Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/15817?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15817?format=api", "vulnerability_id": "VCID-fu4h-rp1z-83eq", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nXWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.", "aliases": [ { "alias": "CVE-2011-2088" }, { "alias": "GHSA-9ccm-g362-2r35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/299725?format=api", "purl": "pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6241-shkt-s7ew" }, { "vulnerability": "VCID-gv5f-auvz-5fda" }, { "vulnerability": "VCID-hkjh-35ye-1ugj" }, { "vulnerability": "VCID-kdsa-599r-eud7" }, { "vulnerability": "VCID-nmgp-r7hb-5ke1" }, { "vulnerability": "VCID-p9xh-frm5-8ucp" }, { "vulnerability": "VCID-q96z-v3bs-k3dg" }, { "vulnerability": "VCID-r28t-sdc5-kbga" }, { "vulnerability": "VCID-tgd1-s1yg-9fdt" }, { "vulnerability": "VCID-ufcq-57q9-53c7" }, { "vulnerability": "VCID-vkb9-11h4-dugp" }, { "vulnerability": "VCID-vnkw-9fa2-zqcm" }, { "vulnerability": "VCID-z1gf-169n-m3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67328?format=api", "purl": "pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6241-shkt-s7ew" }, { "vulnerability": "VCID-fu4h-rp1z-83eq" }, { "vulnerability": "VCID-gv5f-auvz-5fda" }, { "vulnerability": "VCID-hkjh-35ye-1ugj" }, { "vulnerability": "VCID-kdsa-599r-eud7" }, { "vulnerability": "VCID-nmgp-r7hb-5ke1" }, { "vulnerability": "VCID-p9xh-frm5-8ucp" }, { "vulnerability": "VCID-q96z-v3bs-k3dg" }, { "vulnerability": "VCID-r28t-sdc5-kbga" }, { "vulnerability": "VCID-tgd1-s1yg-9fdt" }, { "vulnerability": "VCID-ufcq-57q9-53c7" }, { "vulnerability": "VCID-vkb9-11h4-dugp" }, { "vulnerability": "VCID-vnkw-9fa2-zqcm" }, { "vulnerability": "VCID-z1gf-169n-m3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/299724?format=api", "purl": "pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6241-shkt-s7ew" }, { "vulnerability": "VCID-fu4h-rp1z-83eq" }, { "vulnerability": "VCID-gv5f-auvz-5fda" }, { "vulnerability": "VCID-hkjh-35ye-1ugj" }, { "vulnerability": "VCID-kdsa-599r-eud7" }, { "vulnerability": "VCID-nmgp-r7hb-5ke1" }, { "vulnerability": "VCID-p9xh-frm5-8ucp" }, { "vulnerability": "VCID-q96z-v3bs-k3dg" }, { "vulnerability": "VCID-r28t-sdc5-kbga" }, { "vulnerability": "VCID-tgd1-s1yg-9fdt" }, { "vulnerability": "VCID-ufcq-57q9-53c7" }, { "vulnerability": "VCID-vkb9-11h4-dugp" }, { "vulnerability": "VCID-vnkw-9fa2-zqcm" }, { "vulnerability": "VCID-z1gf-169n-m3af" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1.1" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2088.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2088.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2011-2088", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74628", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74496", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74487", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74522", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74529", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74559", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74585", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74552", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74573", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74402", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74406", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74433", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74408", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.7444", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74458", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.7448", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.7446", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74451", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00825", "scoring_system": "epss", "scoring_elements": "0.74488", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2011-2088" }, { "reference_url": "http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html" }, { "reference_url": "http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html" }, { "reference_url": "https://github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a" }, { "reference_url": "https://issues.apache.org/jira/browse/WW-3579", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/WW-3579" }, { "reference_url": "https://web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006" }, { "reference_url": "https://web.archive.org/web/20201207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20201207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/archive/1/518066/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/518066/100/0/threaded" }, { "reference_url": "http://www.ventuneac.net/security-advisories/MVSA-11-006", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ventuneac.net/security-advisories/MVSA-11-006" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=723829", "reference_id": "723829", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=723829" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2088", "reference_id": "CVE-2011-2088", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2088" }, { "reference_url": "https://github.com/advisories/GHSA-9ccm-g362-2r35", "reference_id": "GHSA-9ccm-g362-2r35", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ccm-g362-2r35" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 200, "name": "Exposure of Sensitive Information to an Unauthorized Actor", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fu4h-rp1z-83eq" }