GLSA-201402-19
reference_type
scores
url	https://security.gentoo.org/glsa/201402-19

reference_url	https://access.redhat.com/errata/RHSA-2013:1418
reference_id	RHSA-2013:1418
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:1418

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-1%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2013-4397

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u2y3-5bnz-kkg3

url VCID-went-15r7-mkck

vulnerability_id VCID-went-15r7-mkck

summary The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33645.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33645.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-33645

reference_id

reference_type

scores

value	0.00219
scoring_system	epss
scoring_elements	0.44469
published_at	2026-06-04T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44539
published_at	2026-06-05T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44547
published_at	2026-06-06T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44526
published_at	2026-06-07T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44491
published_at	2026-06-08T12:55:00Z

value	0.00219
scoring_system	epss
scoring_elements	0.44504
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-33645

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33645
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33645

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2121295
reference_id	2121295
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2121295

reference_url	https://access.redhat.com/errata/RHSA-2023:2898
reference_id	RHSA-2023:2898
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2898

reference_url	https://usn.ubuntu.com/7398-1/
reference_id	USN-7398-1
reference_type
scores
url	https://usn.ubuntu.com/7398-1/

fixed_packages

url	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1~deb11u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1~deb11u1%3Fdistro=bullseye

url	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
purl	pkg:deb/debian/libtar@1.2.20-8%2Bdeb12u1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

aliases CVE-2021-33645

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-went-15r7-mkck

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libtar@1.2.20-8%252Bdeb12u1%3Fdistro=bullseye

Package Instance