This project is forked from salesforce/cloudsplaining
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
Home Page: https://cloudsplaining.readthedocs.io/
License: BSD 3-Clause "New" or "Revised" License
Python 95.81%
Shell 0.42%
Ruby 3.77%
CVE-2020-25659 - Medium Severity Vulnerability
Vulnerable Library - cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/8f/2d/29d2638b8df016526182594166c220913dafba3da0019b0776ff1bbc8ede/cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl
Path to dependency file: cloudsplaining/examples/jira-tickets/requirements.txt
Path to vulnerable library: cloudsplaining/examples/jira-tickets/requirements.txt
Dependency Hierarchy:
❌ cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl (Vulnerable Library)
Vulnerability Details
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: pyca/cryptography@58494b4
Release Date: 2020-10-26
Fix Resolution: Replace or update the following file: rsa.py
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: cloudsplaining/index.html
Path to vulnerable library: cloudsplaining/index.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Found in HEAD commit: fa9618a8b879d410756272ddbac7d5de9c4c9c84
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2020-36242 - High Severity Vulnerability
Vulnerable Library - cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/8f/2d/29d2638b8df016526182594166c220913dafba3da0019b0776ff1bbc8ede/cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl
Path to dependency file: cloudsplaining/examples/jira-tickets/requirements.txt
Path to vulnerable library: cloudsplaining/examples/jira-tickets/requirements.txt
Dependency Hierarchy:
❌ cryptography-2.9-cp35-abi3-manylinux2010_x86_64.whl (Vulnerable Library)
Vulnerability Details
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Release Date: 2021-02-07
Fix Resolution: cryptography - 3.3.2
⛑️ Automatic Remediation is available for this issue
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: cloudsplaining/index.html
Path to vulnerable library: cloudsplaining/index.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Found in HEAD commit: fa9618a8b879d410756272ddbac7d5de9c4c9c84
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to dependency file: cloudsplaining/index.html
Path to vulnerable library: cloudsplaining/index.html
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0