Look up vulnerable packages by Package URL (purl).

GET /api/packages/167?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/167?format=api",
    "purl": "pkg:hex/pow_assent@0.4.1",
    "type": "hex",
    "namespace": "",
    "name": "pow_assent",
    "version": "0.4.1",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "0.4.4",
    "latest_non_vulnerable_version": "0.4.4",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8?format=api",
            "vulnerability_id": "VCID-x4x4-mzaz-xkg3",
            "summary": "### Impact\n\nThe use of `String.to_atom/1` in PowAssent is susceptible to denial of\nservice attacks. In `PowAssent.Phoenix.AuthorizationController` a value is\nfetched from the user provided params, and `String.to_atom/1` is used to\nconvert the binary value to an atom so it can be used to fetch the provider\nconfiguration value. This is unsafe as it's user provided data, and can be\nused to fill up the whole atom table of ~1M which will cause the app to\ncrash.\n\n### Workarounds\n\nA plug can be used to validate `conn.params[\"provider\"]` before it reaches\nthe `PowAssent.Phoenix.AuthorizationController`.\n\n### References\n\nhttp://erlang.org/doc/efficiency_guide/commoncaveats.html#list_to_atom-1",
            "references": [
                {
                    "reference_url": "https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/pow-auth/pow_assent/security/advisories/GHSA-368c-xvrv-x986"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/170?format=api",
                    "purl": "pkg:hex/pow_assent@0.4.4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.4"
                }
            ],
            "aliases": [
                "CVE-2019-16764"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x4x4-mzaz-xkg3"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:hex/pow_assent@0.4.1"
}