{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","type":"deb","namespace":"debian","name":"apr-util","version":"1.3.9+dfsg-5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.6.1-5+deb11u1","latest_non_vulnerable_version":"1.6.1-5+deb11u1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58717?format=json","vulnerability_id":"VCID-dsmr-qb7w-uucb","summary":"Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer.     This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25147.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25147.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25147","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18757","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18833","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18835","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18794","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25147"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25147","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25147"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2169652","reference_id":"2169652","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2169652"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3109","reference_id":"RHSA-2023:3109","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3109"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3145","reference_id":"RHSA-2023:3145","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3145"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3146","reference_id":"RHSA-2023:3146","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3146"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3147","reference_id":"RHSA-2023:3147","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3147"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3177","reference_id":"RHSA-2023:3177","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3177"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3178","reference_id":"RHSA-2023:3178","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3178"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3354","reference_id":"RHSA-2023:3354","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3354"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3355","reference_id":"RHSA-2023:3355","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3355"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3360","reference_id":"RHSA-2023:3360","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3360"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3380","reference_id":"RHSA-2023:3380","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3380"},{"reference_url":"https://usn.ubuntu.com/5870-1/","reference_id":"USN-5870-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5870-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/921576?format=json","purl":"pkg:deb/debian/apr-util@1.6.1-5%2Bdeb11u1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.6.1-5%252Bdeb11u1"}],"aliases":["CVE-2022-25147"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dsmr-qb7w-uucb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58716?format=json","vulnerability_id":"VCID-syc1-pm1k-4ucv","summary":"Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12618.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12618.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12618","reference_id":"","reference_type":"","scores":[{"value":"0.00922","scoring_system":"epss","scoring_elements":"0.76364","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00922","scoring_system":"epss","scoring_elements":"0.76384","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00922","scoring_system":"epss","scoring_elements":"0.76392","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00922","scoring_system":"epss","scoring_elements":"0.76394","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12618"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"1.4","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:M/C:N/I:N/A:P"},{"value":"2.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1506532","reference_id":"1506532","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1506532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879996","reference_id":"879996","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879996"},{"reference_url":"https://security.archlinux.org/ASA-201710-33","reference_id":"ASA-201710-33","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201710-33"},{"reference_url":"https://security.archlinux.org/AVG-468","reference_id":"AVG-468","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-468"},{"reference_url":"https://usn.ubuntu.com/5737-1/","reference_id":"USN-5737-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5737-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517600?format=json","purl":"pkg:deb/debian/apr-util@1.6.1-4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.6.1-4"}],"aliases":["CVE-2017-12618"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-syc1-pm1k-4ucv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51007?format=json","vulnerability_id":"VCID-2zx1-eaw8-kfgd","summary":"A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1955.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1955.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1955","reference_id":"","reference_type":"","scores":[{"value":"0.02329","scoring_system":"epss","scoring_elements":"0.85119","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02329","scoring_system":"epss","scoring_elements":"0.85144","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02329","scoring_system":"epss","scoring_elements":"0.85149","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02329","scoring_system":"epss","scoring_elements":"0.85143","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1955"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=504555","reference_id":"504555","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=504555"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2009-1955.json","reference_id":"CVE-2009-1955","reference_type":"","scores":[{"value":"moderate","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2009-1955.json"},{"reference_url":"https://security.gentoo.org/glsa/200907-03","reference_id":"GLSA-200907-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200907-03"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/8842.pl","reference_id":"OSVDB-55057;CVE-2009-1955","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/8842.pl"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1107","reference_id":"RHSA-2009:1107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1108","reference_id":"RHSA-2009:1108","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1108"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1160","reference_id":"RHSA-2009:1160","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1160"},{"reference_url":"https://usn.ubuntu.com/786-1/","reference_id":"USN-786-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/786-1/"},{"reference_url":"https://usn.ubuntu.com/787-1/","reference_id":"USN-787-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/787-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"},{"vulnerability":"VCID-syc1-pm1k-4ucv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}],"aliases":["CVE-2009-1955"],"risk_score":9.6,"exploitability":"2.0","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2zx1-eaw8-kfgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51002?format=json","vulnerability_id":"VCID-5275-kg9r-n7a2","summary":"A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0023.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0023.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0023","reference_id":"","reference_type":"","scores":[{"value":"0.14793","scoring_system":"epss","scoring_elements":"0.94627","published_at":"2026-06-04T12:55:00Z"},{"value":"0.14793","scoring_system":"epss","scoring_elements":"0.94636","published_at":"2026-06-06T12:55:00Z"},{"value":"0.14793","scoring_system":"epss","scoring_elements":"0.94637","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0023"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=503928","reference_id":"503928","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=503928"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2009-0023.json","reference_id":"CVE-2009-0023","reference_type":"","scores":[{"value":"moderate","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2009-0023.json"},{"reference_url":"https://security.gentoo.org/glsa/200907-03","reference_id":"GLSA-200907-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200907-03"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1107","reference_id":"RHSA-2009:1107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1108","reference_id":"RHSA-2009:1108","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1108"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1160","reference_id":"RHSA-2009:1160","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1160"},{"reference_url":"https://usn.ubuntu.com/786-1/","reference_id":"USN-786-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/786-1/"},{"reference_url":"https://usn.ubuntu.com/787-1/","reference_id":"USN-787-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/787-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"},{"vulnerability":"VCID-syc1-pm1k-4ucv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}],"aliases":["CVE-2009-0023"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5275-kg9r-n7a2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51020?format=json","vulnerability_id":"VCID-e8cs-fvsy-b7dd","summary":"A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-1623.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-1623.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-1623","reference_id":"","reference_type":"","scores":[{"value":"0.28285","scoring_system":"epss","scoring_elements":"0.96591","published_at":"2026-06-04T12:55:00Z"},{"value":"0.28285","scoring_system":"epss","scoring_elements":"0.96594","published_at":"2026-06-05T12:55:00Z"},{"value":"0.28285","scoring_system":"epss","scoring_elements":"0.96599","published_at":"2026-06-06T12:55:00Z"},{"value":"0.28285","scoring_system":"epss","scoring_elements":"0.96598","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-1623"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=640281","reference_id":"640281","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=640281"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2010-1623.json","reference_id":"CVE-2010-1623","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2010-1623.json"},{"reference_url":"https://security.gentoo.org/glsa/201405-24","reference_id":"GLSA-201405-24","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201405-24"},{"reference_url":"https://access.redhat.com/errata/RHSA-2010:0950","reference_id":"RHSA-2010:0950","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2010:0950"},{"reference_url":"https://usn.ubuntu.com/1021-1/","reference_id":"USN-1021-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1021-1/"},{"reference_url":"https://usn.ubuntu.com/1022-1/","reference_id":"USN-1022-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1022-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"},{"vulnerability":"VCID-syc1-pm1k-4ucv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}],"aliases":["CVE-2010-1623"],"risk_score":1.1,"exploitability":"0.5","weighted_severity":"2.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e8cs-fvsy-b7dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51009?format=json","vulnerability_id":"VCID-g837-8mzy-h3be","summary":"A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2412.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2412.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2412","reference_id":"","reference_type":"","scores":[{"value":"0.07751","scoring_system":"epss","scoring_elements":"0.92088","published_at":"2026-06-04T12:55:00Z"},{"value":"0.07751","scoring_system":"epss","scoring_elements":"0.921","published_at":"2026-06-05T12:55:00Z"},{"value":"0.07751","scoring_system":"epss","scoring_elements":"0.92097","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07751","scoring_system":"epss","scoring_elements":"0.92095","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2412"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=515698","reference_id":"515698","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=515698"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2009-2412.json","reference_id":"CVE-2009-2412","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2009-2412.json"},{"reference_url":"https://security.gentoo.org/glsa/200909-03","reference_id":"GLSA-200909-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200909-03"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1204","reference_id":"RHSA-2009:1204","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1204"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1205","reference_id":"RHSA-2009:1205","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1205"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1462","reference_id":"RHSA-2009:1462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1462"},{"reference_url":"https://usn.ubuntu.com/813-1/","reference_id":"USN-813-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/813-1/"},{"reference_url":"https://usn.ubuntu.com/813-2/","reference_id":"USN-813-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/813-2/"},{"reference_url":"https://usn.ubuntu.com/813-3/","reference_id":"USN-813-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/813-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"},{"vulnerability":"VCID-syc1-pm1k-4ucv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}],"aliases":["CVE-2009-2412"],"risk_score":1.1,"exploitability":"0.5","weighted_severity":"2.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g837-8mzy-h3be"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51008?format=json","vulnerability_id":"VCID-r9vj-qa89-hqan","summary":"An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1956.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1956.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1956","reference_id":"","reference_type":"","scores":[{"value":"0.05415","scoring_system":"epss","scoring_elements":"0.90307","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05415","scoring_system":"epss","scoring_elements":"0.90323","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05415","scoring_system":"epss","scoring_elements":"0.90321","published_at":"2026-06-06T12:55:00Z"},{"value":"0.05415","scoring_system":"epss","scoring_elements":"0.90319","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1956"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=504390","reference_id":"504390","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=504390"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2009-1956.json","reference_id":"CVE-2009-1956","reference_type":"","scores":[{"value":"moderate","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2009-1956.json"},{"reference_url":"https://security.gentoo.org/glsa/200907-03","reference_id":"GLSA-200907-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/200907-03"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1107","reference_id":"RHSA-2009:1107","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1107"},{"reference_url":"https://access.redhat.com/errata/RHSA-2009:1108","reference_id":"RHSA-2009:1108","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2009:1108"},{"reference_url":"https://usn.ubuntu.com/786-1/","reference_id":"USN-786-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/786-1/"},{"reference_url":"https://usn.ubuntu.com/787-1/","reference_id":"USN-787-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/787-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517596?format=json","purl":"pkg:deb/debian/apr-util@1.3.9%2Bdfsg-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dsmr-qb7w-uucb"},{"vulnerability":"VCID-syc1-pm1k-4ucv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}],"aliases":["CVE-2009-1956"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9vj-qa89-hqan"}],"risk_score":"3.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apr-util@1.3.9%252Bdfsg-5"}