{"url":"http://public2.vulnerablecode.io/api/packages/190648?format=json","purl":"pkg:ebuild/app-arch/arj@3.10.22-r5","type":"ebuild","namespace":"app-arch","name":"arj","version":"3.10.22-r5","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58777?format=json","vulnerability_id":"VCID-4d97-px4k-v3cf","summary":"Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-0557","reference_id":"","reference_type":"","scores":[{"value":"0.02096","scoring_system":"epss","scoring_elements":"0.84355","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02096","scoring_system":"epss","scoring_elements":"0.84379","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-0557"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435","reference_id":"774435","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435"},{"reference_url":"https://security.gentoo.org/glsa/201612-15","reference_id":"GLSA-201612-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201612-15"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190648?format=json","purl":"pkg:ebuild/app-arch/arj@3.10.22-r5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/app-arch/arj@3.10.22-r5"}],"aliases":["CVE-2015-0557"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4d97-px4k-v3cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58776?format=json","vulnerability_id":"VCID-c741-c27z-2ket","summary":"Open-source ARJ archiver 3.10.22 allows remote attackers to conduct directory traversal attacks via a symlink attack in an ARJ archive.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-0556","reference_id":"","reference_type":"","scores":[{"value":"0.01551","scoring_system":"epss","scoring_elements":"0.81748","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01551","scoring_system":"epss","scoring_elements":"0.81783","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-0556"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774434","reference_id":"774434","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774434"},{"reference_url":"https://security.gentoo.org/glsa/201612-15","reference_id":"GLSA-201612-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201612-15"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190648?format=json","purl":"pkg:ebuild/app-arch/arj@3.10.22-r5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/app-arch/arj@3.10.22-r5"}],"aliases":["CVE-2015-0556"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c741-c27z-2ket"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58778?format=json","vulnerability_id":"VCID-weda-75ms-8bbb","summary":"Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ARJ archive.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-2782","reference_id":"","reference_type":"","scores":[{"value":"0.05446","scoring_system":"epss","scoring_elements":"0.90342","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05446","scoring_system":"epss","scoring_elements":"0.90357","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-2782"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0556"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0557"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2782"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015","reference_id":"774015","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015"},{"reference_url":"https://security.gentoo.org/glsa/201612-15","reference_id":"GLSA-201612-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201612-15"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190648?format=json","purl":"pkg:ebuild/app-arch/arj@3.10.22-r5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/app-arch/arj@3.10.22-r5"}],"aliases":["CVE-2015-2782"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-weda-75ms-8bbb"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/app-arch/arj@3.10.22-r5"}