Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/461639?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/461639?format=api", "purl": "pkg:gem/dependabot-omnibus@0.119.1", "type": "gem", "namespace": "", "name": "dependabot-omnibus", "version": "0.119.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.125.2", "latest_non_vulnerable_version": "0.125.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41084?format=api", "vulnerability_id": "VCID-vfaj-ymca-zyaq", "summary": "Remote code execution in dependabot-core branch names when cloning\n### Impact\nRemote code execution vulnerability in `dependabot-common` and `dependabot-go_modules` when a source branch name contains malicious injectable bash code.\n\nFor example, if Dependabot is configured to use the following source branch name: `\"/$({curl,127.0.0.1})\"`, Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.\n\nWhen Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:\n\n```bash\ngit clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path\n```\n\nDependabot will always clone the source repository for `go_modules` during the file fetching step and can be configured to clone the repository for other package managers using the `FileFetcher` class from `dependabot-common`.\n\n```ruby\nsource = Dependabot::Source.new(\n provider: \"github\",\n repo: \"repo/name\",\n directory: \"/\",\n branch: \"/$({curl,127.0.0.1})\",\n)\n\nrepo_contents_path = \"./file/path\"\nfetcher = Dependabot::FileFetchers.for_package_manager(\"bundler\").\n new(source: source, credentials: [],\n repo_contents_path: repo_contents_path)\nfetcher.clone_repo_contents\n```\n\n### Patches\n\nThe fix was applied to version `0.125.1`: https://github.com/dependabot/dependabot-core/pull/2727\n\n### 
Workarounds\nEscape the branch name prior to passing it to the `Dependabot::Source` class.\n\nFor example using `shellwords`:\n\n```ruby\nrequire \"shellwords\"\nbranch = Shellwords.escape(\"/$({curl,127.0.0.1})\")\nsource = Dependabot::Source.new(\n provider: \"github\",\n repo: \"repo/name\",\n directory: \"/\",\n branch: branch,\n)\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26222", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65227", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26222" }, { "reference_url": "https://github.com/dependabot/dependabot-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dependabot/dependabot-core" }, { "reference_url": "https://github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5" }, { "reference_url": "https://github.com/dependabot/dependabot-core/pull/2727", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dependabot/dependabot-core/pull/2727" }, { "reference_url": 
"https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-common/CVE-2020-26222.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-common/CVE-2020-26222.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-omnibus/CVE-2020-26222.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-omnibus/CVE-2020-26222.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26222", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26222" }, { "reference_url": "https://rubygems.org/gems/dependabot-common", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubygems.org/gems/dependabot-common" }, { "reference_url": "https://rubygems.org/gems/dependabot-omnibus", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubygems.org/gems/dependabot-omnibus" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74660?format=api", "purl": "pkg:gem/dependabot-omnibus@0.125.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vfaj-ymca-zyaq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/dependabot-omnibus@0.125.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/461667?format=api", "purl": "pkg:gem/dependabot-omnibus@0.125.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/dependabot-omnibus@0.125.2" } ], "aliases": [ "CVE-2020-26222", "GHSA-23f7-99jx-m54r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vfaj-ymca-zyaq" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/dependabot-omnibus@0.119.1" }