Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/713088?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/713088?format=api", "purl": "pkg:npm/remark-images-download@2.0.0", "type": "npm", "namespace": "", "name": "remark-images-download", "version": "2.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.1.0", "latest_non_vulnerable_version": "3.1.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46940?format=api", "vulnerability_id": "VCID-wphk-qc82-u3da", "summary": "Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images\nA major blind SSRF has been found in `remark-images-download`, which allowed\nfor requests to be made to neighboring servers on local IP ranges.\nThe issue came from a loose filtering of URLs inside the module.\n\nImagine a server running on a private network `192.168.1.0/24`.\nA private service serving images is running on `192.168.1.2`, and\nis not expected to be accessed by users. A machine is running\n`remark-images-download` on the neighboring `192.168.1.3` host.\nAn user enters the following Markdown:\n\n```markdown\n\n```\n\nThe image is downloaded by the server and included inside the resulting\ndocument. 
Hence, the user has access to the private image.\n\nIt has been corrected by preventing image downloads from\nlocal IP ranges, both in IPv4 and IPv6.\nTo avoid malicious domain names, resolved local IPs are also\nforbidden inside the module.\nThis vulnerability's impact is moderate, as it can allow access to\nunexposed documents on the local network, and is very easy\nto exploit.", "references": [ { "reference_url": "https://github.com/zestedesavoir/zmarkdown", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zestedesavoir/zmarkdown" }, { "reference_url": "https://github.com/advisories/GHSA-mf74-qq7w-6j7v", "reference_id": "GHSA-mf74-qq7w-6j7v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mf74-qq7w-6j7v" }, { "reference_url": "https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-mf74-qq7w-6j7v", "reference_id": "GHSA-mf74-qq7w-6j7v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-mf74-qq7w-6j7v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68748?format=api", "purl": "pkg:npm/remark-images-download@3.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/remark-images-download@3.1.0" } ], "aliases": [ "GHSA-mf74-qq7w-6j7v", "GMS-2024-73" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wphk-qc82-u3da" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/remark-images-download@2.0.0" }