Look up vulnerable packages by Package URL.

GET /api/packages/504669?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/504669?format=api",
    "purl": "pkg:composer/ibexa/graphql@3.3.0",
    "type": "composer",
    "namespace": "ibexa",
    "name": "graphql",
    "version": "3.3.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "4.2.3",
    "latest_non_vulnerable_version": "4.3.0-beta1",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110239?format=api",
            "vulnerability_id": "VCID-d4tv-qqzh-3ket",
            "summary": "GraphQL queries can expose password hashes\n### Impact\nUnauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.\n\n### Patches\nAffected versions: Ibexa DXP v3.3.\\*, v4.2.\\*, eZ Platform v2.5.\\*\nResolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31\n\n### Workarounds\nRemove the \"passwordHash\" entry from \"src/bundle/Resources/config/graphql/User.types.yaml\" in the GraphQL package, and other properties like hash type, email, login if you prefer.\n\n### References\n\nThis issue was reported to us by Philippe Tranca (\"trancap\") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. \n\n### For more information\nIf you have any questions or comments about this advisory, please contact Support via your service portal.",
            "references": [
                {
                    "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips"
                },
                {
                    "reference_url": "https://github.com/ibexa/graphql",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ibexa/graphql"
                },
                {
                    "reference_url": "https://github.com/ibexa/graphql/commit/5ae5fb4d1d292ddde8528e040ef8a7c8dd7f9c6d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ibexa/graphql/commit/5ae5fb4d1d292ddde8528e040ef8a7c8dd7f9c6d"
                },
                {
                    "reference_url": "https://github.com/ibexa/graphql/security/advisories/GHSA-3p7g-wrgg-wq45",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ibexa/graphql/security/advisories/GHSA-3p7g-wrgg-wq45"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3p7g-wrgg-wq45",
                    "reference_id": "GHSA-3p7g-wrgg-wq45",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3p7g-wrgg-wq45"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/148776?format=api",
                    "purl": "pkg:composer/ibexa/graphql@3.3.28",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ibexa/graphql@3.3.28"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/148775?format=api",
                    "purl": "pkg:composer/ibexa/graphql@4.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ibexa/graphql@4.2.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/618873?format=api",
                    "purl": "pkg:composer/ibexa/graphql@4.3.0-beta1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ibexa/graphql@4.3.0-beta1"
                }
            ],
            "aliases": [
                "GHSA-3p7g-wrgg-wq45",
                "GMS-2022-6767"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d4tv-qqzh-3ket"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.5",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ibexa/graphql@3.3.0"
}