Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/426838?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/426838?format=api", "purl": "pkg:gem/omniauth@1.8.0", "type": "gem", "namespace": "", "name": "omniauth", "version": "1.8.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.0", "latest_non_vulnerable_version": "2.0.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48604?format=api", "vulnerability_id": "VCID-c39p-7ky4-mkbf", "summary": "OmniAuth Ruby gem Cross-site Request Forgery in request phase\nThe request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.\n\nAs of v2 OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. 
There is a recommended remediation described [here](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9284.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9284.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2015-9284", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00425", "scoring_system": "epss", "scoring_elements": "0.62478", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2015-9284" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284" }, { "reference_url": "https://github.com/omniauth/omniauth", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth" }, { "reference_url": "https://github.com/omniauth/omniauth/issues/1031", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/issues/1031" }, { "reference_url": "https://github.com/omniauth/omniauth/pull/809", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/pull/809" }, { "reference_url": "https://github.com/omniauth/omniauth-rails/pull/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth-rails/pull/1" }, { "reference_url": "https://github.com/omniauth/omniauth/releases/tag/v1.9.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/releases/tag/v1.9.2" }, { "reference_url": "https://github.com/omniauth/omniauth/releases/tag/v2.0.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/releases/tag/v2.0.0" }, { "reference_url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9284", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9284" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2015/05/26/11", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.openwall.com/lists/oss-security/2015/05/26/11" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1707375", "reference_id": "1707375", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1707375" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973384", "reference_id": "973384", "reference_type": "", "scores": [], "url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973384" }, { "reference_url": "https://github.com/advisories/GHSA-ww4x-rwq6-qpgf", "reference_id": "GHSA-ww4x-rwq6-qpgf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ww4x-rwq6-qpgf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83722?format=api", "purl": "pkg:gem/omniauth@2.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@2.0.0" } ], "aliases": [ "CVE-2015-9284", "GHSA-ww4x-rwq6-qpgf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c39p-7ky4-mkbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51237?format=api", "vulnerability_id": "VCID-rvp2-ahqb-4fhm", "summary": "OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value\nlib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36599", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00617", "scoring_system": "epss", "scoring_elements": "0.70264", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36599" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36599", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36599" }, { "reference_url": "https://github.com/omniauth/omniauth", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth" }, { "reference_url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2020-36599.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2020-36599.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36599", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36599" }, { "reference_url": "https://rubygems.org/gems/omniauth/versions/1.9.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://rubygems.org/gems/omniauth/versions/1.9.2" }, { "reference_url": "https://github.com/advisories/GHSA-pm55-qfxr-h247", "reference_id": "GHSA-pm55-qfxr-h247", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pm55-qfxr-h247" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87548?format=api", "purl": "pkg:gem/omniauth@1.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c39p-7ky4-mkbf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@1.9.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/83722?format=api", "purl": "pkg:gem/omniauth@2.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@2.0.0" } ], "aliases": [ "CVE-2020-36599", "GHSA-pm55-qfxr-h247" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rvp2-ahqb-4fhm" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@1.8.0" }