Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/561419?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/561419?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.3", "type": "maven", "namespace": "org.apache.jackrabbit", "name": "jackrabbit-webdav", "version": "2.4.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.20.11", "latest_non_vulnerable_version": "2.21.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30320?format=api", "vulnerability_id": "VCID-6xn7-25dp-33c5", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-6801", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58539", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58651", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58666", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58656", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-6801" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801" }, { "reference_url": "https://github.com/apache/jackrabbit", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/jackrabbit" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf" }, { "reference_url": "https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca" }, { "reference_url": "https://issues.apache.org/jira/browse/JCR-4009", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/JCR-4009" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6801", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6801" }, { "reference_url": "https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3679", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.debian.org/security/2016/dsa-3679" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2016/09/14/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204", "reference_id": "838204", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204" }, { "reference_url": "https://github.com/advisories/GHSA-9fc7-rhq3-wm7x", "reference_id": "GHSA-9fc7-rhq3-wm7x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9fc7-rhq3-wm7x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/386509?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/386510?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/386511?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/386512?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/386513?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/386514?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ntd8-dnvq-cqa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3" } ], "aliases": [ "CVE-2016-6801", "GHSA-9fc7-rhq3-wm7x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xn7-25dp-33c5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/138387?format=api", "vulnerability_id": "VCID-ntd8-dnvq-cqa8", "summary": "Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\n\nUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\n\nIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\n\nHow to check whether RMI support is enabledRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\n\nThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\n\nRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user's control.\n\nTurning off RMIFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\n\n <servlet>\n <servlet-name>RMI</servlet-name>\n <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>\n </servlet>\n\n <servlet-mapping>\n <servlet-name>RMI</servlet-name>\n <url-pattern>/rmi</url-pattern>\n </servlet-mapping>\n\nFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\n\n rmi.enabled=false\n\n and also remove\n\n rmi.host\n rmi.port\n rmi.url-pattern\n\n If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37895", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.10007", "scoring_system": "epss", "scoring_elements": "0.93221", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.10007", "scoring_system": "epss", "scoring_elements": "0.93246", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.10007", "scoring_system": "epss", "scoring_elements": "0.93245", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.10007", "scoring_system": "epss", "scoring_elements": "0.93243", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37895" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895" }, { "reference_url": "https://github.com/apache/jackrabbit", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/jackrabbit" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37895", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37895" }, { "reference_url": "http://seclists.org/fulldisclosure/2023/Jul/43", "reference_id": "43", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/" } ], "url": "http://seclists.org/fulldisclosure/2023/Jul/43" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/07/25/8", "reference_id": "8", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8" }, { "reference_url": "https://github.com/advisories/GHSA-q8cm-3v62-jj79", "reference_id": "GHSA-q8cm-3v62-jj79", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q8cm-3v62-jj79" }, { "reference_url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw", "reference_id": "j03b3qdhborc2jrhdc4d765d3jkh8bfw", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/" } ], "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw" }, { "reference_url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org", "reference_id": "list.html?users@jackrabbit.apache.org", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/" } ], "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/393968?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/393969?format=api", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18" } ], "aliases": [ "CVE-2023-37895", "GHSA-q8cm-3v62-jj79" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ntd8-dnvq-cqa8" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.3" }