Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/onefuzz@2.15.0
Typepypi
Namespace
Nameonefuzz
Version2.15.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.31.0
Latest_non_vulnerable_version2.31.0
Affected_by_vulnerabilities
0
url VCID-7dd4-wggf-t3g8
vulnerability_id VCID-7dd4-wggf-t3g8
summary OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-37705
reference_id
reference_type
scores
0
value 0.00466
scoring_system epss
scoring_elements 0.64858
published_at 2026-06-11T12:55:00Z
1
value 0.00466
scoring_system epss
scoring_elements 0.64958
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-37705
1
reference_url https://github.com/microsoft/onefuzz
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/microsoft/onefuzz
2
reference_url https://github.com/microsoft/onefuzz/commit/2fcb4998887959b4fa11894a068d689189742cb1
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/microsoft/onefuzz/commit/2fcb4998887959b4fa11894a068d689189742cb1
3
reference_url https://github.com/microsoft/onefuzz/pull/1153
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/microsoft/onefuzz/pull/1153
4
reference_url https://github.com/microsoft/onefuzz/releases/tag/2.31.0
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/microsoft/onefuzz/releases/tag/2.31.0
5
reference_url https://github.com/microsoft/onefuzz/security/advisories/GHSA-q5vh-6whw-x745
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/microsoft/onefuzz/security/advisories/GHSA-q5vh-6whw-x745
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/onefuzz/PYSEC-2021-344.yaml
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/onefuzz/PYSEC-2021-344.yaml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-37705
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-37705
8
reference_url https://pypi.org/project/onefuzz
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 9.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://pypi.org/project/onefuzz
9
reference_url https://pypi.org/project/onefuzz/
reference_id
reference_type
scores
url https://pypi.org/project/onefuzz/
10
reference_url https://github.com/advisories/GHSA-q5vh-6whw-x745
reference_id GHSA-q5vh-6whw-x745
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q5vh-6whw-x745
fixed_packages
0
url pkg:pypi/onefuzz@2.31.0
purl pkg:pypi/onefuzz@2.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/onefuzz@2.31.0
aliases CVE-2021-37705, GHSA-q5vh-6whw-x745, PYSEC-2021-344
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7dd4-wggf-t3g8
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/onefuzz@2.15.0