{"url":"http://public2.vulnerablecode.io/api/packages/580418?format=json","purl":"pkg:deb/debian/cfitsio@3.410-1","type":"deb","namespace":"debian","name":"cfitsio","version":"3.410-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.450-3","latest_non_vulnerable_version":"3.450-3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62434?format=json","vulnerability_id":"VCID-7uu1-f6gx-67hx","summary":"Multiple exploitable buffer overflow vulnerabilities exist in image parsing functionality of the CFITSIO library version 3.42. Specially crafted images parsed via the library, can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3847","reference_id":"","reference_type":"","scores":[{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65355","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65407","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65417","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65406","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65397","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3847"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3847","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3847"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458","reference_id":"892458","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458"},{"reference_url":"https://security.gentoo.org/glsa/202101-24","reference_id":"GLSA-202101-24","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202101-24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/580419?format=json","purl":"pkg:deb/debian/cfitsio@3.450-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.450-3"}],"aliases":["CVE-2018-3847"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7uu1-f6gx-67hx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62440?format=json","vulnerability_id":"VCID-b926-fwbr-yfhx","summary":"NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1010060","reference_id":"","reference_type":"","scores":[{"value":"0.18171","scoring_system":"epss","scoring_elements":"0.95314","published_at":"2026-06-04T12:55:00Z"},{"value":"0.18171","scoring_system":"epss","scoring_elements":"0.95321","published_at":"2026-06-05T12:55:00Z"},{"value":"0.18171","scoring_system":"epss","scoring_elements":"0.95323","published_at":"2026-06-06T12:55:00Z"},{"value":"0.18171","scoring_system":"epss","scoring_elements":"0.95326","published_at":"2026-06-08T12:55:00Z"},{"value":"0.18171","scoring_system":"epss","scoring_elements":"0.95329","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1010060"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010060","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010060"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458","reference_id":"892458","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/580419?format=json","purl":"pkg:deb/debian/cfitsio@3.450-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.450-3"}],"aliases":["CVE-2019-1010060"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b926-fwbr-yfhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62438?format=json","vulnerability_id":"VCID-mq8f-xg4f-p7b4","summary":"In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3849.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3849.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3849","reference_id":"","reference_type":"","scores":[{"value":"0.01639","scoring_system":"epss","scoring_elements":"0.82279","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01639","scoring_system":"epss","scoring_elements":"0.82308","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01639","scoring_system":"epss","scoring_elements":"0.82307","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01639","scoring_system":"epss","scoring_elements":"0.82301","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01639","scoring_system":"epss","scoring_elements":"0.82315","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3849"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3849","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3849"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568185","reference_id":"1568185","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568185"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458","reference_id":"892458","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458"},{"reference_url":"https://security.gentoo.org/glsa/202101-24","reference_id":"GLSA-202101-24","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202101-24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/580419?format=json","purl":"pkg:deb/debian/cfitsio@3.450-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.450-3"}],"aliases":["CVE-2018-3849"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mq8f-xg4f-p7b4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62430?format=json","vulnerability_id":"VCID-tw8c-4zwu-zqah","summary":"In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3846.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3846.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3846","reference_id":"","reference_type":"","scores":[{"value":"0.0179","scoring_system":"epss","scoring_elements":"0.83091","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0179","scoring_system":"epss","scoring_elements":"0.83118","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0179","scoring_system":"epss","scoring_elements":"0.83114","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0179","scoring_system":"epss","scoring_elements":"0.83107","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0179","scoring_system":"epss","scoring_elements":"0.83119","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3846"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3846","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3846"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1563913","reference_id":"1563913","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1563913"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458","reference_id":"892458","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458"},{"reference_url":"https://security.gentoo.org/glsa/202101-24","reference_id":"GLSA-202101-24","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202101-24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/580419?format=json","purl":"pkg:deb/debian/cfitsio@3.450-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.450-3"}],"aliases":["CVE-2018-3846"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tw8c-4zwu-zqah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62437?format=json","vulnerability_id":"VCID-wb5k-e98m-aybk","summary":"In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3848.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3848.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3848","reference_id":"","reference_type":"","scores":[{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.80213","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.80237","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.8024","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.80236","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.80229","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01319","scoring_system":"epss","scoring_elements":"0.80249","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3848"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3848","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3848"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568180","reference_id":"1568180","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568180"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458","reference_id":"892458","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458"},{"reference_url":"https://security.gentoo.org/glsa/202101-24","reference_id":"GLSA-202101-24","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202101-24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/580419?format=json","purl":"pkg:deb/debian/cfitsio@3.450-3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.450-3"}],"aliases":["CVE-2018-3848"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wb5k-e98m-aybk"}],"fixing_vulnerabilities":[],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cfitsio@3.410-1"}