Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/515490?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/515490?format=api", "purl": "pkg:cargo/uv@0.11.15", "type": "cargo", "namespace": "", "name": "uv", "version": "0.11.15", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92218?format=api", "vulnerability_id": "VCID-a171-rj2a-uuaw", "summary": "uv is vulnerable to arbitrary file write through entry point names\n### Impact\n\nIn versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification (under `console_scripts` or `gui_scripts`), uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts directory.\n\nA malicious wheel could use this to place an executable outside of the intended environment, including in a directory already present on the user's `PATH`. This could shadow or overwrite an existing executable and potentially result in unexpected code execution under the wheel's control, even if the wheel's installation environment was not explicitly added to `PATH` by the user.\n\nIn order to exploit this vulnerability, the attacker must induce their target into installing a malicious wheel.\n\n### Patches\n\nuv 0.11.15 and newer address this vulnerability. 
Users are encouraged to upgrade to 0.11.15.\n\n### Workarounds\n\nThere is no workaround other than upgrading to uv 0.11.15.", "references": [ { "reference_url": "https://github.com/astral-sh/uv", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/astral-sh/uv" }, { "reference_url": "https://github.com/astral-sh/uv/security/advisories/GHSA-4gg8-gxpx-9rph", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/astral-sh/uv/security/advisories/GHSA-4gg8-gxpx-9rph" }, { "reference_url": "https://github.com/advisories/GHSA-4gg8-gxpx-9rph", "reference_id": "GHSA-4gg8-gxpx-9rph", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4gg8-gxpx-9rph" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/515490?format=api", "purl": "pkg:cargo/uv@0.11.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/uv@0.11.15" } ], "aliases": [ "GHSA-4gg8-gxpx-9rph" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a171-rj2a-uuaw" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:cargo/uv@0.11.15" }