Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/84000?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/84000?format=api", "purl": "pkg:golang/github.com/coreos/ignition/v2@2.14.0", "type": "golang", "namespace": "github.com/coreos/ignition", "name": "v2", "version": "2.14.0", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58810?format=api", "vulnerability_id": "VCID-gs98-cpw6-1ucd", "summary": "Duplicate advisory: Configuration exposure in github.com/coreos/ignition\n## Duplicate Advisory\nThis advisory is a duplicate of [GHSA-hj57-j5cw-2mwp](https://github.com/advisories/GHSA-hj57-j5cw-2mwp). This link is preserved to maintain external references.\n\n## Original Description\nA vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config.", "references": [ { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2082274", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2082274" }, { "reference_url": "https://github.com/coreos/ignition", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition" }, { "reference_url": "https://github.com/coreos/ignition/commit/4b70b44b430ecf8377a276e89b5acd3a6957d4ea", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/commit/4b70b44b430ecf8377a276e89b5acd3a6957d4ea" }, { "reference_url": "https://github.com/coreos/ignition/issues/1300", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/issues/1300" }, { "reference_url": "https://github.com/coreos/ignition/issues/1315", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/issues/1315" }, { "reference_url": "https://github.com/coreos/ignition/pull/1350", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/pull/1350" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LY7LKGMQMXV6DGD263YQHNSLOJJ5VLV5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LY7LKGMQMXV6DGD263YQHNSLOJJ5VLV5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NP765L7TJI7CD4XVOHUWZVRYRH3FYBOR", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NP765L7TJI7CD4XVOHUWZVRYRH3FYBOR" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5QQXRGQKTN4YX2ZF3GQNEBDEOKJGCN3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5QQXRGQKTN4YX2ZF3GQNEBDEOKJGCN3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1706", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1706" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84000?format=api", "purl": "pkg:golang/github.com/coreos/ignition/v2@2.14.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/coreos/ignition/v2@2.14.0" } ], "aliases": [ "GHSA-mjqc-5c9x-xfcc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gs98-cpw6-1ucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57827?format=api", "vulnerability_id": "VCID-y131-2ntq-hfdn", "summary": "Ignition config accessible to unprivileged software on VMware\n### Impact\nUnprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.\n\n### Patches\nIgnition 2.14.0 and later [adds](https://github.com/coreos/ignition/pull/1350) a new systemd service, `ignition-delete-config.service`, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.\n\nIf you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking `ignition-delete-config.service`. For example:\n\n```json\n{\n \"ignition\": {\n \"version\": \"3.0.0\"\n },\n \"systemd\": {\n \"units\": [\n {\n \"name\": \"ignition-delete-config.service\",\n \"mask\": true\n }\n ]\n }\n}\n```\n\n### Workarounds\n[Avoid storing secrets](https://coreos.github.io/ignition/operator-notes/#secrets) in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it's best to store secrets in a dedicated platform such as [Hashicorp Vault](https://www.vaultproject.io/).\n\n### Advice to Linux distributions\nLinux distributions that ship Ignition should ensure the new `ignition-delete-config.service` is installed and enabled by default.\n\nIn addition, we recommend shipping a service similar to `ignition-delete-config.service` that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking `ignition-delete-config.service` on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.\n\n### References\nFor more information, see #1300 and #1350.\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in Ignition](https://github.com/coreos/ignition/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1706.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1706.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1706", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.6935", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69265", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69237", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69276", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69284", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69264", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69315", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69323", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.6933", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69308", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69172", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69187", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69208", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69189", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69239", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69258", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.6928", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1706" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/coreos/ignition", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition" }, { "reference_url": "https://github.com/coreos/ignition/issues/1300", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/issues/1300" }, { "reference_url": "https://github.com/coreos/ignition/pull/1350", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/pull/1350" }, { "reference_url": "https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014716", "reference_id": "1014716", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014716" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5068", "reference_id": "RHSA-2022:5068", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5068" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8126", "reference_id": "RHSA-2022:8126", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8126" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84000?format=api", "purl": "pkg:golang/github.com/coreos/ignition/v2@2.14.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/coreos/ignition/v2@2.14.0" } ], "aliases": [ "CVE-2022-1706", "GHSA-hj57-j5cw-2mwp" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y131-2ntq-hfdn" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/coreos/ignition/v2@2.14.0" }