forked from fabric8-analytics/graph-cve-sync
feed_sample_v1.json
[
{
"credits": [
"Unknown"
],
"cve_ids": [],
"cvss_details": [],
"cvss_v3_base_score": 3.7,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-367"
],
"description": "## Amendment\nThis was deemed not a vulnerability.\n## Overview\n\nAffected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to the gateway only authenticating endpoints detected from DNS SRV records, and only authenticating the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated.\r\n\r\n**Note**\r\n\r\nAccording to the [documentation](https://etcd.io/docs/v3.5/op-guide/gateway/#what-is-etcd-gateway), this security finding should not be considered a vulnerability in the library itself, but a security requirement which falls out of this library's scope.\n## References\n- [GitHub Commit](https://github.com/etcd-io/etcd/commit/b85fc84c263946d7f6e3a7f9825013e62db01cb2)\n- [Security Audit](https://github.com/etcd-io/etcd/blob/main/security/SECURITY_AUDIT.pdf)",
"description_overview": "Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to the gateway only authenticating endpoints detected from DNS SRV records, and only authenticating the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated.\r\n\r\n**Note**\r\n\r\nAccording to the [documentation](https://etcd.io/docs/v3.5/op-guide/gateway/#what-is-etcd-gateway), this security finding should not be considered a vulnerability in the library itself, but a security requirement which falls out of this library's scope.",
"description_remediation": "## Amendment\nThis was deemed not a vulnerability.\n## Overview\n\nAffected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to the gateway only authenticating endpoints detected from DNS SRV records, and only authenticating the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated.\r\n\r\n**Note**\r\n\r\nAccording to the [documentation](https://etcd.io/docs/v3.5/op-guide/gateway/#what-is-etcd-gateway), this security finding should not be considered a vulnerability in the library itself, but a security requirement which falls out of this library's scope.\n## References\n- [GitHub Commit](https://github.com/etcd-io/etcd/commit/b85fc84c263946d7f6e3a7f9825013e62db01cb2)\n- [Security Audit](https://github.com/etcd-io/etcd/blob/main/security/SECURITY_AUDIT.pdf)",
"disclosed": "2022-10-06T23:12:38Z",
"ecosystem": "golang",
"exploit_code_maturity": "Not Defined",
"initially_fixed_in_versions": [],
"is_fixable": false,
"is_malicious": false,
"is_social_media_trending": false,
"modified": "2022-11-13T07:58:37.081068Z",
"package": "github.com/etcd-io/etcd/etcdmain",
"package_repository_url": "https://github.com/",
"published": "2022-10-07T08:23:50.538578Z",
"references": [
{
"title": "GitHub Commit",
"url": "https://github.com/etcd-io/etcd/commit/b85fc84c263946d7f6e3a7f9825013e62db01cb2"
},
{
"title": "Security Audit",
"url": "https://github.com/etcd-io/etcd/blob/main/security/SECURITY_AUDIT.pdf"
}
],
"severity": "low",
"snyk_advisory_url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMETCDIOETCDETCDMAIN-3040864",
"snyk_id": "SNYK-GOLANG-GITHUBCOMETCDIOETCDETCDMAIN-3040864",
"title": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"vulnerable_functions": [],
"vulnerable_hash_ranges": [],
"vulnerable_hashes": null,
"vulnerable_versions": [
"<0.0.0"
]
},
{
"credits": [
"jvoisin"
],
"cve_ids": [],
"cvss_details": [],
"cvss_v3_base_score": 5.3,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-79"
],
"description": "## Overview\n\n[org.airsonic.player:airsonic-main](https://github.com/airsonic/airsonic) is a media server that can be used to stream multiple players simultaneously.\n\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS)\ndue to not escaping avatar names within `avatarUploadResult.jsp`.\n\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser\u2019s Same Origin Policy.\r\n\r\n\u05bfInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they\u2019ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user\u2019s browser.| \r\n|**DOM-based**|Client|The attacker forces the user\u2019s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\n\nUpgrade `org.airsonic.player:airsonic-main` to version 10.3.0 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/airsonic/airsonic/pull/938/commits/2f9046d6b4cfbfd0cef624ca301c321a1dc7825a)\n\n- [GitHub PR](https://github.com/airsonic/airsonic/pull/938)",
"description_overview": "[org.airsonic.player:airsonic-main](https://github.com/airsonic/airsonic) is a media server that can be used to stream multiple players simultaneously.\n\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS)\ndue to not escaping avatar names within `avatarUploadResult.jsp`.",
"description_remediation": "Upgrade `org.airsonic.player:airsonic-main` to version 10.3.0 or higher.",
"disclosed": "2019-03-28T15:01:51Z",
"ecosystem": "java",
"exploit_code_maturity": "Not Defined",
"initially_fixed_in_versions": [
"10.3.0"
],
"is_fixable": true,
"is_malicious": false,
"is_social_media_trending": false,
"modified": "2020-12-14T14:41:41.478536Z",
"package": "org.airsonic.player:airsonic-main",
"package_repository_url": "https://repo1.maven.org/maven2/",
"published": "2019-06-20T14:57:29Z",
"references": [
{
"title": "GitHub Commit",
"url": "https://github.com/airsonic/airsonic/pull/938/commits/2f9046d6b4cfbfd0cef624ca301c321a1dc7825a"
},
{
"title": "GitHub PR",
"url": "https://github.com/airsonic/airsonic/pull/938"
}
],
"severity": "medium",
"snyk_advisory_url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAIRSONICPLAYER-450219",
"snyk_id": "SNYK-JAVA-ORGAIRSONICPLAYER-450219",
"title": "Cross-site Scripting (XSS)",
"vulnerable_functions": [],
"vulnerable_hash_ranges": [],
"vulnerable_hashes": null,
"vulnerable_versions": [
"[,10.3.0)"
]
},
{
"credits": [
"Liran Tal"
],
"cve_ids": [],
"cvss_details": [],
"cvss_v3_base_score": 8.8,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
"cwe_ids": [
"CWE-94"
],
"description": "## Overview\r\n[`pullit`](https://www.npmjs.com/package/pullit) is Display and pull branches from GitHub pull requests.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the `eval()` function. Node.js provides the `eval()` function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. `pullit` uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.\r\n\r\n## PoC\r\n* Create a branch that could potentially terminate an exec() command and concatenate to it a new command:\r\n`git checkout -b \";{echo,hello,world}>/tmp/c\u201d`\r\n* Push it to GitHub and create a pull request with this branch name\r\n* Run pullit from command line, select the relevant pull request to checkout locally\r\n* Read the contents of `/tmp/c`\r\n\r\n### Disclosure Timeline\r\n* Oct 24th, 2017 - Initial Disclosure \r\n* Jan 11th, 2018 - Second Reminder\r\n* Feb 14th, 2018 - Public GitHub issue opened\r\n* Feb 14th, 2018 - First response from maintainer\r\n* Feb 14th, 2018 - Vulnerability published\r\n* Feb 19th, 2018 - Vulnerability fixed\r\n\r\n## Remediation\r\nUpgrade `pullit` to version 1.4.0 or higher.\r\n\r\n## References\r\n- [GitHub Issue](https://github.com/jkup/pullit/issues/23)\r\n- [GitHub Commit](https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb)",
"description_overview": "## Overview\r\n[`pullit`](https://www.npmjs.com/package/pullit) is Display and pull branches from GitHub pull requests.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the `eval()` function. Node.js provides the `eval()` function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. `pullit` uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.\r\n\r\n## PoC\r\n* Create a branch that could potentially terminate an exec() command and concatenate to it a new command:\r\n`git checkout -b \";{echo,hello,world}>/tmp/c\u201d`\r\n* Push it to GitHub and create a pull request with this branch name\r\n* Run pullit from command line, select the relevant pull request to checkout locally\r\n* Read the contents of `/tmp/c`\r\n\r\n### Disclosure Timeline\r\n* Oct 24th, 2017 - Initial Disclosure \r\n* Jan 11th, 2018 - Second Reminder\r\n* Feb 14th, 2018 - Public GitHub issue opened\r\n* Feb 14th, 2018 - First response from maintainer\r\n* Feb 14th, 2018 - Vulnerability published\r\n* Feb 19th, 2018 - Vulnerability fixed\r\n\r\n## Remediation\r\nUpgrade `pullit` to version 1.4.0 or higher.\r\n\r\n## References\r\n- [GitHub Issue](https://github.com/jkup/pullit/issues/23)\r\n- [GitHub Commit](https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb)",
"description_remediation": "## Overview\r\n[`pullit`](https://www.npmjs.com/package/pullit) is Display and pull branches from GitHub pull requests.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the `eval()` function. Node.js provides the `eval()` function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. `pullit` uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.\r\n\r\n## PoC\r\n* Create a branch that could potentially terminate an exec() command and concatenate to it a new command:\r\n`git checkout -b \";{echo,hello,world}>/tmp/c\u201d`\r\n* Push it to GitHub and create a pull request with this branch name\r\n* Run pullit from command line, select the relevant pull request to checkout locally\r\n* Read the contents of `/tmp/c`\r\n\r\n### Disclosure Timeline\r\n* Oct 24th, 2017 - Initial Disclosure \r\n* Jan 11th, 2018 - Second Reminder\r\n* Feb 14th, 2018 - Public GitHub issue opened\r\n* Feb 14th, 2018 - First response from maintainer\r\n* Feb 14th, 2018 - Vulnerability published\r\n* Feb 19th, 2018 - Vulnerability fixed\r\n\r\n## Remediation\r\nUpgrade `pullit` to version 1.4.0 or higher.\r\n\r\n## References\r\n- [GitHub Issue](https://github.com/jkup/pullit/issues/23)\r\n- [GitHub Commit](https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb)",
"disclosed": "2018-02-13T22:00:00Z",
"ecosystem": "js",
"exploit_code_maturity": "Functional",
"initially_fixed_in_versions": [
"1.4.0"
],
"is_fixable": true,
"is_malicious": false,
"is_social_media_trending": false,
"modified": "2020-12-14T14:40:56.187205Z",
"package": "pullit",
"package_repository_url": "https://www.npmjs.org",
"published": "2018-02-14T13:22:50Z",
"references": [
{
"title": "GitHub Commit",
"url": "https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb"
},
{
"title": "GitHub Issue",
"url": "https://github.com/jkup/pullit/issues/23"
},
{
"title": "Hackerone Report",
"url": "https://hackerone.com/reports/315773"
},
{
"title": "NPM Advisory",
"url": "https://www.npmjs.com/advisories/1004"
}
],
"severity": "high",
"snyk_advisory_url": "https://security.snyk.io/vuln/SNYK-JS-PULLIT-10883",
"snyk_id": "SNYK-JS-PULLIT-10883",
"title": "Arbitrary Command Execution",
"vulnerable_functions": [],
"vulnerable_hash_ranges": [],
"vulnerable_hashes": [],
"vulnerable_versions": [
"<1.4.0"
]
},
{
"credits": [
"Slovak National Security Office (NBU)"
],
"cve_ids": [],
"cvss_details": [],
"cvss_v3_base_score": 8.8,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H",
"cwe_ids": [
"CWE-506"
],
"description": "## Overview\r\n`apidev-coop` is a one of 10 malicious packages that use [typosquatting](http://incolumitas.com/2016/06/08/typosquatting-package-managers/) to bait unknowing users to install them.\r\nThese packages, which carry similar names to an original package, offer all the functionality of their original, but also include malicious code that collected information on infected hosts, such as the username of the user who installed the package, and the user's computer hostname. It is also possible that the packages collected SSH key information.\r\n\r\nThe collected data, which looked like `Y:urllib-1.21.1 admin testmachine`, was uploaded to a Chinese IP address at `121.42.217.44:8080`.\r\n\r\nThis is especially dangerous in production runtime environments, where environment variables tend to consist of keys, passwords, tokens and other secrets.\r\n\r\nOn September 15th, 2017 pypi deprecated all malicious typosquatting libraries from this list.\r\n\r\nThe full list of packages are:\r\n```\r\n\u2013 acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)\r\n\u2013 apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)\r\n\u2013 bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)\r\n\u2013 crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)\r\n\u2013 django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)\r\n\u2013 pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)\r\n\u2013 setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)\r\n\u2013 telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)\r\n\u2013 urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)\r\n\u2013 urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)\r\n```\r\n\r\n## Remediation\r\nAvoid usage of this package altogether.\n\n## References\n- [Malicious packages published on pip](https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/)\n- [Typosquatting programming language package managers](http://incolumitas.com/2016/06/08/typosquatting-package-managers/)",
"description_overview": "## Overview\r\n`apidev-coop` is a one of 10 malicious packages that use [typosquatting](http://incolumitas.com/2016/06/08/typosquatting-package-managers/) to bait unknowing users to install them.\r\nThese packages, which carry similar names to an original package, offer all the functionality of their original, but also include malicious code that collected information on infected hosts, such as the username of the user who installed the package, and the user's computer hostname. It is also possible that the packages collected SSH key information.\r\n\r\nThe collected data, which looked like `Y:urllib-1.21.1 admin testmachine`, was uploaded to a Chinese IP address at `121.42.217.44:8080`.\r\n\r\nThis is especially dangerous in production runtime environments, where environment variables tend to consist of keys, passwords, tokens and other secrets.\r\n\r\nOn September 15th, 2017 pypi deprecated all malicious typosquatting libraries from this list.\r\n\r\nThe full list of packages are:\r\n```\r\n\u2013 acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)\r\n\u2013 apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)\r\n\u2013 bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)\r\n\u2013 crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)\r\n\u2013 django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)\r\n\u2013 pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)\r\n\u2013 setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)\r\n\u2013 telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)\r\n\u2013 urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)\r\n\u2013 urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)\r\n```\r\n\r\n## Remediation\r\nAvoid usage of this package altogether.\n\n## References\n- [Malicious packages published on pip](https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/)\n- [Typosquatting programming language package managers](http://incolumitas.com/2016/06/08/typosquatting-package-managers/)",
"description_remediation": "## Overview\r\n`apidev-coop` is a one of 10 malicious packages that use [typosquatting](http://incolumitas.com/2016/06/08/typosquatting-package-managers/) to bait unknowing users to install them.\r\nThese packages, which carry similar names to an original package, offer all the functionality of their original, but also include malicious code that collected information on infected hosts, such as the username of the user who installed the package, and the user's computer hostname. It is also possible that the packages collected SSH key information.\r\n\r\nThe collected data, which looked like `Y:urllib-1.21.1 admin testmachine`, was uploaded to a Chinese IP address at `121.42.217.44:8080`.\r\n\r\nThis is especially dangerous in production runtime environments, where environment variables tend to consist of keys, passwords, tokens and other secrets.\r\n\r\nOn September 15th, 2017 pypi deprecated all malicious typosquatting libraries from this list.\r\n\r\nThe full list of packages are:\r\n```\r\n\u2013 acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)\r\n\u2013 apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)\r\n\u2013 bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)\r\n\u2013 crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)\r\n\u2013 django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)\r\n\u2013 pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)\r\n\u2013 setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)\r\n\u2013 telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)\r\n\u2013 urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)\r\n\u2013 urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)\r\n```\r\n\r\n## Remediation\r\nAvoid usage of this package altogether.\n\n## References\n- [Malicious packages published on pip](https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/)\n- [Typosquatting programming language package managers](http://incolumitas.com/2016/06/08/typosquatting-package-managers/)",
"disclosed": "2017-09-15T15:47:11Z",
"ecosystem": "python",
"exploit_code_maturity": "High",
"initially_fixed_in_versions": [],
"is_fixable": false,
"is_malicious": true,
"is_social_media_trending": false,
"modified": "2021-05-13T10:08:39.373978Z",
"package": "apidev-coop",
"package_repository_url": "https://pypi.org",
"published": "2017-09-17T09:08:41Z",
"references": [
{
"title": "Malicious packages published on pip",
"url": "https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/"
},
{
"title": "Typosquatting programming language package managers",
"url": "http://incolumitas.com/2016/06/08/typosquatting-package-managers/"
}
],
"severity": "high",
"snyk_advisory_url": "https://security.snyk.io/vuln/SNYK-PYTHON-APIDEVCOOP-40663",
"snyk_id": "SNYK-PYTHON-APIDEVCOOP-40663",
"title": "Malicious Package",
"vulnerable_functions": [],
"vulnerable_hash_ranges": [],
"vulnerable_hashes": [],
"vulnerable_versions": [
"[0,]"
]
}
]