{"meta":{"code":200},"results":{"components":[{"extended-objects":[{"confidence":1.0,"sha1":"6760d4578f89646425fa0cb8e519896eca8c69da","name":"libacl.so.1.1.0","timestamp":1369299888,"binary-type":"elf-shared-x86_64","matching-method":"signature","fullpath":["whalesay.tar","cc88f763e297503d2407d6b462b2b390a6fd006b30f51c8efa03dd88fa801b89/layer.tar","lib/x86_64-linux-gnu/libacl.so.1.1.0"],"type":"native"}],"objects":["libacl.so.1.1.0"],"version":"2.2.52-1","lib":"acl","distro_version":"2.2.52-1","distro":"ubuntu","latest_version":null,"vuln-count":{"total":1,"exact":0,"historical":1},"vulns":[{"vuln":{"cve":"CVE-2009-4411","summary":"The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.","cvss":"3.7","published":"2009-12-24T16:30:00","modified":"2017-08-17T01:31:34","published-epoch":"1261672200","modified-epoch":"1502933494","cwe":"CWE-264","cvss_access_vector":"LOCAL","cvss_access_complexity":"HIGH","cvss_authentication":"NONE","cvss_confidentiality_impact":"PARTIAL","cvss_integrity_impact":"PARTIAL","cvss_availability_impact":"PARTIAL","cvss_source":"http://nvd.nist.gov","cvss_created":"2009-12-25T11:27:00","cvss_created-epoch":"1261740420","cvss2_vector":"AV:L/AC:H/Au:N:/C:P/I:P/A:P","cvss3_vector":null,"cvss3_score":"0"},"exact":false,"timestamp-objects":[]}],"tags":["acl"],"short_version":"2.2.52-1","latest_cmp":null,"homepage":null,"url":null,"codetype":"Native","coverity_scan":null},{"extended-objects":[{"confidence":0.9620493358633776,"sha1":"b3bad620d363c6ca832559c0d6de51037a1608b8","name":"libapt-pkg.so.4.12.0","timestamp":1426638505,"binary-type":"elf-shared-x86_64","matching-method":"signature","fullpath":["whalesay.tar","cc88f763e297503d2407d6b462b2b390a6fd006b30f51c8efa03dd88fa801b89/layer.tar","usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12.0"],"type":"native"}],"objects":["libapt-pkg.so.4.12.0"],"version":"1.0.1ubuntu2.7","lib":"apt","distro_version":"1.0.1ubuntu2.7","distro":"ubuntu","latest_version":null,"vuln-count":{"total":16,"exact":0,"historical":16},"vulns":[{"vuln":{"cve":"CVE-2014-0478","summary":"APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.","cvss":"4.0","published":"2014-06-17T14:55:06","modified":"2017-12-22T02:29:12","published-epoch":"1403016906","modified-epoch":"1513909752","cwe":"CWE-20","cvss_access_vector":"NETWORK","cvss_access_complexity":"HIGH","cvss_authentication":"NONE","cvss_confidentiality_impact":"NONE","cvss_integrity_impact":"PARTIAL","cvss_availability_impact":"PARTIAL","cvss_source":"http://nvd.nist.gov","cvss_created":"2014-06-17T11:39:17","cvss_created-epoch":"1403005157","cvss2_vector":"AV:N/AC:H/Au:N:/C:N/I:P/A:P","cvss3_vector":null,"cvss3_score":"0"},"exact":false,"invalidation":{"reason":"Vendor patched","reason_text":"Distribution vendor has backported the fix for this vulnerability","type":"distro-backport"}},{"vuln":{"cve":"CVE-2014-0487","summary":"APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.","cvss":"7.5","published":"2014-11-03T22:55:07","modified":"2014-11-04T22:13:31","published-epoch":"1415055307","modified-epoch":"1415139211","cwe":null,"cvss_access_vector":"NETWORK","cvss_access_complexity":"LOW","cvss_authentication":"NONE","cvss_confidentiality_impact":"PARTIAL","cvss_integrity_impact":"PARTIAL","cvss_availability_impact":"PARTIAL","cvss_source":"http://nvd.nist.gov","cvss_created":"2014-11-04T12:50:38","cvss_created-epoch":"1415105438","cvss2
