    pld package: picard
    pld version: 2.1.3
    {'affected': [{'database_specific': {'last_known_affected_version_range': '<= '
    '0.3.1',
    'source': 'https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-x5x2-mfc7-r22f/GHSA-x5x2-mfc7-r22f.json'},
    'package': {'ecosystem': 'npm',
    'name': 'picard',
    'purl': 'pkg:npm/picard'},
    'ranges': [{'events': [{'introduced': '0'}],
    'type': 'SEMVER'}]}],
    'aliases': ['CVE-2017-16194'],
    'database_specific': {'cwe_ids': ['CWE-22'],
    'github_reviewed': True,
    'severity': 'HIGH'},
    'details': 'Affected versions of `picard` resolve relative file paths, '
    'resulting in a directory traversal vulnerability. A malicious '
    'actor can use this vulnerability to access files outside of the '
    'intended directory root, which may result in the disclosure of '
    'private files on the vulnerable system.\n'
    '\n'
    'Example request:\n'
    '```\n'
    'GET /../../../../../../../../../../etc/passwd HTTP/1.1\n'
    'host:foo\n'
    '```\n'
    '\n'
    '\n'
    '## Recommendation\n'
    '\n'
    'No patch is available for this vulnerability.\n'
    '\n'
    'It is recommended that the package is only used for local '
    'development, and if the functionality is needed for production, a '
    'different package is used instead.',
    'id': 'GHSA-x5x2-mfc7-r22f',
    'modified': '2020-08-31T18:23:04Z',
    'published': '2018-07-23T20:40:20Z',
    'references': [{'type': 'ADVISORY',
    'url': 'https://nvd.nist.gov/vuln/detail/CVE-2017-16194'},
    {'type': 'WEB',
    'url': 'https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/picard'},
    {'type': 'ADVISORY',
    'url': 'https://github.com/advisories/GHSA-x5x2-mfc7-r22f'},
    {'type': 'WEB',
    'url': 'https://nodesecurity.io/advisories/436'},
    {'type': 'WEB', 'url': 'https://www.npmjs.com/advisories/436'}],
    'schema_version': '1.3.0',
    'summary': 'Directory Traversal in picard'}

    pld package: python-cjson
    pld version: 1.0.5
    {'affected': [{'database_specific': {'source': 'https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-95jp-77w6-qj52/GHSA-95jp-77w6-qj52.json'},
    'package': {'ecosystem': 'PyPI',
    'name': 'python-cjson',
    'purl': 'pkg:pypi/python-cjson'},
    'ranges': [{'events': [{'introduced': '0'}, {'fixed': '1.1.0'}],
    'type': 'ECOSYSTEM'}],
    'versions': ['1.0.0',
    '1.0.1',
    '1.0.2',
    '1.0.3',
    '1.0.4',
    '1.0.5']}],
    'aliases': ['CVE-2009-4924'],
    'database_specific': {'cwe_ids': ['CWE-79'],
    'github_reviewed': True,
    'severity': 'MODERATE'},
    'details': "Python-cjson 1.0.5 does not properly handle a ['/'] argument to "
    'cjson.encode, which makes it easier for remote attackers to '
    'conduct certain cross-site scripting (XSS) attacks involving '
    'Firefox and the end tag of a SCRIPT element.',
    'id': 'GHSA-95jp-77w6-qj52',
    'modified': '2022-09-19T03:05:55.012169Z',
    'published': '2021-12-06T18:17:45Z',
    'references': [{'type': 'ADVISORY',
    'url': 'https://nvd.nist.gov/vuln/detail/CVE-2009-4924'},
    {'type': 'WEB',
    'url': 'https://github.com/pypa/advisory-db/tree/main/vulns/python-cjson/PYSEC-2010-26.yaml'},
    {'type': 'WEB',
    'url': 'http://pypi.python.org/pypi/python-cjson/'},
    {'type': 'WEB',
    'url': 'http://t3.dotgnu.info/blog/insecurity/quotes-dont-help.html'}],
    'schema_version': '1.3.0',
    'summary': 'Cross-site Scripting in python-cjson'}
    {'affected': [{'database_specific': {'last_known_affected_version_range': '<= '
    '1.0.5',
    'source': 'https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cqmh-mpx2-g633/GHSA-cqmh-mpx2-g633.json'},
    'package': {'ecosystem': 'PyPI',
    'name': 'python-cjson',
    'purl': 'pkg:pypi/python-cjson'},
    'ranges': [{'events': [{'introduced': '0'},
    {'fixed': '1.0.5.1'}],
    'type': 'ECOSYSTEM'}],
    'versions': ['1.0.0',
    '1.0.1',
    '1.0.2',
    '1.0.3',
    '1.0.4',
    '1.0.5']}],
    'aliases': ['CVE-2010-1666'],
    'database_specific': {'cwe_ids': ['CWE-119'],
    'github_reviewed': True,
    'severity': 'MODERATE'},
    'details': 'Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 '
    'encoding is enabled, allows context-dependent attackers to cause '
    'a denial of service (application crash) or possibly have '
    'unspecified other impact via vectors involving crafted Unicode '
    'input to the cjson.encode function.',
    'id': 'GHSA-cqmh-mpx2-g633',
    'modified': '2022-09-21T03:37:35.121147Z',
    'published': '2022-05-17T05:49:38Z',
    'references': [{'type': 'ADVISORY',
    'url': 'https://nvd.nist.gov/vuln/detail/CVE-2010-1666'},
    {'type': 'WEB',
    'url': 'https://github.com/AGProjects/python-cjson/commit/dc2b8781b8666de5ca707318521f554904fdd690'},
    {'type': 'WEB',
    'url': 'https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274'},
    {'type': 'PACKAGE',
    'url': 'https://github.com/AGProjects/python-cjson'},
    {'type': 'ADVISORY',
    'url': 'https://github.com/advisories/GHSA-cqmh-mpx2-g633'},
    {'type': 'WEB',
    'url': 'https://github.com/pypa/advisory-database/tree/main/vulns/python-cjson/PYSEC-2010-30.yaml'},
    {'type': 'WEB', 'url': 'http://secunia.com/advisories/40335'},
    {'type': 'WEB', 'url': 'http://secunia.com/advisories/40500'},
    {'type': 'WEB',
    'url': 'http://www.debian.org/security/2010/dsa-2068'},
    {'type': 'WEB',
    'url': 'http://www.vupen.com/english/advisories/2010/1774'}],
    'schema_version': '1.3.0',
    'summary': 'Improper Restriction of Operations within the Bounds of a Memory '
    'Buffer in python-cjson'}
    {'affected': [{'database_specific': {'source': 'https://github.com/pypa/advisory-database/blob/main/vulns/python-cjson/PYSEC-2010-26.yaml'},
    'package': {'ecosystem': 'PyPI',
    'name': 'python-cjson',
    'purl': 'pkg:pypi/python-cjson'},
    'ranges': [{'events': [{'introduced': '0'}, {'fixed': '1.1.0'}],
    'type': 'ECOSYSTEM'}],
    'versions': ['1.0.0',
    '1.0.1',
    '1.0.2',
    '1.0.3',
    '1.0.4',
    '1.0.5']}],
    'aliases': ['CVE-2009-4924', 'GHSA-95jp-77w6-qj52'],
    'details': "Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] "
    'argument to cjson.encode, which makes it easier for remote '
    'attackers to conduct certain cross-site scripting (XSS) attacks '
    'involving Firefox and the end tag of a SCRIPT element.',
    'id': 'PYSEC-2010-26',
    'modified': '2021-07-16T01:31:29.455845Z',
    'published': '2010-07-02T19:30:00Z',
    'references': [{'type': 'ARTICLE',
    'url': 'http://t3.dotgnu.info/blog/insecurity/quotes-dont-help.html'},
    {'type': 'WEB',
    'url': 'http://pypi.python.org/pypi/python-cjson/'},
    {'type': 'ADVISORY',
    'url': 'https://github.com/advisories/GHSA-95jp-77w6-qj52'}],
    'schema_version': '1.3.0'}
    {'affected': [{'database_specific': {'source': 'https://github.com/pypa/advisory-database/blob/main/vulns/python-cjson/PYSEC-2010-30.yaml'},
    'package': {'ecosystem': 'PyPI',
    'name': 'python-cjson',
    'purl': 'pkg:pypi/python-cjson'},
    'ranges': [{'events': [{'introduced': '0'}, {'fixed': '1.1.0'}],
    'type': 'ECOSYSTEM'}],
    'versions': ['1.0.0',
    '1.0.1',
    '1.0.2',
    '1.0.3',
    '1.0.4',
    '1.0.5']}],
    'aliases': ['CVE-2010-1666', 'GHSA-cqmh-mpx2-g633'],
    'details': 'Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 '
    'encoding is enabled, allows context-dependent attackers to cause '
    'a denial of service (application crash) or possibly have '
    'unspecified other impact via vectors involving crafted Unicode '
    'input to the cjson.encode function.',
    'id': 'PYSEC-2010-30',
    'modified': '2021-08-27T03:22:17.891561Z',
    'published': '2010-07-02T19:00:00Z',
    'references': [{'type': 'ADVISORY',
    'url': 'http://secunia.com/advisories/40335'},
    {'type': 'WEB',
    'url': 'https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274'},
    {'type': 'ADVISORY',
    'url': 'http://www.vupen.com/english/advisories/2010/1774'},
    {'type': 'ADVISORY',
    'url': 'http://www.debian.org/security/2010/dsa-2068'},
    {'type': 'ADVISORY',
    'url': 'http://secunia.com/advisories/40500'},
    {'type': 'ADVISORY',
    'url': 'https://github.com/advisories/GHSA-cqmh-mpx2-g633'}],
    'schema_version': '1.3.0'}