Vulnerability Details REST API
The Vulnerability Details REST API retrieves the details of a vulnerability given a CVE ID or a Sonatype vulnerability identifier. If you also pass a component identifier as a query parameter on the same GET request, the response additionally includes the root causes of the vulnerability in that component.
User Permissions Required to Invoke this API call
View IQ Elements
Methods supported:
GET (As an authenticated request)
GET (As an anonymous, non-authenticated request)
GET vulnerability details by passing a CVE or Sonatype vulnerability identifier
Vulnerability details can be retrieved by making an authenticated HTTP GET request:
GET /api/v2/vulnerabilities/{vulnerabilityId}
where {vulnerabilityId} is a CVE or a Sonatype vulnerability identifier.
Example:
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
where CVE-2017-5929 is the {vulnerabilityId}.
Response:
On successful execution, the response JSON returns the vulnerability details corresponding to the {vulnerabilityId} provided.
{
  "identifier": "CVE-2017-5929",
  "vulnIds": ["CVE-2017-5929"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [
      { "id": "XXX", "uri": "https://cwe.mitre.org/data/definitions/XXX.html" }
    ]
  },
  "categories": ["category1", "category2"],
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": "Detection instructions will be provided here.",
  "recommendationMarkdown": "Recommendations will be provided here",
  "advisories": [
    { "referenceType": "PROJECT", "url": "http://project-url" }
  ],
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "customData": {
    "remediation": "Please install latest version of the app",
    "cweId": "some-cwe-ids",
    "cvssVector": "some/vector",
    "cvssSeverity": 7.6
  },
  "detectionType": null
}
In the JSON response above:
mainSeverity is the official CVE severity for the vulnerability; if no CVE severity score exists, it holds the Sonatype severity provided by Sonatype researchers.
severityScores lists all other known severity scores not shown in mainSeverity.
vulnerabilityLink is the link to the official CVE description page.
vulnIds is an array of related vulnerability IDs.
customData holds the vulnerability attributes that users have customized for the given vulnerability under the requested scope. The JSON response includes the customData field only if customized vulnerability attributes are found under that scope.
detectionType is a string with possible values PRIMARY, SECONDARY, AST, UNSHADER, OTHER, or null (if no component identifier is provided). It indicates the type of vulnerability detection system used to obtain the vulnerability data.
Definitions of the detectionType values:
PRIMARY: This vulnerability data has been investigated by the researcher to explicitly implicate components referenced in the feed or as a result of their independent research.
SECONDARY: This component has been implicated by our automated systems because it shares vulnerable code with components that were implicated by our PRIMARY systems.
AST: This vulnerability has been discovered as part of Application Security Testing (AST) and includes common issues such as code injection, authentication flaws, and data leakage.
UNSHADER: This vulnerability has been discovered by the Shaded Vulnerability Detection algorithm.
Values for researchType:
Possible values for researchType include PUBLIC_RESEARCH and VENDOR_RESEARCH. Refer to Sonatype Vulnerability Data for more details.
Vulnerability Details with KEV data
Example:
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-7525'
Response:
{
  "identifier": "CVE-2017-7525",
  "vulnIds": ["CVE-2017-7525"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7525",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "sourceLabel": "CVE CVSS 3",
    "score": 9.8,
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "sourceLabel": "CVE CVSS 2.0", "score": 7.5 },
    { "source": "sonatype_cvss_3", "sourceLabel": "Sonatype CVSS 3", "score": 8.5 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [
      { "id": "184", "uri": "https://cwe.mitre.org/data/definitions/184.html" },
      { "id": "502", "uri": "https://cwe.mitre.org/data/definitions/502.html" }
    ]
  },
  "categories": ["data"],
  "description": "A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
  "explanationMarkdown": "`jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.\n\nNOTE: This vulnerability is also tracked by the Apache Struts team as [S2-055](https://cwiki.apache.org/confluence/display/WW/S2-055).\n\nNOTE: This CVE is a part of the series of CVEs (e.g. CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, ... [full list](https://www.sonatype.com/blog/jackson-databind-the-end-of-the-blacklist)) that have been, and continue to be released by the Jackson Databind project, for the exact same deserialization vulnerability. To reduce unnecessary noise arising from duplicates and false positives, we have strategically implicated components so that they show the minimal number of CVEs necessary to represent the same vulnerability.\n\n*Advisory Deviation Notice:*\n The Sonatype Security Research team has created a CVSS score that differs from the publicly available score that, based on our research, more accurately reflects the severity of the vulnerability.",
  "detectionMarkdown": "The application is vulnerable by using this component, when default typing is enabled.\r\n\r\nNote: Spring Security has provided their own fix for this vulnerability ([CVE-2017-4995](https://pivotal.io/security/cve-2017-4995)). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.",
  "recommendationMarkdown": "*Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability.\n\nReference: [https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2](https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2)\n\nIn order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`.\n\nAlternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own:\n\n>It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(...) -- you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.\n\nReference: [https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)\n\nExamples of implementing your own typing can be found by looking at [Spring Security's fix](https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca439) or [this Stack Overflow article](https://stackoverflow.com/questions/12353774/how-to-customize-jackson-type-information-mechanism).",
  "rootCauses": [
    {
      "listOfPaths": [
        "jackson-databind-2.0.4.jar",
        "com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.class"
      ],
      "versionRange": "[2.0.0-RC1, 2.6.7.1)"
    }
  ],
  "advisories": [
    { "referenceType": "PROJECT", "url": "https://github.com/FasterXML/jackson-databind/issues/1599" },
    { "referenceType": "THIRD_PARTY", "url": "https://blog.sonatype.com/jackson-databind-remote-code-execution" },
    { "referenceType": "THIRD_PARTY", "url": "https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist" },
    { "referenceType": "THIRD_PARTY", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525" }
  ],
  "vulnerableVersionRanges": [
    "[2.0.0-RC1,2.6.7]",
    "[2.7.0-rc1,2.7.9]",
    "[2.8.0.rc1,2.8.8]",
    "[2.9.0.pr1,2.9.0.pr2]"
  ],
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "detectionType": "PRIMARY",
  "kevData": { "isKev": false },
  "identificationSource": "Sonatype"
}
kevData.isKev indicates whether the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
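As an added example (not part of the IQ Server documentation or product), the following Python reads a response of the shape shown above and derives triage signals from the fields just described: it parses the CVSS v3 vector in mainSeverity, compares the Sonatype and CVE scores to surface an advisory deviation, reads kevData.isKev, and flags SECONDARY detections for manual review. The sample response is a trimmed, constructed copy of the CVE-2017-7525 response on this page; the triage field names and the priority ordering are this example's own choices, and the code tolerates the null fields that anonymous responses return.

```python
import json

# Constructed sample: a trimmed copy of the CVE-2017-7525 response shown on this page.
SAMPLE_RESPONSE = json.loads(r'''{
  "identifier": "CVE-2017-7525",
  "mainSeverity": {"source": "cve_cvss_3", "score": 9.8,
                   "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
  "severityScores": [{"source": "cve_cvss_2", "score": 7.5},
                     {"source": "sonatype_cvss_3", "score": 8.5}],
  "detectionType": "PRIMARY",
  "kevData": {"isKev": false},
  "customData": {"cvssSeverity": 7.6}
}''')


def parse_cvss_vector(vector):
    """Split a CVSS v3 vector string into its metrics, e.g. {'AV': 'N', 'PR': 'N', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def triage(resp):
    """Derive triage signals from one Vulnerability Details response (field names are this example's)."""
    main = resp.get("mainSeverity") or {}          # may be null on limited responses
    metrics = parse_cvss_vector(main["vector"]) if main.get("vector") else {}
    # collect every score by source, including the one promoted to mainSeverity
    scores = {s["source"]: s["score"] for s in resp.get("severityScores") or []}
    if main.get("source"):
        scores[main["source"]] = main["score"]
    sonatype, cve = scores.get("sonatype_cvss_3"), scores.get("cve_cvss_3")
    return {
        "identifier": resp["identifier"],
        "main_score": main.get("score"),
        # network-reachable with no privileges required: the profile worth escalating first
        "remote_unauthenticated": metrics.get("AV") == "N" and metrics.get("PR") == "N",
        # Sonatype research deviated from the public score (see the Advisory Deviation Notice)
        "score_deviation": sonatype is not None and cve is not None and sonatype != cve,
        "kev": bool((resp.get("kevData") or {}).get("isKev")),
        # SECONDARY means implicated by shared code, not by direct research
        "needs_review": resp.get("detectionType") == "SECONDARY",
        # a user-customized severity, if one was set under the requested scope
        "custom_override": (resp.get("customData") or {}).get("cvssSeverity"),
    }


def priority(t):
    """Sort key: KEV entries first, then remote-unauthenticated, then by score."""
    return (t["kev"], t["remote_unauthenticated"], t["main_score"] or 0.0)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

Run it against a list of responses and sort with priority() to get a first-pass ordering; the score_deviation flag is the cue to read explanationMarkdown, where Sonatype explains why its score differs.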
Get vulnerability details by passing a component identifier
Vulnerability details can be retrieved by an authenticated HTTP GET request that passes a component identifier as the componentIdentifier query parameter (a URL-encoded JSON object with the component's format and coordinates). In addition to the vulnerability details, this request also returns the root causes of the vulnerability in that component.
Example:
curl -u admin:admin123 'http://localhost:8070/api/v2/vulnerabilities/CVE-2022-22815?componentIdentifier=%7B%22format%22%3A%22pypi%22%2C%22coordinates%22%3A%7B%22extension%22%3A%22whl%22%2C%22name%22%3A%22Pillow%22%2C%22qualifier%22%3A%22cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64%22%2C%22version%22%3A%228.3.2%22%7D%7D'
Response:
{
  "identifier": "CVE-2022-22815",
  "vulnIds": ["CVE-2022-22815"],
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22815",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": {
    "cweSource": "CVE",
    "cweIds": [
      { "id": "665", "uri": "https://cwe.mitre.org/data/definitions/665.html" }
    ]
  },
  "categories": ["data"],
  "description": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.",
  "explanationMarkdown": "The `Pillow` package is vulnerable due to Improper Initialization. The `alloc_array()` and `path_getbbox()` functions in the `path.c` file do not properly initialize coordinates before using them to construct path objects. A remote attacker can supply specially-crafted input that exploits the aforementioned issue to gain unauthorized access to memory, cause an application crash, or other unexpected behavior.",
  "componentExplanationMarkdown": "",
  "detectionMarkdown": "The application is vulnerable by using this component.",
  "componentDetectionMarkdown": "",
  "recommendationMarkdown": "We recommend upgrading to a version of this component that is not vulnerable to this specific issue.\n\nNote: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.",
  "componentRecommendationMarkdown": "",
  "rootCauses": [
    {
      "listOfPaths": ["Pillow-8.3.2.tar.gz", "Pillow-8.3.2/src/path.c"],
      "versionRange": "[5.0.0 , 9.0.0)"
    }
  ],
  "advisories": [
    { "referenceType": "PROJECT", "url": "https://github.com/python-pillow/Pillow/pull/5920" },
    { "referenceType": "THIRD_PARTY", "url": "https://access.redhat.com/security/cve/cve-2022-22815" }
  ],
  "vulnerableVersionRanges": ["[8.3.2,9.0.0)"],
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "customData": {
    "remediation": "some-string",
    "cweId": "some-cwe-ids",
    "cvssVector": "some/vector",
    "cvssSeverity": 7.6
  },
  "detectionType": "PRIMARY"
}
In the JSON response above, vulnerableVersionRanges contains the complete list of component version ranges that are vulnerable. A range bound is inclusive when denoted by a bracket ('[' or ']') and exclusive when denoted by a parenthesis ('(' or ')'); for example, [8.3.2,9.0.0) covers 8.3.2 up to, but not including, 9.0.0. Each entry in rootCauses gives the listOfPaths to the vulnerable file inside the component archive and the versionRange, in the same notation, over which that root cause is present.
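The following Python, added here as an example and not taken from the IQ Server documentation or product, does the two things a script consuming this endpoint needs: it builds the componentIdentifier query parameter by serialising the identifier as compact JSON and URL-encoding it (reproducing the URL in the curl example above), and it evaluates the interval notation used by vulnerableVersionRanges and rootCauses[].versionRange against a candidate version. The version ordering is a simplified one of this example's own (numeric segments compare numerically; a trailing qualifier such as rc1 or pr1 sorts before the plain release; missing trailing segments count as zero). It is not IQ Server's matcher and does not cover every ecosystem's version scheme; BASE_URL is the address used in this page's examples.

```python
import json
import re
from urllib.parse import quote

BASE_URL = "http://localhost:8070"  # the IQ Server address used in this page's examples

# Component identifier from the Pillow curl example above (same JSON, before URL-encoding).
PILLOW_COMPONENT = {
    "format": "pypi",
    "coordinates": {
        "extension": "whl",
        "name": "Pillow",
        "qualifier": "cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64",
        "version": "8.3.2",
    },
}

# vulnerableVersionRanges from the CVE-2017-7525 response above.
JACKSON_RANGES = ["[2.0.0-RC1,2.6.7]", "[2.7.0-rc1,2.7.9]",
                  "[2.8.0.rc1,2.8.8]", "[2.9.0.pr1,2.9.0.pr2]"]


def vulnerability_url(vuln_id, component=None):
    """Build the GET URL; the component identifier travels as URL-encoded JSON."""
    url = f"{BASE_URL}/api/v2/vulnerabilities/{vuln_id}"
    if component is not None:
        # compact separators drop whitespace; safe="" percent-encodes every
        # reserved character, giving the %7B%22...%7D form seen in the example
        url += "?componentIdentifier=" + quote(
            json.dumps(component, separators=(",", ":")), safe="")
    return url


_RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])\s*$")


def parse_range(text):
    """'[5.0.0 , 9.0.0)' -> ('5.0.0', True, '9.0.0', False); a missing bound is None."""
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version range: {text!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return lo or None, lo_br == "[", hi or None, hi_br == "]"


_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")


def _version_key(version):
    # Simplified ordering (this example's assumption, not IQ Server's matcher):
    # numeric tokens compare numerically; alphabetic qualifiers compare
    # case-insensitively and sort before numbers, so 2.7.0-rc1 < 2.7.0.
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in _TOKEN_RE.findall(version)]


def version_cmp(a, b):
    """Return -1, 0 or 1; missing trailing segments count as 0 (2.6.7 == 2.6.7.0)."""
    ka, kb = _version_key(a), _version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(version, range_text):
    """True if version lies inside one range, honouring inclusive/exclusive bounds."""
    lo, lo_inc, hi, hi_inc = parse_range(range_text)
    if lo is not None:
        c = version_cmp(version, lo)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if hi is not None:
        c = version_cmp(version, hi)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def is_vulnerable(version, ranges):
    """True if the version falls inside any of the reported ranges."""
    return any(version_in_range(version, r) for r in ranges)


if __name__ == "__main__":
    print(vulnerability_url("CVE-2022-22815", PILLOW_COMPONENT))
    for v in ("2.6.7", "2.6.7.1", "2.7.0-rc1", "2.8.9"):
        print(v, "vulnerable" if is_vulnerable(v, JACKSON_RANGES) else "fixed")
```

Feed the URL to your HTTP client with the same credentials as the curl examples; the range helpers are what you need when you want to confirm locally that the version you ship sits outside every listed range rather than trusting the match by eye.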
GET vulnerability details using anonymous, non-authenticated requests
Anonymous, non-authenticated requests return limited vulnerability details. In the response below, weakness, categories, detectionMarkdown, recommendationMarkdown and advisories are null, and vulnIds, rootCauses, kevData and customData are not returned at all.
Example:
curl 'http://localhost:8070/api/v2/vulnerabilities/CVE-2017-5929'
Response:
{
  "identifier": "CVE-2017-5929",
  "vulnerabilityLink": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929",
  "source": { "shortName": "CVE", "longName": "National Vulnerability Database" },
  "mainSeverity": {
    "source": "cve_cvss_3",
    "score": 9.8,
    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  },
  "severityScores": [
    { "source": "cve_cvss_2", "score": 7.5 },
    { "source": "sonatype_cvss_3", "score": 9.8 }
  ],
  "weakness": null,
  "categories": null,
  "description": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.",
  "explanationMarkdown": "The `RemoteStreamAppenderClient` class in `logback-classic` and the `SocketNode` classes in `logback-classic` and `logback-access` allow data to be deserialized over a Java `Socket`, via an `ObjectInputStream`, without validating the data beforehand. When data is received from the `Socket`, to be logged, it is deserialized into Java objects. An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the `Socket`, which may result in execution of arbitrary code when those objects are deserialized.\n\nNote that although `logback-core` is implicated by the Logback project [here](https://jira.qos.ch/browse/LOGBACK-1254), the Sonatype Security Research team discovered that the vulnerability is actually present in the `logback-classic` and `logback-access` components.\n\n*Advisory Deviation Notice*: The Sonatype Security Research team discovered that this vulnerability was first introduced in version 0.3.0 of `logback-classic` and version 0.6.0 of `logback-access`, as opposed to being present in *all* versions prior to 1.2.0, as stated in [the advisory](https://nvd.nist.gov/vuln/detail/CVE-2017-5929).",
  "detectionMarkdown": null,
  "recommendationMarkdown": null,
  "advisories": null,
  "researchType": "DEEP_DIVE",
  "isAdvancedVulnerabilityDetection": false,
  "detectionType": null
}