{"url":"http://public2.vulnerablecode.io/api/packages/516076?format=json","purl":"pkg:deb/debian/shadowsocks-libev@2.6.3%2Bds-3%2Bdeb9u1~bpo8%2B1","type":"deb","namespace":"debian","name":"shadowsocks-libev","version":"2.6.3+ds-3+deb9u1~bpo8+1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.3.5+ds-4","latest_non_vulnerable_version":"3.3.5+ds-4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100889?format=json","vulnerability_id":"VCID-gdk7-gwnx-9qae","summary":"An exploitable code execution vulnerability exists in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted network packets sent to ss-manager can cause an arbitrary binary to run, resulting in code execution and privilege escalation. An attacker can send network packets to trigger this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5164","reference_id":"","reference_type":"","scores":[{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62814","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62858","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62866","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62857","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62842","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5164"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5164","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5164"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/557687?format=json","purl":"pkg:deb/debian/shadowsocks-libev@3.3.5%2Bds-4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shadowsocks-libev@3.3.5%252Bds-4"}],"aliases":["CVE-2019-5164"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gdk7-gwnx-9qae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100886?format=json","vulnerability_id":"VCID-mr46-5hbt-wkgm","summary":"In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15924","reference_id":"","reference_type":"","scores":[{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.64","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.64042","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.64051","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.6404","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.64028","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.64048","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15924"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15924","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15924"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516077?format=json","purl":"pkg:deb/debian/shadowsocks-libev@2.6.3%2Bds-3%2Bdeb9u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdk7-gwnx-9qae"},{"vulnerability":"VCID-mr46-5hbt-wkgm"},{"vulnerability":"VCID-q9e9-6jqm-h3at"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shadowsocks-libev@2.6.3%252Bds-3%252Bdeb9u1"},{"url":"http://public2.vulnerablecode.io/api/packages/537682?format=json","purl":"pkg:deb/debian/shadowsocks-libev@3.2.0%2Bds-3~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdk7-gwnx-9qae"},{"vulnerability":"VCID-q9e9-6jqm-h3at"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shadowsocks-libev@3.2.0%252Bds-3~bpo8%252B1"}],"aliases":["CVE-2017-15924"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mr46-5hbt-wkgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100888?format=json","vulnerability_id":"VCID-q9e9-6jqm-h3at","summary":"An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5163","reference_id":"","reference_type":"","scores":[{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65711","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65763","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65775","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65762","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65752","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.6577","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5163"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5163","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5163"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/557687?format=json","purl":"pkg:deb/debian/shadowsocks-libev@3.3.5%2Bds-4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shadowsocks-libev@3.3.5%252Bds-4"}],"aliases":["CVE-2019-5163"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q9e9-6jqm-h3at"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shadowsocks-libev@2.6.3%252Bds-3%252Bdeb9u1~bpo8%252B1"}