Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/146677?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/146677?format=api", "purl": "pkg:golang/github.com/mittwald/kube-httpcache@0.7.1", "type": "golang", "namespace": "github.com/mittwald", "name": "kube-httpcache", "version": "0.7.1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109498?format=api", "vulnerability_id": "VCID-bauu-4q7u-cbg8", "summary": "kube-httpcache is vulnerable to Cross-Site Request Forgery (CSRF)\n### Impact\n\n> A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.\n> -- https://varnish-cache.org/security/VSV00011.html#vsv00011\n\n### Patches\n\nThis is fixed in Varnish 6.0.11; Varnish 6.0.11 is available in `kube-httpcache` versions v0.7.1 and later.\n\n### Workarounds\n\nSee [upstream mitigation hints](https://varnish-cache.org/security/VSV00011.html#mitigation).\n\n### References\n\n- https://varnish-cache.org/security/VSV00011.html#vsv00011", "references": [ { "reference_url": "https://github.com/mittwald/kube-httpcache", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mittwald/kube-httpcache" }, { "reference_url": "https://github.com/mittwald/kube-httpcache/security/advisories/GHSA-47xh-qxqv-mgvg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mittwald/kube-httpcache/security/advisories/GHSA-47xh-qxqv-mgvg" }, { "reference_url": "https://varnish-cache.org/security/VSV00011.html#vsv00011", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://varnish-cache.org/security/VSV00011.html#vsv00011" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/146677?format=api", "purl": "pkg:golang/github.com/mittwald/kube-httpcache@0.7.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mittwald/kube-httpcache@0.7.1" } ], "aliases": [ "GHSA-47xh-qxqv-mgvg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bauu-4q7u-cbg8" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mittwald/kube-httpcache@0.7.1" }