Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/52807?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52807?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5", "type": "maven", "namespace": "org.apache.struts", "name": "struts2-core", "version": "2.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.5.1", "latest_non_vulnerable_version": "7.1.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38669?format=api", "vulnerability_id": "VCID-21k4-5a8r-7bd9", "summary": "Improper Input Validation\nIf an application allows to enter an URL in a form field and built-in `URLValidator` is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.", "references": [ { "reference_url": "http://struts.apache.org/docs/s2-047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://struts.apache.org/docs/s2-047.html" }, { "reference_url": "http://www.securityfocus.com/bid/99563", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/99563" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7672", "reference_id": "CVE-2017-7672", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7672" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53731?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrky-nmnv-g3eu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12" } ], "aliases": [ "CVE-2017-7672" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-21k4-5a8r-7bd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40350?format=api", "vulnerability_id": "VCID-7uv9-4vy7-ryd1", "summary": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation\nApache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, action set, and it's upper actions have no or wildcard namespace.", "references": [ { "reference_url": "https://cwiki.apache.org/confluence/display/WW/S2-057", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cwiki.apache.org/confluence/display/WW/S2-057" }, { "reference_url": "https://github.com/apache/struts", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/struts" }, { "reference_url": "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e" }, { "reference_url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776" }, { "reference_url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "reference_url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012", "reference_id": "", "reference_type": "", "scores": [], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180822-0001", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180822-0001" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20181018-0002", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20181018-0002" }, { "reference_url": "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125" }, { "reference_url": "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888" }, { "reference_url": "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776" }, { "reference_url": "https://www.exploit-db.com/exploits/45260", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/45260" }, { "reference_url": "https://www.exploit-db.com/exploits/45262", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/45262" }, { "reference_url": "https://www.exploit-db.com/exploits/45367", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/45367" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2020.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11776", "reference_id": "CVE-2018-11776", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11776" }, { "reference_url": "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC", "reference_id": "CVE-2018-11776-PYTHON-POC", "reference_type": "", "scores": [], "url": "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC" }, { "reference_url": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65", "reference_id": "GHSA-cr6j-3jp9-rw65", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56788?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.17" } ], "aliases": [ "CVE-2018-11776", "GHSA-cr6j-3jp9-rw65" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7uv9-4vy7-ryd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38856?format=api", "vulnerability_id": "VCID-dvxu-9sh6-qbef", "summary": "Improper Input Validation\nUsing an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.", "references": [ { "reference_url": "https://struts.apache.org/docs/s2-053.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://struts.apache.org/docs/s2-053.html" }, { "reference_url": "http://www.securityfocus.com/bid/100829", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100829" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12611", "reference_id": "CVE-2017-12611", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12611" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53731?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrky-nmnv-g3eu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12" } ], "aliases": [ "CVE-2017-12611" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dvxu-9sh6-qbef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38860?format=api", "vulnerability_id": "VCID-hrky-nmnv-g3eu", "summary": "Improper Input Validation\nIf an application allows entering a URL in a form field and built-in `URLValidator` is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.", "references": [ { "reference_url": "https://struts.apache.org/docs/s2-050.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://struts.apache.org/docs/s2-050.html" }, { "reference_url": "http://www.securityfocus.com/bid/100612", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100612" }, { "reference_url": "http://www.securitytracker.com/id/1039261", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1039261" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9804", "reference_id": "CVE-2017-9804", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9804" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54101?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.13" } ], "aliases": [ "CVE-2017-9804" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrky-nmnv-g3eu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38668?format=api", "vulnerability_id": "VCID-mmth-7rgf-aqfa", "summary": "Uncontrolled Resource Consumption\nWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.", "references": [ { "reference_url": "http://struts.apache.org/docs/s2-049.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://struts.apache.org/docs/s2-049.html" }, { "reference_url": "http://www.securityfocus.com/bid/99562", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/99562" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9787", "reference_id": "CVE-2017-9787", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9787" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53731?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrky-nmnv-g3eu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12" } ], "aliases": [ "CVE-2017-9787" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mmth-7rgf-aqfa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38152?format=api", "vulnerability_id": "VCID-qdsq-8td3-5qa1", "summary": "Improper Input Validation\nThe `URLValidator` class in Apache Struts 2 allows remote attackers to cause a denial of service via a `null` value for a URL field.", "references": [ { "reference_url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114" }, { "reference_url": "http://jvn.jp/en/jp/JVN12352818/index.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvn.jp/en/jp/JVN12352818/index.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1348253", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1348253" }, { "reference_url": "https://struts.apache.org/docs/s2-041.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://struts.apache.org/docs/s2-041.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4465", "reference_id": "CVE-2016-4465", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52809?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.1" } ], "aliases": [ "CVE-2016-4465" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qdsq-8td3-5qa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38858?format=api", "vulnerability_id": "VCID-ybuw-727z-r3eb", "summary": "Improper Input Validation\nIn Apache Struts, if an application allows entering a URL in a form field and the built-in `URLValidator` is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.", "references": [ { "reference_url": "https://struts.apache.org/docs/s2-044.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://struts.apache.org/docs/s2-044.html" }, { "reference_url": "http://www.securityfocus.com/bid/94657", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/94657" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8738", "reference_id": "CVE-2016-8738", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8738" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53734?format=api", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-21k4-5a8r-7bd9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.8" } ], "aliases": [ "CVE-2016-8738" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ybuw-727z-r3eb" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5" }