Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/417411?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/417411?format=api", "purl": "pkg:apk/alpine/go@0?arch=armhf&distroversion=v3.23&reponame=community", "type": "apk", "namespace": "alpine", "name": "go", "version": "0", "qualifiers": { "arch": "armhf", "distroversion": "v3.23", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "1.9.4-r0", "latest_non_vulnerable_version": "1.25.10-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70993?format=api", "vulnerability_id": "VCID-7r24-w1n2-1keq", "summary": "On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41720.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41720.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.1065", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10617", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10693", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10718", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10681", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10597", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41720" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161271", "reference_id": "2161271", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161271" }, { "reference_url": "https://go.dev/cl/455716", "reference_id": "455716", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:41:16Z/" } ], "url": "https://go.dev/cl/455716" }, { "reference_url": "https://go.dev/issue/56694", "reference_id": "56694", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:41:16Z/" } ], "url": "https://go.dev/issue/56694" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2022-1143", "reference_id": "GO-2022-1143", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:41:16Z/" } ], "url": "https://pkg.go.dev/vuln/GO-2022-1143" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/417411?format=api", "purl": "pkg:apk/alpine/go@0?arch=armhf&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/go@0%3Farch=armhf&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2022-41720" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7r24-w1n2-1keq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70991?format=api", "vulnerability_id": "VCID-7t1b-2sh5-syds", "summary": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41716", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02415", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02427", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02423", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02371", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02357", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02315", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41716" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41716", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41716" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://go.dev/cl/446916", "reference_id": "446916", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:02:04Z/" } ], "url": "https://go.dev/cl/446916" }, { "reference_url": "https://go.dev/issue/56284", "reference_id": "56284", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:02:04Z/" } ], "url": "https://go.dev/issue/56284" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2022-1095", "reference_id": "GO-2022-1095", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:02:04Z/" } ], "url": "https://pkg.go.dev/vuln/GO-2022-1095" }, { "reference_url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ", "reference_id": "hSpmRzk-AgAJ", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:02:04Z/" } ], "url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/417411?format=api", "purl": "pkg:apk/alpine/go@0?arch=armhf&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/go@0%3Farch=armhf&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2022-41716" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7t1b-2sh5-syds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70994?format=api", "vulnerability_id": "VCID-czpa-dun8-hkfw", "summary": "A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41722.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41722.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41722", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56449", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56394", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56443", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56454", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00452", "scoring_system": "epss", "scoring_elements": "0.64115", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00452", "scoring_system": "epss", "scoring_elements": "0.64095", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41722" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41722", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41722" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2203008", "reference_id": "2203008", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2203008" }, { "reference_url": "https://go.dev/cl/468123", "reference_id": "468123", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:58:38Z/" } ], "url": "https://go.dev/cl/468123" }, { "reference_url": "https://go.dev/issue/57274", "reference_id": "57274", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:58:38Z/" } ], "url": "https://go.dev/issue/57274" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2023-1568", "reference_id": "GO-2023-1568", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:58:38Z/" } ], "url": "https://pkg.go.dev/vuln/GO-2023-1568" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1325", "reference_id": "RHSA-2023:1325", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1325" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3304", "reference_id": "RHSA-2023:3304", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3304" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3366", "reference_id": "RHSA-2023:3366", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3366" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/417411?format=api", "purl": "pkg:apk/alpine/go@0?arch=armhf&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/go@0%3Farch=armhf&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2022-41722" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czpa-dun8-hkfw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71029?format=api", "vulnerability_id": "VCID-nzay-a6zy-n3h6", "summary": "On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a \"#cgo LDFLAGS\" directive.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24787", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03204", "scoring_system": "epss", "scoring_elements": "0.87267", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.03204", "scoring_system": "epss", "scoring_elements": "0.87271", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.03204", "scoring_system": "epss", "scoring_elements": "0.87259", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.03204", "scoring_system": "epss", "scoring_elements": "0.87262", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03204", "scoring_system": "epss", "scoring_elements": "0.87264", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24787" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/05/08/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/05/08/3" }, { "reference_url": "https://go.dev/cl/583815", "reference_id": "583815", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "https://go.dev/cl/583815" }, { "reference_url": "https://go.dev/issue/67119", "reference_id": "67119", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "https://go.dev/issue/67119" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2024-2825", "reference_id": "GO-2024-2825", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "https://pkg.go.dev/vuln/GO-2024-2825" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240531-0006/", "reference_id": "ntap-20240531-0006", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240531-0006/" }, { "reference_url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0", "reference_id": "wkkO4P9stm0", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-05T14:49:29Z/" } ], "url": "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/417411?format=api", "purl": "pkg:apk/alpine/go@0?arch=armhf&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/go@0%3Farch=armhf&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2024-24787" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzay-a6zy-n3h6" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/go@0%3Farch=armhf&distroversion=v3.23&reponame=community" }