Git Product home page Git Product logo

olethrosbot's Introduction

Olethros Bot Deploy to Azure

Made with ❤️ by @jamestiotio

Olethros Bot is a utility bot that provides multiple functions for the purposes of SUTD Class 19F07 Telegram Group.

This bot is deployed on Microsoft Azure as a Flask Web App (in a Linux Docker Container) under its App Services (I'm using my Azure for Students free subscription).

Settings

  • Operating System: Debian 9
  • Runtime Stack: Python 3.7
  • Deployment Method (ScmType): LocalGit (for Kudu Build Server)
  • Startup Command: gunicorn --bind=0.0.0.0 --timeout 0 application:app
  • HTTP Version: 2.0
  • HTTPS Only: On
  • Minimum TLS Version: 1.2
  • Application Settings: 
    [
{
  "name": "ADMIN_LIST",
  "value": "[]",
  "slotSetting": false
},
{
  "name": "BOT_TOKEN",
  "value": "<id>:<token>",
  "slotSetting": false
},
{
  "name": "EMAIL",
  "value": "",
  "slotSetting": false
},
{
  "name": "main_chat",
  "value": "-1",
  "slotSetting": false
},
{
  "name": "MONGODB_ATLAS_CONNECTION_STRING",
  "value": "mongodb+srv://<username>:<password>@<app-name>.azure.mongodb.net/<database>?retryWrites=true&w=majority",
  "slotSetting": false
},
{
  "name": "private_chat",
  "value": "0",
  "slotSetting": false
},
{
  "name": "WEBHOOK_URL",
  "value": "",
  "slotSetting": false
},
{
  "name": "WEBSITE_HTTPLOGGING_RETENTION_DAYS",
  "value": "30",
  "slotSetting": false
},
{
  "name": "WEBSITE_TIME_ZONE",
  "value": "Asia/Singapore",
  "slotSetting": false
}
]

MongoDB Atlas schema is coming soon.

Reminder to set your commit credentials (username and password) for deployment authentication purposes.

You can import a local .json file to a MongoDB Atlas collection by running: mongoimport --host <replSetName>/<hostname1><:port>,<hostname2><:port>,<hostname3><:port>,<...> --ssl --username <USERNAME> --password <PASSWORD> --authenticationDatabase <DBNAME> --db <DATABASE> --collection <COLLECTION> --type json --file <FILENAME>.json --jsonArray.

The cert.pem and key.pem files are required for the upcoming webhook implementation as I will be using a self-signed SSL certificate.

After successful deployment, start the web app (if it is not yet started) and run the bot by going to https://<app-name>.azurewebsites.net/<bot-token>. It should return an OK. The purpose of putting <bot-token> there is to prevent anyone else from just running the bot as and when they like it. This is also to prevent exposing too much obvious endpoints of the bot to the Internet for security purposes. After running the bot, do not go to the homepage (https://<app-name>.azurewebsites.net/) as it will disable the bot. Alternatively, you can disable the homepage route entirely.

NOTE: If the bot sleeps after a few hours without any HTTP requests (even with the Always On setting enabled), use Uptime Robot to schedule a free HTTP request at a regular interval (I used a 1-hour interval).

Functions

Currently, these are the available functions of this bot:

Birthday Tracking

Start tracking using the /track command.

Feel-good Message

Send a feel-good message by using the /feelgood command.

Dice Roller

Credit to @treetrnk for this feature. Roll dices using the /roll <args>, /r <args> or /rf [<args>] commands. Please follow the proper dice notation.

Code Tester

Credit to @veetaw and @GingerPlusPlus for this feature. Execute snippets of code of various programming languages by using the /run <language> <code> [\stdin <stdin>] command. Might be useful for SUTD 10.009 Digital World.

Upcoming Features

User Message Frequency

Generate an Excel sheet with a table and a pie chart of the Telegram group's message frequency from the group members. The openpyxl library would be needed.

Reminder

Set and (auto-)delete reminders for each school day or in a specified timing. An Azure-based MongoDB Atlas database was established for this particular function. Add your Azure App's Outbound IP Addresses to MongoDB Atlas' IP Whitelist. To set a reminder, use the /remindme <time> <"to"/"that"> <reminder-text> command.

Internal Voting System

Establish a voting system internally within the group so as to not depend on an external voting bot such as @countmeinbot.

Karma Credit System

Implement a karma credit system (similar to a social credit system) using upvotes and downvotes (similar to Reddit) or possibly, through the use of designated stickers. A karma leaderboard can be displayed if requested. Extra care needs to be taken for this system to not go horribly wrong as it might lead to the destruction of some friendships.

olethrosbot's People

Contributors

dependabot[bot] avatar jamestiotio avatar mend-bolt-for-github[bot] avatar

Watchers

avatar avatar avatar

olethrosbot's Issues

CVE-2020-14422 (Medium) detected in ipaddress-1.0.23-py2.py3-none-any.whl - autoclosed

CVE-2020-14422 - Medium Severity Vulnerability

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl
      • ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4v3.9.0

Step up your Open Source Security Game with Mend here

CVE-2021-33503 (High) detected in urllib3-1.25.7-py2.py3-none-any.whl - autoclosed

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.22.0-py2.py3-none-any.whl (Root Library)
    • urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (requests): 2.25.0

Step up your Open Source Security Game with Mend here

CVE-2022-23491 (High) detected in certifi-2019.11.28-py2.py3-none-any.whl - autoclosed

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2019.11.28-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/b9/63/df50cac98ea0d5b006c55a399c3bf1db9da7b5a24de7890bc9cfd5dd9e99/certifi-2019.11.28-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.22.0-py2.py3-none-any.whl (Root Library)
    • certifi-2019.11.28-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07

Step up your Open Source Security Game with Mend here

CVE-2020-7212 (High) detected in urllib3-1.25.7-py2.py3-none-any.whl - autoclosed

CVE-2020-7212 - High Severity Vulnerability

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.22.0-py2.py3-none-any.whl (Root Library)
    • urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Publish Date: 2020-03-06

URL: CVE-2020-7212

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmv2-79q8-fv6g

Release Date: 2020-03-09

Fix Resolution (urllib3): 1.25.8

Direct dependency fix Resolution (requests): 2.23.0

Step up your Open Source Security Game with Mend here

CVE-2023-23934 (Low) detected in Werkzeug-0.16.0-py2.py3-none-any.whl - autoclosed

CVE-2023-23934 - Low Severity Vulnerability

Vulnerable Library - Werkzeug-0.16.0-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/ce/42/3aeda98f96e85fd26180534d36570e4d18108d62ae36f87694b476b83d6f/Werkzeug-0.16.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-1.0.2-py2.py3-none-any.whl (Root Library)
    • Werkzeug-0.16.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

Step up your Open Source Security Game with Mend here

CVE-2022-29361 (High) detected in Werkzeug-0.16.0-py2.py3-none-any.whl - autoclosed

CVE-2022-29361 - High Severity Vulnerability

Vulnerable Library - Werkzeug-0.16.0-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/ce/42/3aeda98f96e85fd26180534d36570e4d18108d62ae36f87694b476b83d6f/Werkzeug-0.16.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-1.0.2-py2.py3-none-any.whl (Root Library)
    • Werkzeug-0.16.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body.

Publish Date: 2022-05-25

URL: CVE-2022-29361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361

Release Date: 2022-05-25

Fix Resolution: Werkzeug - 2.1.1

Step up your Open Source Security Game with Mend here

CVE-2023-38325 (High) detected in cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

CVE-2023-38325 - High Severity Vulnerability

Vulnerable Library - cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/8e/34/f54dbfc6d12fa34a50f03bf01319d585e7e9bddd68ad28299b4998e3098b/cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Publish Date: 2023-07-14

URL: CVE-2023-38325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325

Release Date: 2023-07-14

Fix Resolution: 41.0.2

Step up your Open Source Security Game with Mend here

CVE-2020-26137 (Medium) detected in urllib3-1.25.7-py2.py3-none-any.whl - autoclosed

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.22.0-py2.py3-none-any.whl (Root Library)
    • urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution (urllib3): 1.25.9

Direct dependency fix Resolution (requests): 2.23.0

Step up your Open Source Security Game with Mend here

CVE-2020-25659 (Medium) detected in cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl - autoclosed

CVE-2020-25659 - Medium Severity Vulnerability

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution (cryptography): 3.2

Direct dependency fix Resolution (python-telegram-bot): 12.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-40899 (High) detected in future-0.16.0.tar.gz - autoclosed

CVE-2022-40899 - High Severity Vulnerability

Vulnerable Library - future-0.16.0.tar.gz

Clean single-source support for Python 3 and 2

Library home page: https://files.pythonhosted.org/packages/00/2b/8d082ddfed935f3608cc61140df6dcbf0edea1bc3ab52fb6c29ae3e81e85/future-0.16.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • future-0.16.0.tar.gz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

Publish Date: 2022-12-23

URL: CVE-2022-40899

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-25577 (High) detected in Werkzeug-0.16.0-py2.py3-none-any.whl - autoclosed

CVE-2023-25577 - High Severity Vulnerability

Vulnerable Library - Werkzeug-0.16.0-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/ce/42/3aeda98f96e85fd26180534d36570e4d18108d62ae36f87694b476b83d6f/Werkzeug-0.16.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-1.0.2-py2.py3-none-any.whl (Root Library)
    • Werkzeug-0.16.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

Step up your Open Source Security Game with Mend here

CVE-2020-28493 (Medium) detected in Jinja2-2.10.3-py2.py3-none-any.whl - autoclosed

CVE-2020-28493 - Medium Severity Vulnerability

Vulnerable Library - Jinja2-2.10.3-py2.py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/65/e0/eb35e762802015cab1ccee04e8a277b03f1d8e53da3ec3106882ec42558b/Jinja2-2.10.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Flask-1.0.2-py2.py3-none-any.whl (Root Library)
    • Jinja2-2.10.3-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

Publish Date: 2021-02-01

URL: CVE-2020-28493

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493

Release Date: 2021-02-01

Fix Resolution: Jinja2 - 2.11.3

Step up your Open Source Security Game with Mend here

CVE-2023-0286 (High) detected in cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl - autoclosed

CVE-2023-0286 - High Severity Vulnerability

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/vulnerabilities.html

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8

Step up your Open Source Security Game with Mend here

CVE-2023-49083 (Critical) detected in cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

CVE-2023-49083 - Critical Severity Vulnerability

Vulnerable Library - cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/8e/34/f54dbfc6d12fa34a50f03bf01319d585e7e9bddd68ad28299b4998e3098b/cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • cryptography-40.0.2-cp36-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: cryptography - 41.0.6

Step up your Open Source Security Game with Mend here

CVE-2023-23931 (Medium) detected in cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl - autoclosed

CVE-2023-23931 - Medium Severity Vulnerability

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: cryptography - 39.0.1

Step up your Open Source Security Game with Mend here

CVE-2020-36242 (High) detected in cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl - autoclosed

CVE-2020-36242 - High Severity Vulnerability

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution (cryptography): 3.3.2

Direct dependency fix Resolution (python-telegram-bot): 12.0.0

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.