{"url":"http://public2.vulnerablecode.io/api/packages/49957?format=json","purl":"pkg:pypi/ultralytics@8.3.45","type":"pypi","namespace":"","name":"ultralytics","version":"8.3.45","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.3.47","latest_non_vulnerable_version":"8.3.47","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9690?format=json","vulnerability_id":"VCID-s5xv-w8ne-nuf3","summary":"A number of releases of ultralytics contained malicious crypto miner software.\nUltralytics has identified a supply chain attack\naffecting multiple versions of the ultralytics package.\nThe compromised versions contained unauthorized code that\ndownloaded and executed cryptocurrency mining software\nwhen instantiating YOLO models.\nThis code was injected into the PyPI release artifacts and was not present\nin the public GitHub repository.","references":[{"reference_url":"https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection"},{"reference_url":"https://github.com/ultralytics/ultralytics/issues/18027","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://github.com/ultralytics/ultralytics/issues/18027"},{"reference_url":"https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194"},{"reference_url":"https://github.com/ultralytics/ultralytics/pull/18052","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://github.com/ultralytics/ultralytics/pull/18052"},{"reference_url":"https://github.com/ultralytics/ultralytics/pull/18111","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://github.com/ultralytics/ultralytics/pull/18111"},{"reference_url":"https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48"},{"reference_url":"https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scorin
g_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}],"url":"https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49959?format=json","purl":"pkg:pypi/ultralytics@8.3.47","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.47"}],"aliases":["PYSEC-2024-154"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s5xv-w8ne-nuf3"}],"fixing_vulnerabilities":[],"risk_score":"3.9","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ultralytics@8.3.45"}