nexmo-community / pvpwham
Send your friends to Whamhalla with this Python script
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
CVE | Severity | Dependency | Type | Fixed in (nexmo version) | Remediation Available
---|---|---|---|---|---
CVE-2022-23491 | 7.5 | certifi-2018.11.29-py2.py3-none-any.whl | Transitive | 2.4.0 | ✅
CVE-2022-29217 | 7.5 | PyJWT-1.7.1-py2.py3-none-any.whl | Transitive | 2.4.0 |
CVE-2019-11324 | 7.5 | urllib3-1.23-py2.py3-none-any.whl | Transitive | 2.4.0 |
CVE-2021-33503 | 7.5 | urllib3-1.23-py2.py3-none-any.whl | Transitive | 2.4.0 | ✅
CVE-2020-26137 | 6.5 | urllib3-1.23-py2.py3-none-any.whl | Transitive | 2.4.0 |
CVE-2019-9740 | 6.1 | urllib3-1.23-py2.py3-none-any.whl | Transitive | 2.4.0 | ✅
CVE-2019-11236 | 6.1 | urllib3-1.23-py2.py3-none-any.whl | Transitive | 2.4.0 |
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Publish Date: 2022-12-07
URL: CVE-2022-23491
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491
Release Date: 2022-12-07
Fix Resolution (certifi): 2022.12.7
Direct dependency fix Resolution (nexmo): 2.4.0
⛑️ Automatic Remediation is available for this issue
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution (PyJWT): 2.4.0
Direct dependency fix Resolution (nexmo): 2.4.0
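Worked example added here, not code from PyJWT or from this repository, showing the key-confusion path behind CVE-2022-29217: a server holds an RSA public key for RS256 tokens, an attacker mints an HS256 token keyed with those public-key bytes, and a verifier configured with "all algorithms" accepts it. The `decode`, `forge_hs256` and `outcome` functions, the PEM text and the `ALL_DEFAULT_ALGORITHMS` list are this example's own constructions; `ASYMMETRIC_KEY_MARKERS` approximates the check PyJWT applies to HMAC keys (extended in 2.4.0) and is not quoted from PyJWT's source. Only the HS256 path is implemented, because that is the path the forgery travels.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the RSA public key a verifier holds for RS256 tokens.
# Not a real key: only the PEM framing matters for this demonstration, because
# that framing is exactly what the attacker reuses as an HMAC secret.
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedPublicKeyBody\n"
    b"-----END PUBLIC KEY-----\n"
)

# Simplified version of the marker list PyJWT's HMAC algorithm refuses as key
# material (the 2.4.0 fix extended that list); the exact entries are an
# assumption of this example rather than PyJWT's source.
ASYMMETRIC_KEY_MARKERS = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"ssh-rsa",
)

# Stand-in for jwt.algorithms.get_default_algorithms(): "accept whatever the header says".
ALL_DEFAULT_ALGORITHMS = ["HS256", "RS256", "ES256"]


class InvalidKeyError(Exception):
    pass


class InvalidAlgorithmError(Exception):
    pass


class InvalidSignatureError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(payload: dict, secret: bytes) -> str:
    """Attacker side: mint an HS256 token keyed with the server's *public* key bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode(token: str, key: bytes, algorithms: list, reject_asymmetric_hmac_keys: bool = True) -> dict:
    """Verifier side, modelled on jwt.decode(): the header's alg is honoured only
    if the caller listed it in `algorithms`; HS256 is then keyed with `key`."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise InvalidAlgorithmError(f"alg {alg!r} is not in the allowed list {algorithms}")
    if alg == "HS256":
        # The 2.4.0-style mitigation: never key an HMAC with asymmetric key material.
        if reject_asymmetric_hmac_keys and any(m in key for m in ASYMMETRIC_KEY_MARKERS):
            raise InvalidKeyError("asymmetric key material used as an HMAC secret")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise InvalidSignatureError("HMAC mismatch")
        return json.loads(_b64url_decode(payload_b64))
    # Genuine RS256/ES256 verification needs an asymmetric-crypto library and is
    # deliberately outside this demonstration, which only exercises the HS256 path.
    raise InvalidAlgorithmError(f"{alg} verification is not part of this example")


def outcome(token: str, key: bytes, algorithms: list, reject_asymmetric_hmac_keys: bool) -> str:
    """Report how decode() treats a token under one configuration."""
    try:
        return "accepted: " + json.dumps(decode(token, key, algorithms, reject_asymmetric_hmac_keys))
    except (InvalidKeyError, InvalidAlgorithmError, InvalidSignatureError) as exc:
        return type(exc).__name__


FORGED = forge_hs256({"sub": "alice", "role": "admin"}, PUBLIC_KEY_PEM)

if __name__ == "__main__":
    # Pre-2.4.0 behaviour with "all algorithms" configured: the forgery verifies.
    print("all algs, no key check:", outcome(FORGED, PUBLIC_KEY_PEM, ALL_DEFAULT_ALGORITHMS, False))
    # Same configuration after the fix: the PEM is refused as an HMAC key.
    print("all algs, key check   :", outcome(FORGED, PUBLIC_KEY_PEM, ALL_DEFAULT_ALGORITHMS, True))
    # The advisory's workaround, effective on any version: pin the expected algorithm.
    print("pinned to RS256       :", outcome(FORGED, PUBLIC_KEY_PEM, ["RS256"], False))
```

The third case is the one to copy into application code: with `algorithms=["RS256"]` the forged token is rejected before any key is touched, on every PyJWT version, which is why the advisory calls out explicit algorithm lists as the workaround even after upgrading.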
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Publish Date: 2019-04-18
URL: CVE-2019-11324
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
Release Date: 2019-04-18
Fix Resolution (urllib3): 1.24.2
Direct dependency fix Resolution (nexmo): 2.4.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution (urllib3): 1.26.5
Direct dependency fix Resolution (nexmo): 2.4.0
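Added example, not urllib3's code: the defensive shape for the authority component that CVE-2021-33503 is about. Instead of a regex with an optional userinfo group (the construct that backtracked on runs of `@`), the split below uses plain string scanning, so cost is linear in the input length regardless of how many `@` characters it contains. `split_authority`, `is_valid_authority`, `seconds_to_split` and the `PATHOLOGICAL` input are this example's own names and constructed data.

```python
import time


class InvalidAuthority(ValueError):
    pass


def split_authority(authority: str):
    """Split an RFC 3986 authority ('userinfo@host:port') into (userinfo, host, port)
    with plain string scanning, so cost stays linear however many '@' the input has.
    An unencoded '@' cannot occur in a host, so everything before the LAST '@' is userinfo."""
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo = None
    if hostport.startswith("["):                      # IPv6 literal: keep the brackets, find the close
        end = hostport.find("]")
        if end == -1:
            raise InvalidAuthority("unterminated IPv6 literal")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
    else:
        host, colon, port_text = hostport.partition(":")
        rest = colon + port_text
    if not host:
        raise InvalidAuthority("empty host")
    port = None
    if rest:
        if not rest.startswith(":"):
            raise InvalidAuthority(f"unexpected text after host: {rest!r}")
        port_text = rest[1:]
        if port_text:                                  # 'host:' with an empty port is legal
            if not (port_text.isascii() and port_text.isdigit()) or int(port_text) > 65535:
                raise InvalidAuthority(f"bad port {port_text!r}")
            port = int(port_text)
    return userinfo, host, port


def is_valid_authority(authority: str) -> bool:
    try:
        split_authority(authority)
        return True
    except InvalidAuthority:
        return False


def seconds_to_split(authority: str) -> float:
    """Wall-clock cost of one split; used below on the kind of input that made the
    pre-1.26.5 regex backtrack."""
    start = time.perf_counter()
    split_authority(authority)
    return time.perf_counter() - start


# Constructed pathological input: tens of thousands of '@' before the host.
PATHOLOGICAL = "@" * 100_000 + "example.com"

if __name__ == "__main__":
    print(split_authority("user:pw@example.com:8443"))
    print(split_authority("[2001:db8::1]:443"))
    print(split_authority(PATHOLOGICAL)[1:], f"in {seconds_to_split(PATHOLOGICAL):.6f}s")
```

The general rule this illustrates: any regex applied to attacker-supplied URL parts (query strings, redirect targets, `Location` headers) needs either a backtracking-free structure or a length cap before matching, because a single redirect is enough to deliver the payload.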
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution (urllib3): 1.25.9
Direct dependency fix Resolution (nexmo): 2.4.0
⛑️ Automatic Remediation is available for this issue
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Publish Date: 2019-03-13
URL: CVE-2019-9740
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
Release Date: 2019-03-13
Fix Resolution (urllib3): 1.24.3
Direct dependency fix Resolution (nexmo): 2.4.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
Publish Date: 2019-04-15
URL: CVE-2019-11236
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r64q-w8jr-g9qp
Release Date: 2019-04-15
Fix Resolution (urllib3): 1.24.3
Direct dependency fix Resolution (nexmo): 2.4.0
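Added example covering the three CRLF advisories above (CVE-2020-26137 via the request method, CVE-2019-9740 and CVE-2019-11236 via the request target); it is this page's own illustration, not urllib3 or CPython source. It serialises a request the way a trusting client does, shows the extra header the receiving parser then sees, and puts a hardened builder beside it. The character class in `DISALLOWED_TARGET_CHARS` is modelled on the one CPython's `http.client` rejects after the CVE-2019-9740 fix and the method check is an RFC 7230 token pattern; both, along with `build_request`, `lines_seen_by_server` and the `EVIL_*` inputs, are this example's assumptions and constructed data.

```python
import re

# Request-target check: control characters, space and DEL are never legal in a target
# (class modelled on the one CPython's http.client rejects; treat it as this example's choice).
DISALLOWED_TARGET_CHARS = re.compile(r"[\x00-\x20\x7f]")
# Method check: an RFC 7230 token; anything else (including CR/LF) is rejected.
METHOD_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class CRLFInjection(ValueError):
    pass


def build_request_unchecked(method: str, target: str, headers: dict) -> bytes:
    """Serialise a request the way a pre-fix client did: trust method and target verbatim."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_request(method: str, target: str, headers: dict) -> bytes:
    """Hardened serialiser: refuse anything that could terminate a line early."""
    if not METHOD_TOKEN.match(method):
        raise CRLFInjection(f"illegal request method {method!r}")
    if DISALLOWED_TARGET_CHARS.search(target):
        raise CRLFInjection(f"control character in request target {target!r}")
    for name, value in headers.items():
        if "\r" in name or "\n" in name or "\r" in value or "\n" in value:
            raise CRLFInjection(f"CR/LF in header {name!r}")
    return build_request_unchecked(method, target, headers)


def lines_seen_by_server(raw: bytes) -> list:
    """What the receiving parser sees: the request line and one header per CRLF line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode("latin-1").split("\r\n")


def is_safe_request(method: str, target: str, headers: dict) -> bool:
    try:
        build_request(method, target, headers)
        return True
    except CRLFInjection:
        return False


# Constructed attacker inputs. Each smuggles an "X-Injected" header into the request
# by terminating the line it was placed on.
EVIL_METHOD = "GET /admin HTTP/1.1\r\nX-Injected: via-method\r\nGET"   # CVE-2020-26137 shape
EVIL_TARGET = "/search?q=1 HTTP/1.1\r\nX-Injected: via-target\r\nX-Pad:"  # CVE-2019-9740 / CVE-2019-11236 shape
HEADERS = {"Host": "api.example.test"}

if __name__ == "__main__":
    for label, method, target in (("method", EVIL_METHOD, "/search"), ("target", "GET", EVIL_TARGET)):
        raw = build_request_unchecked(method, target, HEADERS)
        print(f"{label}: server sees {lines_seen_by_server(raw)}")
        print(f"{label}: hardened builder accepts it? {is_safe_request(method, target, HEADERS)}")
```

In an application the method and target normally come from configuration rather than users, which is why these CVEs score in the medium range; the risk rises sharply when a URL is assembled from a query parameter or followed from a redirect, because the injected line then reaches whatever sits behind the connection, including non-HTTP services that happen to accept line-oriented commands.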
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
CVE | Severity | Dependency | Type | Fixed in (cryptography version) | Remediation Available
---|---|---|---|---|---
CVE-2020-36242 | 9.1 | cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl | Direct | 3.3.2 |
CVE-2023-0286 | 7.4 | cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl | Direct | OpenSSL_1_0_2a--OpenSSL_1_0_2u;OpenSSL_1_1_1a--OpenSSL_1_1_1s;cryptography - 39.0.1 | ✅
CVE-2023-23931 | 6.5 | cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl | Direct | 39.0.1 |
CVE-2020-25659 | 5.9 | cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl | Direct | 3.2 | ✅
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-02-07
Fix Resolution: 3.3.2
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Publish Date: 2023-02-08
URL: CVE-2023-0286
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x4qr-2fvf-3mr5
Release Date: 2023-02-08
Fix Resolution: OpenSSL_1_0_2a--OpenSSL_1_0_2u;OpenSSL_1_1_1a--OpenSSL_1_1_1s;cryptography - 39.0.1
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Publish Date: 2023-02-07
URL: CVE-2023-23931
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931
Release Date: 2023-02-07
Fix Resolution: 39.0.1
⛑️ Automatic Remediation is available for this issue
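Added example, not code from the cryptography package: a model of the `update_into(data, buf)` calling convention that performs the check 39.0.1 added, refusing an output buffer whose `memoryview` is read-only. The transform is a repeating-key XOR standing in for a real cipher so the buffer handling can be shown with the standard library alone; `xor_update_into`, `rejects_readonly`, `roundtrip` and the toy keystream are this example's own names and constructed values.

```python
def xor_update_into(keystream: bytes, data, out) -> int:
    """Model of Cipher.update_into(data, buf): transform `data` into `out` in place and
    return the byte count. The toy transform is a repeating-key XOR, standing in for a
    real cipher only so the buffer handling can be shown without a crypto library.
    Refusing read-only buffers is the check cryptography 39.0.1 added for CVE-2023-23931."""
    if not keystream:
        raise ValueError("keystream must not be empty")
    src = memoryview(data).cast("B")
    dst = memoryview(out)
    if dst.readonly:
        # bytes (and other immutable buffer providers) land here: writing through them
        # would mutate an object Python promises never changes.
        raise TypeError("out must be a writable buffer such as bytearray, not " + type(out).__name__)
    dst = dst.cast("B")
    if len(dst) < len(src):
        raise ValueError(f"out holds {len(dst)} bytes, need {len(src)}")
    for i, byte in enumerate(src):
        dst[i] = byte ^ keystream[i % len(keystream)]
    return len(src)


def rejects_readonly(keystream: bytes, data: bytes, out) -> bool:
    """True when `out` is refused because it is immutable."""
    try:
        xor_update_into(keystream, data, out)
        return False
    except TypeError:
        return True


def roundtrip(keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt into one writable buffer, decrypt into another, return the recovered bytes."""
    ct = bytearray(len(plaintext))
    xor_update_into(keystream, plaintext, ct)
    pt = bytearray(len(plaintext))
    xor_update_into(keystream, ct, pt)
    return bytes(pt)


if __name__ == "__main__":
    key = b"\x5a\xa5"                      # constructed toy keystream, not a real key
    print("bytearray out ok:", roundtrip(key, b"attack at dawn") == b"attack at dawn")
    print("bytes out refused:", rejects_readonly(key, b"attack at dawn", b"\x00" * 14))
```

The same `memoryview(...).readonly` test is the right guard for any C-extension-backed API that writes through a caller-supplied buffer: `bytes`, `str`-derived buffers and read-only `memoryview` slices all report `readonly == True`, while `bytearray`, `array.array` and `mmap` do not.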
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
python-cryptography before 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hggm-jpg3-v476
Release Date: 2021-01-11
Fix Resolution: 3.2
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
CVE | Severity | Dependency | Type | Fixed in (flake8 version) | Remediation Available
---|---|---|---|---|---
CVE-2022-40897 | 5.9 | setuptools-59.6.0-py3-none-any.whl | Transitive | 3.7.0 |
Easily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/b0/3a/88b210db68e56854d0bcf4b38e165e03be377e13907746f825790f3df5bf/setuptools-59.6.0-py3-none-any.whl
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in base branch: main
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Publish Date: 2022-12-23
URL: CVE-2022-40897
Base Score Metrics:
Type: Upgrade version
Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Release Date: 2022-12-23
Fix Resolution (setuptools): 65.5.1
Direct dependency fix Resolution (flake8): 3.7.0
A light weight Python library for the Spotify Web API
Library home page: https://files.pythonhosted.org/packages/59/46/3c957255c96910a8a0e2d9c25db1de51a8676ebba01d7966bedc6e748822/spotipy-2.4.4.tar.gz
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
CVE | Severity | Dependency | Type | Fixed in (spotipy version) | Remediation Available
---|---|---|---|---|---
CVE-2023-23608 | 4.3 | spotipy-2.4.4.tar.gz | Direct | 2.22.1 |
A light weight Python library for the Spotify Web API
Library home page: https://files.pythonhosted.org/packages/59/46/3c957255c96910a8a0e2d9c25db1de51a8676ebba01d7966bedc6e748822/spotipy-2.4.4.tar.gz
Path to dependency file: /Pipfile
Path to vulnerable library: /Pipfile
Dependency Hierarchy:
Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d
Found in base branch: main
Spotipy is a light weight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. The code Spotipy uses to parse URIs and URLs allows an attacker to insert arbitrary characters into the path that is used for API requests. Because it is possible to include "..", an attacker can redirect for example a track lookup via spotifyApi.track() to an arbitrary API endpoint like playlists, but this is possible for other endpoints as well. The impact of this vulnerability depends heavily on what operations a client application performs when it handles a URI from a user and how it uses the responses it receives from the API. This issue is patched in version 2.22.1.
Publish Date: 2023-01-26
URL: CVE-2023-23608
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23608
Release Date: 2023-01-26
Fix Resolution: 2.22.1
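Added example, not spotipy's code: a lenient URI-to-path builder of the shape the advisory describes, beside a hardened one. The lenient version takes whatever follows the type segment and appends it to the collection path, so a `..` segment lets a track lookup land on the playlists endpoint once the receiving side resolves dot segments; the hardened version insists that the URI's type matches the caller's expectation and that the identifier is a bare 22-character base62 string. The base62 format, the `COLLECTION` table, `object_id`, `requested_path*`, `server_resolves` and the sample IDs are this example's own assumptions and constructed data.

```python
import posixpath
import re
from urllib.parse import urlparse

# Spotify object IDs are 22 base62 characters (assumption of this example).
SPOTIFY_ID = re.compile(r"^[0-9A-Za-z]{22}$")
# Constructed map from URI type to API collection segment; not spotipy's own table.
COLLECTION = {"track": "tracks", "album": "albums", "artist": "artists", "playlist": "playlists"}


class BadSpotifyURI(ValueError):
    pass


def _split_uri(uri: str):
    """Return (type, remainder) for 'spotify:<type>:<rest>' or 'https://open.spotify.com/<type>/<rest>'
    without validating either part; this lenient split is the pre-2.22.1 behaviour being modelled."""
    if uri.startswith("spotify:"):
        parts = uri.split(":", 2)
        if len(parts) != 3:
            raise BadSpotifyURI(f"malformed URI {uri!r}")
        return parts[1], parts[2]
    path = urlparse(uri).path.strip("/")      # the query (?si=...) is dropped here
    kind, slash, rest = path.partition("/")
    if not slash:
        raise BadSpotifyURI(f"malformed URL {uri!r}")
    return kind, rest


def requested_path_unchecked(uri: str, kind: str) -> str:
    """Relative API path a lenient client builds: collection + whatever followed the type."""
    return f"{COLLECTION[kind]}/{_split_uri(uri)[1]}"


def server_resolves(path: str) -> str:
    """Model of dot-segment resolution (RFC 3986 remove_dot_segments) on the receiving side."""
    return posixpath.normpath(path)


def object_id(uri: str, kind: str) -> str:
    """Hardened extraction: the URI's type must match what the caller expects, and the ID must be
    a bare base62 identifier, so no path characters can reach the request."""
    found_kind, candidate = _split_uri(uri)
    if found_kind != kind:
        raise BadSpotifyURI(f"expected a {kind} URI, got {found_kind!r}")
    if not SPOTIFY_ID.match(candidate):
        raise BadSpotifyURI(f"not a Spotify ID: {candidate!r}")
    return candidate


def requested_path(uri: str, kind: str) -> str:
    return f"{COLLECTION[kind]}/{object_id(uri, kind)}"


def is_safe_uri(uri: str, kind: str) -> bool:
    try:
        object_id(uri, kind)
        return True
    except BadSpotifyURI:
        return False


# Constructed inputs: a benign track URI and one carrying a dot segment.
TRACK_URI = "spotify:track:4uLU6hMCjMI75M1A2tKUQC"
EVIL_URI = "spotify:track:../playlists/37i9dQZF1DXcBWIGoYBM5M"

if __name__ == "__main__":
    path = requested_path_unchecked(EVIL_URI, "track")
    print("lenient client requests:", path, "-> server serves:", server_resolves(path))
    print("hardened client accepts evil URI?", is_safe_uri(EVIL_URI, "track"))
    print("hardened client path for benign URI:", requested_path(TRACK_URI, "track"))
```

Whether the path is normalised by an intermediate proxy or by the API itself does not change the defence: a client that only ever places a validated identifier into a path it built from its own constants cannot be steered to another endpoint, which is what the 2.22.1 fix amounts to.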