Lookup for vulnerable packages by Package URL.

Purl pkg:npm/keystone@4.2.1
Type npm
Namespace
Name keystone
Version 4.2.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-d888-42qr-hueg
vulnerability_id VCID-d888-42qr-hueg
summary
Unrestricted Upload of File with Dangerous Type
An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-29354
reference_id
reference_type
scores
0
value 0.03874
scoring_system epss
scoring_elements 0.88446
published_at 2026-06-04T12:55:00Z
1
value 0.03874
scoring_system epss
scoring_elements 0.88464
published_at 2026-06-05T12:55:00Z
2
value 0.03874
scoring_system epss
scoring_elements 0.88466
published_at 2026-06-06T12:55:00Z
3
value 0.03874
scoring_system epss
scoring_elements 0.88465
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-29354
1
reference_url https://www.youtube.com/watch?v=DOM20FKpQQw
reference_id
reference_type
scores
url https://www.youtube.com/watch?v=DOM20FKpQQw
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-29354
reference_id CVE-2022-29354
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-29354
fixed_packages
aliases CVE-2022-29354
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d888-42qr-hueg
1
url VCID-ppy6-36tw-sqft
vulnerability_id VCID-ppy6-36tw-sqft
summary
Missing Authorization
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
reference_id
reference_type
scores
0
value 0.00321
scoring_system epss
scoring_elements 0.55402
published_at 2026-06-08T12:55:00Z
1
value 0.00321
scoring_system epss
scoring_elements 0.55421
published_at 2026-06-07T12:55:00Z
2
value 0.00321
scoring_system epss
scoring_elements 0.55432
published_at 2026-06-06T12:55:00Z
3
value 0.00321
scoring_system epss
scoring_elements 0.55427
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
1
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
2
reference_url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
3
reference_url https://github.com/keystonejs/keystone/pull/8771
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/pull/8771
4
reference_url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
reference_id CVE-2023-40027
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
6
reference_url https://github.com/advisories/GHSA-9cvc-v7wm-992c
reference_id GHSA-9cvc-v7wm-992c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9cvc-v7wm-992c
7
reference_url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
reference_id GHSA-9cvc-v7wm-992c
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
fixed_packages
0
url pkg:npm/keystone@5.5.1
purl pkg:npm/keystone@5.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@5.5.1
aliases CVE-2023-40027, GHSA-9cvc-v7wm-992c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ppy6-36tw-sqft
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.2.1