Git Product home page Git Product logo

pvpwham's People

Contributors

aaronbassett avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

pvpwham's Issues

nexmo-2.3.0-py2.py3-none-any.whl: 7 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - nexmo-2.3.0-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nexmo version) Remediation Available
CVE-2022-23491 High 7.5 certifi-2018.11.29-py2.py3-none-any.whl Transitive 2.4.0
CVE-2022-29217 High 7.5 PyJWT-1.7.1-py2.py3-none-any.whl Transitive 2.4.0
CVE-2019-11324 High 7.5 urllib3-1.23-py2.py3-none-any.whl Transitive 2.4.0
CVE-2021-33503 High 7.5 urllib3-1.23-py2.py3-none-any.whl Transitive 2.4.0
CVE-2020-26137 Medium 6.5 urllib3-1.23-py2.py3-none-any.whl Transitive 2.4.0
CVE-2019-9740 Medium 6.1 urllib3-1.23-py2.py3-none-any.whl Transitive 2.4.0
CVE-2019-11236 Medium 6.1 urllib3-1.23-py2.py3-none-any.whl Transitive 2.4.0

Details

CVE-2022-23491

Vulnerable Library - certifi-2018.11.29-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • certifi-2018.11.29-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-29217

Vulnerable Library - PyJWT-1.7.1-py2.py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • PyJWT-1.7.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Publish Date: 2022-05-24

URL: CVE-2022-29217

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217

Release Date: 2022-05-24

Fix Resolution (PyJWT): 2.4.0

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-11324

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Publish Date: 2019-04-18

URL: CVE-2019-11324

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324

Release Date: 2019-04-18

Fix Resolution (urllib3): 1.24.2

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-33503

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-26137

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution (urllib3): 1.25.9

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-9740

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution (urllib3): 1.24.3

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-11236

Vulnerable Library - urllib3-1.23-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • nexmo-2.3.0-py2.py3-none-any.whl (Root Library)
    • requests-2.21.0-py2.py3-none-any.whl
      • urllib3-1.23-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

Publish Date: 2019-04-15

URL: CVE-2019-11236

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r64q-w8jr-g9qp

Release Date: 2019-04-15

Fix Resolution (urllib3): 1.24.3

Direct dependency fix Resolution (nexmo): 2.4.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl: 4 vulnerabilities (highest severity is: 9.1)

Vulnerable Library - cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cryptography version) Remediation Available
CVE-2020-36242 Critical 9.1 cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl Direct 3.3.2
CVE-2023-0286 High 7.4 cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl Direct OpenSSL_1_0_2a--OpenSSL_1_0_2u;OpenSSL_1_1_1a--OpenSSL_1_1_1s;cryptography - 39.0.1
CVE-2023-23931 Medium 6.5 cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl Direct 39.0.1
CVE-2020-25659 Medium 5.9 cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl Direct 3.2

Details

CVE-2020-36242

Vulnerable Library - cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution: 3.3.2

⛑️ Automatic Remediation is available for this issue

CVE-2023-0286

Vulnerable Library - cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4qr-2fvf-3mr5

Release Date: 2023-02-08

Fix Resolution: OpenSSL_1_0_2a--OpenSSL_1_0_2u;OpenSSL_1_1_1a--OpenSSL_1_1_1s;cryptography - 39.0.1

⛑️ Automatic Remediation is available for this issue

CVE-2023-23931

Vulnerable Library - cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: 39.0.1

⛑️ Automatic Remediation is available for this issue

CVE-2020-25659

Vulnerable Library - cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/60/c7/99b33c53cf3f20a97a4c4bfd3ab66dcc93d99da0a97cc9597aa36ae6bb62/cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • cryptography-2.4.2-cp34-abi3-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution: 3.2

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

flake8-3.6.0-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.9)

Vulnerable Library - flake8-3.6.0-py2.py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (flake8 version) Remediation Available
CVE-2022-40897 Medium 5.9 setuptools-59.6.0-py3-none-any.whl Transitive 3.7.0

Details

CVE-2022-40897

Vulnerable Library - setuptools-59.6.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/b0/3a/88b210db68e56854d0bcf4b38e165e03be377e13907746f825790f3df5bf/setuptools-59.6.0-py3-none-any.whl

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • flake8-3.6.0-py2.py3-none-any.whl (Root Library)
    • setuptools-59.6.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution (setuptools): 65.5.1

Direct dependency fix Resolution (flake8): 3.7.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

spotipy-2.4.4.tar.gz: 1 vulnerabilities (highest severity is: 4.3)

Vulnerable Library - spotipy-2.4.4.tar.gz

A light weight Python library for the Spotify Web API

Library home page: https://files.pythonhosted.org/packages/59/46/3c957255c96910a8a0e2d9c25db1de51a8676ebba01d7966bedc6e748822/spotipy-2.4.4.tar.gz

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spotipy version) Remediation Available
CVE-2023-23608 Medium 4.3 spotipy-2.4.4.tar.gz Direct 2.22.1

Details

CVE-2023-23608

Vulnerable Library - spotipy-2.4.4.tar.gz

A light weight Python library for the Spotify Web API

Library home page: https://files.pythonhosted.org/packages/59/46/3c957255c96910a8a0e2d9c25db1de51a8676ebba01d7966bedc6e748822/spotipy-2.4.4.tar.gz

Path to dependency file: /Pipfile

Path to vulnerable library: /Pipfile

Dependency Hierarchy:

  • spotipy-2.4.4.tar.gz (Vulnerable Library)

Found in HEAD commit: 699d0c05e6aaaf7d410332344577ef9505035d6d

Found in base branch: main

Vulnerability Details

Spotipy is a light weight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. The code Spotipy uses to parse URIs and URLs allows an attacker to insert arbitrary characters into the path that is used for API requests. Because it is possible to include "..", an attacker can redirect for example a track lookup via spotifyApi.track() to an arbitrary API endpoint like playlists, but this is possible for other endpoints as well. The impact of this vulnerability depends heavily on what operations a client application performs when it handles a URI from a user and how it uses the responses it receives from the API. This issue is patched in version 2.22.1.

Publish Date: 2023-01-26

URL: CVE-2023-23608

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23608

Release Date: 2023-01-26

Fix Resolution: 2.22.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.