diff --git a/data/insecure_full.json b/data/insecure_full.json
index b99065f0..bcece28a 100644
--- a/data/insecure_full.json
+++ b/data/insecure_full.json
@@ -2,7 +2,7 @@
"$meta": {
"advisory": "PyUp.io metadata",
"base_domain": "https://pyup.io",
- "timestamp": 1711951247
+ "timestamp": 1714543250
},
"10cent10": [
{
@@ -292,16 +292,6 @@
}
],
"acryl-datahub": [
- {
- "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c",
- "cve": "CVE-2023-25561",
- "id": "pyup.io-63339",
- "more_info_path": "/vulnerabilities/CVE-2023-25561/63339",
- "specs": [
- "<0.8.45"
- ],
- "v": "<0.8.45"
- },
{
"advisory": "In DataHub versions prior to 0.8.45, session cookies are only cleared upon new sign-ins, not during logouts. This allows potential attackers to bypass authentication checks using the AuthUtils.hasValidSessionCookie() method by using a cookie from a logged-out session. Consequently, any logged-out session cookie might be considered valid, leading to an authentication bypass. Users are advised to upgrade to version 0.8.45 to rectify this vulnerability. Currently, there are no known workarounds. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-083.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-3974-hxjh-m3jj\r\nhttps://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/datahub-frontend/app/auth/AuthUtils.java#L78",
"cve": "CVE-2023-25562",
@@ -313,10 +303,10 @@
"v": "<0.8.45"
},
{
- "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3",
- "cve": "CVE-2023-25560",
- "id": "pyup.io-63340",
- "more_info_path": "/vulnerabilities/CVE-2023-25560/63340",
+ "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c",
+ "cve": "CVE-2023-25561",
+ "id": "pyup.io-63339",
+ "more_info_path": "/vulnerabilities/CVE-2023-25561/63339",
"specs": [
"<0.8.45"
],
@@ -332,6 +322,16 @@
],
"v": "<0.8.45"
},
+ {
+ "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3",
+ "cve": "CVE-2023-25560",
+ "id": "pyup.io-63340",
+ "more_info_path": "/vulnerabilities/CVE-2023-25560/63340",
+ "specs": [
+ "<0.8.45"
+ ],
+ "v": "<0.8.45"
+ },
{
"advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg",
"cve": "CVE-2023-25557",
@@ -410,9 +410,9 @@
"actipy": [
{
"advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-51303",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/51303",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-51296",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/51296",
"specs": [
"<1.1.0"
],
@@ -420,9 +420,9 @@
},
{
"advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-51296",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/51296",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-51303",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/51303",
"specs": [
"<1.1.0"
],
@@ -607,6 +607,18 @@
"v": "<101.0.3"
}
],
+ "ahc-tools": [
+ {
+ "advisory": "Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a (dot dot) the session parameter.",
+ "cve": "CVE-2014-3702",
+ "id": "pyup.io-70427",
+ "more_info_path": "/vulnerabilities/CVE-2014-3702/70427",
+ "specs": [
+ "<1.6.0"
+ ],
+ "v": "<1.6.0"
+ }
+ ],
"ahjo": [
{
"advisory": "Ahjo 3.1.1 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
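Review bot: The advisory text of the new `ahc-tools` entry reads "via a (dot dot) the session parameter", which looks like it lost the literal traversal token and a preposition when it was copied from the upstream description; as written it does not say what the session parameter carries. The `advisory` string is the only human-readable context a consumer of this file gets, so it is worth restoring the sentence to read `... via a .. (dot dot) in the session parameter.` if that matches the upstream wording. The specifier `<1.6.0` is not stated in the advisory text, so the fix release should be cross-checked as well.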
@@ -1077,12 +1089,24 @@
"v": "<1.6.5"
}
],
+ "ail": [
+ {
+ "advisory": "Global.py in AIL framework 2.8 allows path traversal.",
+ "cve": "CVE-2020-8545",
+ "id": "pyup.io-70578",
+ "more_info_path": "/vulnerabilities/CVE-2020-8545/70578",
+ "specs": [
+ "<2.9"
+ ],
+ "v": "<2.9"
+ }
+ ],
"aim": [
{
"advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
- "cve": "CVE-2020-5310",
- "id": "pyup.io-48607",
- "more_info_path": "/vulnerabilities/CVE-2020-5310/48607",
+ "cve": "CVE-2020-5311",
+ "id": "pyup.io-48613",
+ "more_info_path": "/vulnerabilities/CVE-2020-5311/48613",
"specs": [
"<1.2.13"
],
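Review bot: The new `ail` entry attaches CVE-2020-8545 ("Global.py in AIL framework 2.8 allows path traversal") to whatever PyPI distribution is named `ail`, and nothing in the entry confirms that this distribution is the AIL framework the advisory describes; if it is an unrelated project, every installer of `ail` below 2.9 will be flagged for a vulnerability it does not ship. The advisory also names only release 2.8, so the `<2.9` specifier (and the matching `"v"`) is an inference that is worth confirming against the project's fix release before it lands in `insecure_full.json`. The `aim` change in the same hunk is a reorder of two existing entries and raises nothing.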
@@ -1090,9 +1114,9 @@
},
{
"advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
- "cve": "CVE-2020-5311",
- "id": "pyup.io-48613",
- "more_info_path": "/vulnerabilities/CVE-2020-5311/48613",
+ "cve": "CVE-2020-5310",
+ "id": "pyup.io-48607",
+ "more_info_path": "/vulnerabilities/CVE-2020-5310/48607",
"specs": [
"<1.2.13"
],
@@ -1165,7 +1189,7 @@
],
"aiob": [
{
- "advisory": "AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.\r\nAlias:\r\nGHSA-rwqr-c348-m5wr",
+ "advisory": "AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.\r\nAlias: GHSA-rwqr-c348-m5wr",
"cve": "CVE-2022-33124",
"id": "pyup.io-62742",
"more_info_path": "/vulnerabilities/CVE-2022-33124/62742",
@@ -1287,14 +1311,14 @@
"v": "<3.8.0"
},
{
- "advisory": "Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg",
- "cve": "CVE-2023-47627",
- "id": "pyup.io-62326",
- "more_info_path": "/vulnerabilities/CVE-2023-47627/62326",
+ "advisory": "** Disputed ** AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application",
+ "cve": "CVE-2022-33124",
+ "id": "pyup.io-68501",
+ "more_info_path": "/vulnerabilities/CVE-2022-33124/68501",
"specs": [
- "<3.8.6"
+ "<3.8.1"
],
- "v": "<3.8.6"
+ "v": "<3.8.1"
},
{
"advisory": "Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9",
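Review bot: The new `aiohttp` entry `pyup.io-68501` carries `"specs": ["<3.8.1"]` and `"v": "<3.8.1"`, but its own advisory text says "AIOHTTP 3.8.1 can report ...", so the one release the text names as affected is excluded by the range. If 3.8.1 is the only affected release the text means, the specifier should be `"<=3.8.1"`; if the issue was fixed in a later release, the range needs that fix version rather than 3.8.1. The CVE-2023-47627 entry removed here is re-added unchanged further down in the same file section, so that part is only a reorder.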
@@ -1306,6 +1330,16 @@
],
"v": "<3.8.6"
},
+ {
+ "advisory": "Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg",
+ "cve": "CVE-2023-47627",
+ "id": "pyup.io-62326",
+ "more_info_path": "/vulnerabilities/CVE-2023-47627/62326",
+ "specs": [
+ "<3.8.6"
+ ],
+ "v": "<3.8.6"
+ },
{
"advisory": "Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2",
"cve": "CVE-2023-49081",
@@ -2188,7 +2222,7 @@
"v": "<4.2.1.0"
},
{
- "advisory": "Aldryn-django 4.2.10.0 upgrades its Django dependency to 4.2.10 due to the CVE-2024-24680.",
+ "advisory": "Aldryn-django 4.2.10.0 upgrades its Django dependency to 4.2.10 due to CVE-2024-24680.",
"cve": "CVE-2024-24680",
"id": "pyup.io-65010",
"more_info_path": "/vulnerabilities/CVE-2024-24680/65010",
@@ -2198,7 +2232,7 @@
"v": "<4.2.10.0"
},
{
- "advisory": "Aldryn-django 4.2.3.0 upgrades its Django dependency to 4.2.3 due to the CVE-2023-36053.",
+ "advisory": "Aldryn-django 4.2.3.0 upgrades its Django dependency to 4.2.3 due to CVE-2023-36053.",
"cve": "CVE-2023-36053",
"id": "pyup.io-65014",
"more_info_path": "/vulnerabilities/CVE-2023-36053/65014",
@@ -2367,6 +2401,18 @@
"v": ">0"
}
],
+ "algoseek-connector": [
+ {
+ "advisory": "Algoseek-connector version 2.1.3 addresses a security vulnerability in the sqlparse library by updating from version \"^0.4.4\" to \"^0.5.0\", in response to the security advisory GHSA-2m57-hf25-phgg.",
+ "cve": "PVE-2024-67887",
+ "id": "pyup.io-67981",
+ "more_info_path": "/vulnerabilities/PVE-2024-67887/67981",
+ "specs": [
+ "<2.1.3"
+ ],
+ "v": "<2.1.3"
+ }
+ ],
"allennlp": [
{
"advisory": "allennlp 0.6.1 upgrades flask to avoid security vulnerability.",
@@ -2485,6 +2531,18 @@
"v": "<0.9.2"
}
],
+ "altvmasterlist": [
+ {
+ "advisory": "Altvmasterlist version 3.1.0 updates its IDNA dependency from version 3.6 to 3.7 to fix a denial of service vulnerability.",
+ "cve": "CVE-2022-45061",
+ "id": "pyup.io-67623",
+ "more_info_path": "/vulnerabilities/CVE-2022-45061/67623",
+ "specs": [
+ "<3.1.0"
+ ],
+ "v": "<3.1.0"
+ }
+ ],
"alvaro": [
{
"advisory": "Alvaro 1.1.1 replaced Pickle with JSON to prevent code injection vulnerabilities.\r\nhttps://github.com/edgecase963/Alvaro/commit/d87c53359e7edde827add46a7870d4192eef0451",
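Review bot: The `cve` of the new `altvmasterlist` entry looks mismatched with its advisory text: CVE-2022-45061 is, to my knowledge, a CPython IDNA-decoder complexity issue, whereas the text describes bumping the third-party `idna` package from 3.6 to 3.7. Because `more_info_path` is derived from the same identifier (`/vulnerabilities/CVE-2022-45061/67623`), a wrong `cve` propagates into the link as well. The identifier should be checked against the advisory that the `idna` 3.7 release actually addresses, and if no matching CVE exists the entry should use the project's `PVE-` convention as the `algoseek-connector` entry above does.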
@@ -2747,16 +2805,6 @@
],
"v": "<1.2.3"
},
- {
- "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.",
- "cve": "CVE-2014-4657",
- "id": "pyup.io-25617",
- "more_info_path": "/vulnerabilities/CVE-2014-4657/25617",
- "specs": [
- "<1.5.4"
- ],
- "v": "<1.5.4"
- },
{
"advisory": "Ansible 1.5.4 includes a fix for CVE-2014-2686: Ansible prior to 1.5.4 mishandles the evaluation of some strings.\r\nhttps://groups.google.com/forum/#!searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ",
"cve": "CVE-2014-2686",
@@ -2768,14 +2816,14 @@
"v": "<1.5.4"
},
{
- "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19",
- "cve": "CVE-2014-4660",
- "id": "pyup.io-42918",
- "more_info_path": "/vulnerabilities/CVE-2014-4660/42918",
+ "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.",
+ "cve": "CVE-2014-4657",
+ "id": "pyup.io-25617",
+ "more_info_path": "/vulnerabilities/CVE-2014-4657/25617",
"specs": [
- "<1.5.5"
+ "<1.5.4"
],
- "v": "<1.5.5"
+ "v": "<1.5.4"
},
{
"advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4658: The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.",
@@ -2787,6 +2835,16 @@
],
"v": "<1.5.5"
},
+ {
+ "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19",
+ "cve": "CVE-2014-4660",
+ "id": "pyup.io-42918",
+ "more_info_path": "/vulnerabilities/CVE-2014-4660/42918",
+ "specs": [
+ "<1.5.5"
+ ],
+ "v": "<1.5.5"
+ },
{
"advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4659: Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the \"deb http://user:pass@server:port/\" format.",
"cve": "CVE-2014-4659",
@@ -2838,20 +2896,20 @@
"v": "<1.6.7"
},
{
- "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.\r\nhttps://github.com/ansible/ansible/commit/650e967b30f26c285441fb848a408044c51ad622",
- "cve": "PVE-2022-45329",
- "id": "pyup.io-45329",
- "more_info_path": "/vulnerabilities/PVE-2022-45329/45329",
+ "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.\r\nhttps://github.com/ansible/ansible/commit/92382c41810a4496e7f894696da645fe5151c232",
+ "cve": "PVE-2021-25622",
+ "id": "pyup.io-25622",
+ "more_info_path": "/vulnerabilities/PVE-2021-25622/25622",
"specs": [
"<1.7"
],
"v": "<1.7"
},
{
- "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.\r\nhttps://github.com/ansible/ansible/commit/92382c41810a4496e7f894696da645fe5151c232",
- "cve": "PVE-2021-25622",
- "id": "pyup.io-25622",
- "more_info_path": "/vulnerabilities/PVE-2021-25622/25622",
+ "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.\r\nhttps://github.com/ansible/ansible/commit/650e967b30f26c285441fb848a408044c51ad622",
+ "cve": "PVE-2022-45329",
+ "id": "pyup.io-45329",
+ "more_info_path": "/vulnerabilities/PVE-2022-45329/45329",
"specs": [
"<1.7"
],
@@ -2909,20 +2967,20 @@
"v": "<2.1.4.0,>2.1.4.0,<2.2.1.0"
},
{
- "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8614: A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614",
- "cve": "CVE-2016-8614",
- "id": "pyup.io-42916",
- "more_info_path": "/vulnerabilities/CVE-2016-8614/42916",
+ "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628",
+ "cve": "CVE-2016-8628",
+ "id": "pyup.io-42915",
+ "more_info_path": "/vulnerabilities/CVE-2016-8628/42915",
"specs": [
"<2.2.0"
],
"v": "<2.2.0"
},
{
- "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628",
- "cve": "CVE-2016-8628",
- "id": "pyup.io-42915",
- "more_info_path": "/vulnerabilities/CVE-2016-8628/42915",
+ "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8614: A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614",
+ "cve": "CVE-2016-8614",
+ "id": "pyup.io-42916",
+ "more_info_path": "/vulnerabilities/CVE-2016-8614/42916",
"specs": [
"<2.2.0"
],
@@ -2981,24 +3039,36 @@
"v": "<2.9.23"
},
{
- "advisory": "A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956464",
- "cve": "CVE-2021-3532",
- "id": "pyup.io-42923",
- "more_info_path": "/vulnerabilities/CVE-2021-3532/42923",
+ "advisory": "A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.",
+ "cve": "CVE-2020-10709",
+ "id": "pyup.io-70602",
+ "more_info_path": "/vulnerabilities/CVE-2020-10709/70602",
"specs": [
- ">0"
+ "<3.5.6",
+ ">=3.6.0,<3.6.4"
],
- "v": ">0"
+ "v": "<3.5.6,>=3.6.0,<3.6.4"
},
{
- "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.",
- "cve": "CVE-2020-25636",
- "id": "pyup.io-54229",
- "more_info_path": "/vulnerabilities/CVE-2020-25636/54229",
+ "advisory": "A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license.",
+ "cve": "CVE-2019-14890",
+ "id": "pyup.io-70527",
+ "more_info_path": "/vulnerabilities/CVE-2019-14890/70527",
"specs": [
- ">=0"
+ "<3.6.1"
],
- "v": ">=0"
+ "v": "<3.6.1"
+ },
+ {
+ "advisory": "An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.",
+ "cve": "CVE-2022-1632",
+ "id": "pyup.io-62625",
+ "more_info_path": "/vulnerabilities/CVE-2022-1632/62625",
+ "specs": [
+ "==2.0",
+ "==4.0"
+ ],
+ "v": "==2.0,==4.0"
},
{
"advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.",
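Review bot: The three entries now placed in this hunk under the `ansible` key describe Ansible Tower (CVE-2020-10709, CVE-2019-14890) and OpenShift (CVE-2022-1632) flaws, and their specifiers (`<3.5.6`, `>=3.6.0,<3.6.4`, `<3.6.1`, `==2.0,==4.0`) read as product versions rather than versions of the PyPI `ansible` distribution; applied to the PyPI package they will flag unrelated community releases in the 2.x–4.x range and miss nothing real. The same product-versus-package question applies to the CVE-2021-3533 entry re-added later in this file with `<2.12.0b1` while its text says it affects Tower 3.7 and Automation Platform 1.2. Unless these products are genuinely installed from the `ansible` distribution, the entries belong under a key that names the affected product, or should carry a specifier the advisory text supports. Separately, the CVE-2021-3532 entry (`pyup.io-42923`) is removed here and is not re-added anywhere in the hunks I can see; if it is not restored elsewhere in the diff that is a silent drop of an advisory.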
@@ -3010,6 +3080,16 @@
],
"v": ">=0"
},
+ {
+ "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.",
+ "cve": "CVE-2020-25636",
+ "id": "pyup.io-54229",
+ "more_info_path": "/vulnerabilities/CVE-2020-25636/54229",
+ "specs": [
+ ">=0"
+ ],
+ "v": ">=0"
+ },
{
"advisory": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.",
"cve": "CVE-2018-10874",
@@ -3066,6 +3146,16 @@
],
"v": ">=2.3.0,<2.3.3,>=2.4.0,<2.4.1"
},
+ {
+ "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
+ "cve": "CVE-2022-3697",
+ "id": "pyup.io-54564",
+ "more_info_path": "/vulnerabilities/CVE-2022-3697/54564",
+ "specs": [
+ ">=2.5.0,<7.0.0"
+ ],
+ "v": ">=2.5.0,<7.0.0"
+ },
{
"advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876",
"cve": "CVE-2018-16876",
@@ -3139,10 +3229,10 @@
"v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7"
},
{
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738",
- "cve": "CVE-2020-1738",
- "id": "pyup.io-42873",
- "more_info_path": "/vulnerabilities/CVE-2020-1738/42873",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736",
+ "cve": "CVE-2020-1736",
+ "id": "pyup.io-42875",
+ "more_info_path": "/vulnerabilities/CVE-2020-1736/42875",
"specs": [
">=2.7.0a0,<2.7.17",
">=2.8.0a0,<2.8.9",
@@ -3151,10 +3241,10 @@
"v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
- "cve": "CVE-2020-1739",
- "id": "pyup.io-42871",
- "more_info_path": "/vulnerabilities/CVE-2020-1739/42871",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
+ "cve": "CVE-2020-10684",
+ "id": "pyup.io-42864",
+ "more_info_path": "/vulnerabilities/CVE-2020-10684/42864",
"specs": [
">=2.7.0a0,<2.7.17",
">=2.8.0a0,<2.8.9",
@@ -3163,10 +3253,10 @@
"v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740",
- "cve": "CVE-2020-1740",
- "id": "pyup.io-42869",
- "more_info_path": "/vulnerabilities/CVE-2020-1740/42869",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738",
+ "cve": "CVE-2020-1738",
+ "id": "pyup.io-42873",
+ "more_info_path": "/vulnerabilities/CVE-2020-1738/42873",
"specs": [
">=2.7.0a0,<2.7.17",
">=2.8.0a0,<2.8.9",
@@ -3175,10 +3265,10 @@
"v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736",
- "cve": "CVE-2020-1736",
- "id": "pyup.io-42875",
- "more_info_path": "/vulnerabilities/CVE-2020-1736/42875",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739",
+ "cve": "CVE-2020-1739",
+ "id": "pyup.io-42871",
+ "more_info_path": "/vulnerabilities/CVE-2020-1739/42871",
"specs": [
">=2.7.0a0,<2.7.17",
">=2.8.0a0,<2.8.9",
@@ -3199,10 +3289,10 @@
"v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6"
},
{
- "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684",
- "cve": "CVE-2020-10684",
- "id": "pyup.io-42864",
- "more_info_path": "/vulnerabilities/CVE-2020-10684/42864",
+ "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740",
+ "cve": "CVE-2020-1740",
+ "id": "pyup.io-42869",
+ "more_info_path": "/vulnerabilities/CVE-2020-1740/42869",
"specs": [
">=2.7.0a0,<2.7.17",
">=2.8.0a0,<2.8.9",
@@ -3281,6 +3371,16 @@
],
"v": "<1.9.5,==2.0.0"
},
+ {
+ "advisory": "A flaw was found in Ansible if an Ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world-writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.",
+ "cve": "CVE-2021-3533",
+ "id": "pyup.io-66667",
+ "more_info_path": "/vulnerabilities/CVE-2021-3533/66667",
+ "specs": [
+ "<2.12.0b1"
+ ],
+ "v": "<2.12.0b1"
+ },
{
"advisory": "An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.",
"cve": "CVE-2024-0690",
@@ -3314,17 +3414,6 @@
],
"v": "==2.0,==2.1"
},
- {
- "advisory": "An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.",
- "cve": "CVE-2022-1632",
- "id": "pyup.io-62625",
- "more_info_path": "/vulnerabilities/CVE-2022-1632/62625",
- "specs": [
- "==2.0",
- "==4.0"
- ],
- "v": "==2.0,==4.0"
- },
{
"advisory": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.",
"cve": "CVE-2020-14330",
@@ -3446,16 +3535,6 @@
],
"v": ">=0,<2.9.6"
},
- {
- "advisory": "A flaw was found in Ansible if an Ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world-writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.",
- "cve": "CVE-2021-3533",
- "id": "pyup.io-66667",
- "more_info_path": "/vulnerabilities/CVE-2021-3533/66667",
- "specs": [
- ">=0,<3.0.0"
- ],
- "v": ">=0,<3.0.0"
- },
{
"advisory": "Ansible 2.4.0.0rc1 includes a security fix: There is a mismatch between two hash formats that causes the generation of a relatively shorter salt value (8 characters), which would make it easier to do dictionary/brute force attacks.\r\nhttps://github.com/ansible/ansible/commit/f5aa9df1fddb4448d5d81fbb9d03bb82a16eda52",
"cve": "PVE-2023-60874",
@@ -3511,16 +3590,6 @@
],
"v": ">=2.5.0,<2.5.5,>=2.4.0,<2.4.5"
},
- {
- "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
- "cve": "CVE-2022-3697",
- "id": "pyup.io-54564",
- "more_info_path": "/vulnerabilities/CVE-2022-3697/54564",
- "specs": [
- ">=2.5.0,<7.0.0"
- ],
- "v": ">=2.5.0,<7.0.0"
- },
{
"advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.",
"cve": "CVE-2019-14905",
@@ -3569,6 +3638,16 @@
],
"v": ">=2.8.0a1,<2.8.19,>=2.9.0b1,<2.9.18"
},
+ {
+ "advisory": "A vulnerability in versions of the Ansible solaris_zone module permits an attacker to execute arbitrary commands on a Solaris host. This issue arises when the module checks the zone name by using a basic 'ps' command, enabling the attack through a maliciously crafted zone name. This flaw poses a risk to various versions of Ansible Engine, exposing systems to potential unauthorized command execution.",
+ "cve": "CVE-2019-14904",
+ "id": "pyup.io-68097",
+ "more_info_path": "/vulnerabilities/CVE-2019-14904/68097",
+ "specs": [
+ ">=2.9.0,<2.9.2"
+ ],
+ "v": ">=2.9.0,<2.9.2"
+ },
{
"advisory": "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.",
"cve": "CVE-2020-10691",
@@ -4049,10 +4128,10 @@
"v": "<1.10.14"
},
{
- "advisory": "Apache-airflow 1.10.3 sets HttpOnly flag to cookies by default.\r\nhttps://github.com/apache/airflow/commit/1211dddfd7167fd90575f40dd6734b0af9aec8b7",
- "cve": "PVE-2022-51848",
- "id": "pyup.io-51848",
- "more_info_path": "/vulnerabilities/PVE-2022-51848/51848",
+ "advisory": "Apache-airflow 1.10.3 updates its dependency 'gunicorn' minimum requirement to v19.5.0 to include a security fix.",
+ "cve": "CVE-2018-1000164",
+ "id": "pyup.io-51833",
+ "more_info_path": "/vulnerabilities/CVE-2018-1000164/51833",
"specs": [
"<1.10.3"
],
@@ -4069,60 +4148,60 @@
"v": "<1.10.3"
},
{
- "advisory": "Apache-airflow 1.10.3 updates its dependency 'gunicorn' minimum requirement to v19.5.0 to include a security fix.",
- "cve": "CVE-2018-1000164",
- "id": "pyup.io-51833",
- "more_info_path": "/vulnerabilities/CVE-2018-1000164/51833",
+ "advisory": "Apache-airflow 1.10.3 sets HttpOnly flag to cookies by default.\r\nhttps://github.com/apache/airflow/commit/1211dddfd7167fd90575f40dd6734b0af9aec8b7",
+ "cve": "PVE-2022-51848",
+ "id": "pyup.io-51848",
+ "more_info_path": "/vulnerabilities/PVE-2022-51848/51848",
"specs": [
"<1.10.3"
],
"v": "<1.10.3"
},
{
- "advisory": "Apache-airflow 1.9.0a0 includes a security fix: An individual with the capacity to create or modify Charts holds the potential to run any code they desire on the Airflow server.",
- "cve": "PVE-2023-99964",
- "id": "pyup.io-60877",
- "more_info_path": "/vulnerabilities/PVE-2023-99964/60877",
+ "advisory": "Apache-airflow 1.9.0a0 includes a security fix: When navigating to a page where the 'dag_id' parameter is specified as an HTML tag, the tag is rendered. This is because it uses the Markup tag, which subsequently marks HTML as safe. This presents cross-site scripting vulnerabilities due to the display of unsanitized user input.",
+ "cve": "PVE-2023-99965",
+ "id": "pyup.io-60876",
+ "more_info_path": "/vulnerabilities/PVE-2023-99965/60876",
"specs": [
"<1.9.0a0"
],
"v": "<1.9.0a0"
},
{
- "advisory": "Apache-airflow 1.9.0a0 includes a security fix: When navigating to a page where the 'dag_id' parameter is specified as an HTML tag, the tag is rendered. This is because it uses the Markup tag, which subsequently marks HTML as safe. This presents cross-site scripting vulnerabilities due to the display of unsanitized user input.",
- "cve": "PVE-2023-99965",
- "id": "pyup.io-60876",
- "more_info_path": "/vulnerabilities/PVE-2023-99965/60876",
+ "advisory": "Apache-airflow 1.9.0a0 includes a security fix: An individual with the capacity to create or modify Charts holds the potential to run any code they desire on the Airflow server.",
+ "cve": "PVE-2023-99964",
+ "id": "pyup.io-60877",
+ "more_info_path": "/vulnerabilities/PVE-2023-99964/60877",
"specs": [
"<1.9.0a0"
],
"v": "<1.9.0a0"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-28710.",
- "cve": "CVE-2023-28710",
- "id": "pyup.io-63173",
- "more_info_path": "/vulnerabilities/CVE-2023-28710/63173",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Sqoop provider integration. Therefore, it is affected by CVE-2023-25693.",
+ "cve": "CVE-2023-25693",
+ "id": "pyup.io-63178",
+ "more_info_path": "/vulnerabilities/CVE-2023-25693/63178",
"specs": [
"<2.0.0b1"
],
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Amazon provider integration. Therefore, it is affected by CVE-2023-25956.",
- "cve": "CVE-2023-25956",
- "id": "pyup.io-63177",
- "more_info_path": "/vulnerabilities/CVE-2023-25956/63177",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-28710.",
+ "cve": "CVE-2023-28710",
+ "id": "pyup.io-63173",
+ "more_info_path": "/vulnerabilities/CVE-2023-28710/63173",
"specs": [
"<2.0.0b1"
],
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.",
- "cve": "CVE-2022-38362",
- "id": "pyup.io-63172",
- "more_info_path": "/vulnerabilities/CVE-2022-38362/63172",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-28706.",
+ "cve": "CVE-2023-28706",
+ "id": "pyup.io-63174",
+ "more_info_path": "/vulnerabilities/CVE-2023-28706/63174",
"specs": [
"<2.0.0b1"
],
@@ -4139,20 +4218,20 @@
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-28706.",
- "cve": "CVE-2023-28706",
- "id": "pyup.io-63174",
- "more_info_path": "/vulnerabilities/CVE-2023-28706/63174",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud provider integration. Therefore, it is affected by CVE-2023-25691.",
+ "cve": "CVE-2023-25691",
+ "id": "pyup.io-63175",
+ "more_info_path": "/vulnerabilities/CVE-2023-25691/63175",
"specs": [
"<2.0.0b1"
],
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud provider integration. Therefore, it is affected by CVE-2023-25691.",
- "cve": "CVE-2023-25691",
- "id": "pyup.io-63175",
- "more_info_path": "/vulnerabilities/CVE-2023-25691/63175",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.",
+ "cve": "CVE-2023-40195",
+ "id": "pyup.io-63170",
+ "more_info_path": "/vulnerabilities/CVE-2023-40195/63170",
"specs": [
"<2.0.0b1"
],
@@ -4169,30 +4248,30 @@
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.",
- "cve": "CVE-2023-40195",
- "id": "pyup.io-63170",
- "more_info_path": "/vulnerabilities/CVE-2023-40195/63170",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Amazon provider integration. Therefore, it is affected by CVE-2023-25956.",
+ "cve": "CVE-2023-25956",
+ "id": "pyup.io-63177",
+ "more_info_path": "/vulnerabilities/CVE-2023-25956/63177",
"specs": [
"<2.0.0b1"
],
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.",
- "cve": "CVE-2022-46421",
- "id": "pyup.io-63180",
- "more_info_path": "/vulnerabilities/CVE-2022-46421/63180",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.",
+ "cve": "CVE-2022-38362",
+ "id": "pyup.io-63172",
+ "more_info_path": "/vulnerabilities/CVE-2022-38362/63172",
"specs": [
"<2.0.0b1"
],
"v": "<2.0.0b1"
},
{
- "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Sqoop provider integration. Therefore, it is affected by CVE-2023-25693.",
- "cve": "CVE-2023-25693",
- "id": "pyup.io-63178",
- "more_info_path": "/vulnerabilities/CVE-2023-25693/63178",
+ "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.",
+ "cve": "CVE-2022-46421",
+ "id": "pyup.io-63180",
+ "more_info_path": "/vulnerabilities/CVE-2022-46421/63180",
"specs": [
"<2.0.0b1"
],
@@ -4298,6 +4377,16 @@
],
"v": "<2.6.0"
},
+ {
+ "advisory": "The details page for task instances in the user interface is subject to a stored XSS vulnerability. This problem pertains to Apache Airflow versions prior to 2.6.0.\r\nhttps://github.com/apache/airflow/pull/30447/commits/3d894f7a643e9319f5c48e343ac39b248dedaa9b\r\nhttps://github.com/apache/airflow/pull/30779/commits/7c566f7ef4b33175aafc4f89f94fb2096b093940",
+ "cve": "CVE-2023-29247",
+ "id": "pyup.io-63344",
+ "more_info_path": "/vulnerabilities/CVE-2023-29247/63344",
+ "specs": [
+ "<2.6.0"
+ ],
+ "v": "<2.6.0"
+ },
{
"advisory": "Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.6.0.",
"cve": "CVE-2023-25754",
@@ -4309,14 +4398,14 @@
"v": "<2.6.0"
},
{
- "advisory": "The details page for task instances in the user interface is subject to a stored XSS vulnerability. This problem pertains to Apache Airflow versions prior to 2.6.0.\r\nhttps://github.com/apache/airflow/pull/30447/commits/3d894f7a643e9319f5c48e343ac39b248dedaa9b\r\nhttps://github.com/apache/airflow/pull/30779/commits/7c566f7ef4b33175aafc4f89f94fb2096b093940",
- "cve": "CVE-2023-29247",
- "id": "pyup.io-63344",
- "more_info_path": "/vulnerabilities/CVE-2023-29247/63344",
+ "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected",
+ "cve": "CVE-2023-22887",
+ "id": "pyup.io-62890",
+ "more_info_path": "/vulnerabilities/CVE-2023-22887/62890",
"specs": [
- "<2.6.0"
+ "<2.6.3"
],
- "v": "<2.6.0"
+ "v": "<2.6.3"
},
{
"advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected",
@@ -4349,30 +4438,20 @@
"v": "<2.6.3"
},
{
- "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected",
- "cve": "CVE-2023-22887",
- "id": "pyup.io-62890",
- "more_info_path": "/vulnerabilities/CVE-2023-22887/62890",
- "specs": [
- "<2.6.3"
- ],
- "v": "<2.6.3"
- },
- {
- "advisory": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\r\n\r\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.",
- "cve": "CVE-2023-37379",
- "id": "pyup.io-65002",
- "more_info_path": "/vulnerabilities/CVE-2023-37379/65002",
+ "advisory": "Apache-airflow 2.7.0 disables default allowing the testing of connections in UI, API and CLI for security reasons.\r\nhttps://github.com/apache/airflow/pull/32052",
+ "cve": "PVE-2023-60952",
+ "id": "pyup.io-60952",
+ "more_info_path": "/vulnerabilities/PVE-2023-60952/60952",
"specs": [
"<2.7.0"
],
"v": "<2.7.0"
},
{
- "advisory": "Apache-airflow 2.7.0 disables default allowing the testing of connections in UI, API and CLI for security reasons.\r\nhttps://github.com/apache/airflow/pull/32052",
- "cve": "PVE-2023-60952",
- "id": "pyup.io-60952",
- "more_info_path": "/vulnerabilities/PVE-2023-60952/60952",
+ "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability",
+ "cve": "CVE-2023-39441",
+ "id": "pyup.io-65020",
+ "more_info_path": "/vulnerabilities/CVE-2023-39441/65020",
"specs": [
"<2.7.0"
],
@@ -4389,10 +4468,10 @@
"v": "<2.7.0"
},
{
- "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability",
- "cve": "CVE-2023-39441",
- "id": "pyup.io-65020",
- "more_info_path": "/vulnerabilities/CVE-2023-39441/65020",
+ "advisory": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\r\n\r\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.",
+ "cve": "CVE-2023-37379",
+ "id": "pyup.io-65002",
+ "more_info_path": "/vulnerabilities/CVE-2023-37379/65002",
"specs": [
"<2.7.0"
],
@@ -4479,20 +4558,20 @@
"v": "<=2.3.2"
},
{
- "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
- "cve": "PVE-2022-47833",
- "id": "pyup.io-49785",
- "more_info_path": "/vulnerabilities/PVE-2022-47833/49785",
+ "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49786",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49786",
"specs": [
"<=2.3.2"
],
"v": "<=2.3.2"
},
{
- "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49786",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49786",
+ "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
+ "cve": "PVE-2022-47833",
+ "id": "pyup.io-49785",
+ "more_info_path": "/vulnerabilities/PVE-2022-47833/49785",
"specs": [
"<=2.3.2"
],
@@ -4538,16 +4617,6 @@
],
"v": ">=0,<1.10.11rc1"
},
- {
- "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.",
- "cve": "CVE-2020-11983",
- "id": "pyup.io-54181",
- "more_info_path": "/vulnerabilities/CVE-2020-11983/54181",
- "specs": [
- ">=0,<1.10.11rc1"
- ],
- "v": ">=0,<1.10.11rc1"
- },
{
"advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.",
"cve": "CVE-2020-11981",
@@ -4578,6 +4647,16 @@
],
"v": ">=0,<1.10.11rc1"
},
+ {
+ "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.",
+ "cve": "CVE-2020-11983",
+ "id": "pyup.io-54181",
+ "more_info_path": "/vulnerabilities/CVE-2020-11983/54181",
+ "specs": [
+ ">=0,<1.10.11rc1"
+ ],
+ "v": ">=0,<1.10.11rc1"
+ },
{
"advisory": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.",
"cve": "CVE-2020-17511",
@@ -4629,20 +4708,20 @@
"v": ">=0,<1.10.3b1"
},
{
- "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74",
- "cve": "PVE-2024-99796",
- "id": "pyup.io-66019",
- "more_info_path": "/vulnerabilities/PVE-2024-99796/66019",
+ "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.",
+ "cve": "CVE-2019-12398",
+ "id": "pyup.io-54139",
+ "more_info_path": "/vulnerabilities/CVE-2019-12398/54139",
"specs": [
">=0,<1.10.5"
],
"v": ">=0,<1.10.5"
},
{
- "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.",
- "cve": "CVE-2019-12398",
- "id": "pyup.io-54139",
- "more_info_path": "/vulnerabilities/CVE-2019-12398/54139",
+ "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74",
+ "cve": "PVE-2024-99796",
+ "id": "pyup.io-66019",
+ "more_info_path": "/vulnerabilities/PVE-2024-99796/66019",
"specs": [
">=0,<1.10.5"
],
@@ -4679,20 +4758,20 @@
"v": ">=0,<1.9.0"
},
{
- "advisory": "In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.",
- "cve": "CVE-2017-17835",
- "id": "pyup.io-53948",
- "more_info_path": "/vulnerabilities/CVE-2017-17835/53948",
+ "advisory": "It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.",
+ "cve": "CVE-2017-12614",
+ "id": "pyup.io-53928",
+ "more_info_path": "/vulnerabilities/CVE-2017-12614/53928",
"specs": [
">=0,<1.9.0"
],
"v": ">=0,<1.9.0"
},
{
- "advisory": "It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.",
- "cve": "CVE-2017-12614",
- "id": "pyup.io-53928",
- "more_info_path": "/vulnerabilities/CVE-2017-12614/53928",
+ "advisory": "In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.",
+ "cve": "CVE-2017-17835",
+ "id": "pyup.io-53948",
+ "more_info_path": "/vulnerabilities/CVE-2017-17835/53948",
"specs": [
">=0,<1.9.0"
],
@@ -4729,20 +4808,20 @@
"v": ">=0,<2.3.0"
},
{
- "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).",
- "cve": "CVE-2022-41131",
- "id": "pyup.io-54592",
- "more_info_path": "/vulnerabilities/CVE-2022-41131/54592",
+ "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).",
+ "cve": "CVE-2022-40954",
+ "id": "pyup.io-54588",
+ "more_info_path": "/vulnerabilities/CVE-2022-40954/54588",
"specs": [
">=0,<2.3.0"
],
"v": ">=0,<2.3.0"
},
{
- "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).",
- "cve": "CVE-2022-40954",
- "id": "pyup.io-54588",
- "more_info_path": "/vulnerabilities/CVE-2022-40954/54588",
+ "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).",
+ "cve": "CVE-2022-41131",
+ "id": "pyup.io-54592",
+ "more_info_path": "/vulnerabilities/CVE-2022-41131/54592",
"specs": [
">=0,<2.3.0"
],
@@ -4799,20 +4878,20 @@
"v": ">=0,<2.4.1"
},
{
- "advisory": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.",
- "cve": "CVE-2022-43985",
- "id": "pyup.io-54567",
- "more_info_path": "/vulnerabilities/CVE-2022-43985/54567",
+ "advisory": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.",
+ "cve": "CVE-2022-43982",
+ "id": "pyup.io-54568",
+ "more_info_path": "/vulnerabilities/CVE-2022-43982/54568",
"specs": [
">=0,<2.4.2"
],
"v": ">=0,<2.4.2"
},
{
- "advisory": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.",
- "cve": "CVE-2022-43982",
- "id": "pyup.io-54568",
- "more_info_path": "/vulnerabilities/CVE-2022-43982/54568",
+ "advisory": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.",
+ "cve": "CVE-2022-43985",
+ "id": "pyup.io-54567",
+ "more_info_path": "/vulnerabilities/CVE-2022-43985/54567",
"specs": [
">=0,<2.4.2"
],
@@ -4859,20 +4938,20 @@
"v": ">=0,<2.6.3"
},
{
- "advisory": "Apache Airflow, in versions before 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2\u00a0Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.",
- "cve": "CVE-2023-48291",
- "id": "pyup.io-65191",
- "more_info_path": "/vulnerabilities/CVE-2023-48291/65191",
+ "advisory": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.",
+ "cve": "CVE-2023-50783",
+ "id": "pyup.io-65201",
+ "more_info_path": "/vulnerabilities/CVE-2023-50783/65201",
"specs": [
">=0,<2.8.0b1"
],
"v": ">=0,<2.8.0b1"
},
{
- "advisory": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.",
- "cve": "CVE-2023-50783",
- "id": "pyup.io-65201",
- "more_info_path": "/vulnerabilities/CVE-2023-50783/65201",
+ "advisory": "Apache Airflow, in versions before 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2\u00a0Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.",
+ "cve": "CVE-2023-48291",
+ "id": "pyup.io-65191",
+ "more_info_path": "/vulnerabilities/CVE-2023-48291/65191",
"specs": [
">=0,<2.8.0b1"
],
@@ -4898,6 +4977,26 @@
],
"v": ">=0,<2.8.1"
},
+ {
+ "advisory": "Apache Airflow is affected by a vulnerability impacting versions before 2.8.2, where authenticated users can access DAG code and import errors for DAGs without required permissions via the API and UI. To mitigate this risk, upgrading to version 2.8.2 or newer is recommended.",
+ "cve": "CVE-2023-46052",
+ "id": "pyup.io-68475",
+ "more_info_path": "/vulnerabilities/CVE-2023-46052/68475",
+ "specs": [
+ ">=0,<2.8.2"
+ ],
+ "v": ">=0,<2.8.2"
+ },
+ {
+ "advisory": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability",
+ "cve": "CVE-2023-46051",
+ "id": "pyup.io-68489",
+ "more_info_path": "/vulnerabilities/CVE-2023-46051/68489",
+ "specs": [
+ ">=0,<2.8.2"
+ ],
+ "v": ">=0,<2.8.2"
+ },
{
"advisory": "Apache-airflow 1.10.15 and 2.0.2 include a fix for CVE-2021-28359: The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).",
"cve": "CVE-2021-28359",
@@ -4931,20 +5030,20 @@
"v": ">=1.10.0,<2.7.0"
},
{
- "advisory": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.",
- "cve": "CVE-2021-26697",
- "id": "pyup.io-54461",
- "more_info_path": "/vulnerabilities/CVE-2021-26697/54461",
+ "advisory": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.",
+ "cve": "CVE-2021-26559",
+ "id": "pyup.io-54168",
+ "more_info_path": "/vulnerabilities/CVE-2021-26559/54168",
"specs": [
">=2.0.0,<2.0.1"
],
"v": ">=2.0.0,<2.0.1"
},
{
- "advisory": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.",
- "cve": "CVE-2021-26559",
- "id": "pyup.io-54168",
- "more_info_path": "/vulnerabilities/CVE-2021-26559/54168",
+ "advisory": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue only affects Apache Airflow 2.0.0.",
+ "cve": "CVE-2021-26697",
+ "id": "pyup.io-54461",
+ "more_info_path": "/vulnerabilities/CVE-2021-26697/54461",
"specs": [
">=2.0.0,<2.0.1"
],
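Review bot: The removed and added lines in this hunk are the same two records (pyup.io-54461 and pyup.io-54168) with their positions swapped, so the hunk carries no content change; the same churn repeats in the hunks at -4971, -5162/-5212, -5422/-5472, -6238/-6368, -6524/-6603, -6666/-6695, -7088/-7117, -7352/-7371, -7818/-7847, -7861, -8320, -9094/-9104, -9172/-9213, -9298, -9339/-9370/-9389, -9420/-9440, -9510, -9560/-9571 and -9984. For a vulnerability database this matters, because a record that is genuinely dropped is hard to tell apart from one that merely moved. If the export step can sort each package's list by a stable key such as `id` before writing, the diff would shrink to the real additions, removals and text updates.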
@@ -4971,20 +5070,20 @@
"v": ">=2.2.4,<2.3.4rc1"
},
{
- "advisory": "In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.",
- "cve": "CVE-2022-40754",
- "id": "pyup.io-54715",
- "more_info_path": "/vulnerabilities/CVE-2022-40754/54715",
+ "advisory": "In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.",
+ "cve": "CVE-2022-40604",
+ "id": "pyup.io-54551",
+ "more_info_path": "/vulnerabilities/CVE-2022-40604/54551",
"specs": [
">=2.3.0,<2.4.0b1"
],
"v": ">=2.3.0,<2.4.0b1"
},
{
- "advisory": "In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.",
- "cve": "CVE-2022-40604",
- "id": "pyup.io-54551",
- "more_info_path": "/vulnerabilities/CVE-2022-40604/54551",
+ "advisory": "In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.",
+ "cve": "CVE-2022-40754",
+ "id": "pyup.io-54715",
+ "more_info_path": "/vulnerabilities/CVE-2022-40754/54715",
"specs": [
">=2.3.0,<2.4.0b1"
],
@@ -5162,16 +5261,6 @@
],
"v": "<=2021.3.3"
},
- {
- "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-49926",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/49926",
- "specs": [
- "<=2021.3.3"
- ],
- "v": "<=2021.3.3"
- },
{
"advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).",
"cve": "CVE-2021-29621",
@@ -5212,6 +5301,16 @@
],
"v": "<=2021.3.3"
},
+ {
+ "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-49926",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/49926",
+ "specs": [
+ "<=2021.3.3"
+ ],
+ "v": "<=2021.3.3"
+ },
{
"advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).",
"cve": "CVE-2021-33503",
@@ -5422,16 +5521,6 @@
],
"v": "<=2021.3.3"
},
- {
- "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-49942",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/49942",
- "specs": [
- "<=2021.3.3"
- ],
- "v": "<=2021.3.3"
- },
{
"advisory": "apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).",
"cve": "CVE-2023-25754",
@@ -5472,6 +5561,16 @@
],
"v": "<=2021.3.3"
},
+ {
+ "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-49942",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/49942",
+ "specs": [
+ "<=2021.3.3"
+ ],
+ "v": "<=2021.3.3"
+ },
{
"advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).",
"cve": "CVE-2021-33503",
@@ -6238,16 +6337,6 @@
}
],
"apache-airflow-backport-providers-slack": [
- {
- "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-49990",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/49990",
- "specs": [
- "<=2021.3.3"
- ],
- "v": "<=2021.3.3"
- },
{
"advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).",
"cve": "CVE-2021-41265",
@@ -6368,6 +6457,16 @@
],
"v": "<=2021.3.3"
},
+ {
+ "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-49990",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/49990",
+ "specs": [
+ "<=2021.3.3"
+ ],
+ "v": "<=2021.3.3"
+ },
{
"advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).",
"cve": "CVE-2021-29621",
@@ -6524,16 +6623,6 @@
],
"v": "<=2021.3.3"
},
- {
- "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-50006",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/50006",
- "specs": [
- "<=2021.3.3"
- ],
- "v": "<=2021.3.3"
- },
{
"advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).",
"cve": "CVE-2021-37712",
@@ -6603,6 +6692,16 @@
"<=2021.3.3"
],
"v": "<=2021.3.3"
+ },
+ {
+ "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-50006",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/50006",
+ "specs": [
+ "<=2021.3.3"
+ ],
+ "v": "<=2021.3.3"
}
],
"apache-airflow-backport-providers-tableau": [
@@ -6666,16 +6765,6 @@
}
],
"apache-airflow-providers-airbyte": [
- {
- "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49838",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49838",
- "specs": [
- "<=3.0.0"
- ],
- "v": "<=3.0.0"
- },
{
"advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
"cve": "PVE-2022-47833",
@@ -6695,6 +6784,16 @@
"<=3.0.0"
],
"v": "<=3.0.0"
+ },
+ {
+ "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49838",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49838",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
}
],
"apache-airflow-providers-amazon": [
@@ -7088,16 +7187,6 @@
}
],
"apache-airflow-providers-databricks": [
- {
- "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49826",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49826",
- "specs": [
- "<=3.0.0"
- ],
- "v": "<=3.0.0"
- },
{
"advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
"cve": "PVE-2022-47833",
@@ -7117,6 +7206,16 @@
"<=3.0.0"
],
"v": "<=3.0.0"
+ },
+ {
+ "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49826",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49826",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
}
],
"apache-airflow-providers-datadog": [
@@ -7352,6 +7451,16 @@
}
],
"apache-airflow-providers-microsoft-azure": [
+ {
+ "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49877",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49877",
+ "specs": [
+ "<=4.0.0"
+ ],
+ "v": "<=4.0.0"
+ },
{
"advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
"cve": "PVE-2022-47833",
@@ -7371,16 +7480,6 @@
"<=4.0.0"
],
"v": "<=4.0.0"
- },
- {
- "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49877",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49877",
- "specs": [
- "<=4.0.0"
- ],
- "v": "<=4.0.0"
}
],
"apache-airflow-providers-microsoft-mssql": [
@@ -7818,16 +7917,6 @@
}
],
"apache-airflow-providers-slack": [
- {
- "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49853",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49853",
- "specs": [
- "<=5.0.0"
- ],
- "v": "<=5.0.0"
- },
{
"advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
"cve": "PVE-2022-47833",
@@ -7847,6 +7936,16 @@
"<=5.0.0"
],
"v": "<=5.0.0"
+ },
+ {
+ "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49853",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49853",
+ "specs": [
+ "<=5.0.0"
+ ],
+ "v": "<=5.0.0"
}
],
"apache-airflow-providers-snowflake": [
@@ -7861,20 +7960,20 @@
"v": "<=3.0.0"
},
{
- "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
- "cve": "PVE-2022-47833",
- "id": "pyup.io-49848",
- "more_info_path": "/vulnerabilities/PVE-2022-47833/49848",
+ "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49849",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49849",
"specs": [
"<=3.0.0"
],
"v": "<=3.0.0"
},
{
- "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49849",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49849",
+ "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).",
+ "cve": "PVE-2022-47833",
+ "id": "pyup.io-49848",
+ "more_info_path": "/vulnerabilities/PVE-2022-47833/49848",
"specs": [
"<=3.0.0"
],
@@ -8060,6 +8159,16 @@
],
"v": "<3.0.0"
},
+ {
+ "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
+ "cve": "CVE-2018-11307",
+ "id": "pyup.io-50544",
+ "more_info_path": "/vulnerabilities/CVE-2018-11307/50544",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
{
"advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
"cve": "CVE-2020-10969",
@@ -8320,16 +8429,6 @@
],
"v": "<3.0.0"
},
- {
- "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
- "cve": "CVE-2018-11307",
- "id": "pyup.io-50544",
- "more_info_path": "/vulnerabilities/CVE-2018-11307/50544",
- "specs": [
- "<3.0.0"
- ],
- "v": "<3.0.0"
- },
{
"advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
"cve": "CVE-2018-19360",
@@ -8765,6 +8864,16 @@
],
"v": "<0.13.1"
},
+ {
+ "advisory": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.",
+ "cve": "CVE-2023-46226",
+ "id": "pyup.io-70407",
+ "more_info_path": "/vulnerabilities/CVE-2023-46226/70407",
+ "specs": [
+ "<1.3.0"
+ ],
+ "v": "<1.3.0"
+ },
{
"advisory": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.",
"cve": "CVE-2023-30771",
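Review bot: The new CVE-2023-46226 entry's `specs` value `<1.3.0` has no lower bound, while its advisory text says the issue affects IoTDB "from 1.0.0 through 1.2.2"; as written it will also flag every 0.x release, and the entry just above (`"v": "<0.13.1"`) shows that line exists. If the range is meant to follow the advisory, `">=1.0.0,<1.3.0"` in both `specs` and `v` would match the stated scope while still treating 1.3.0 as the fixed version. Whether any 1.2.x release after 1.2.2 exists cannot be checked from here, so the upper bound is presumably fine as is.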
@@ -9094,9 +9203,9 @@
},
{
"advisory": "Apache-superset 1.2.0 updates NPM packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367",
- "cve": "CVE-2020-28477",
- "id": "pyup.io-41791",
- "more_info_path": "/vulnerabilities/CVE-2020-28477/41791",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-45803",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/45803",
"specs": [
"<1.2.0"
],
@@ -9104,9 +9213,9 @@
},
{
"advisory": "Apache-superset 1.2.0 updates NPM packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-45803",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/45803",
+ "cve": "CVE-2020-28477",
+ "id": "pyup.io-41791",
+ "more_info_path": "/vulnerabilities/CVE-2020-28477/41791",
"specs": [
"<1.2.0"
],
@@ -9172,16 +9281,6 @@
],
"v": "<2.1.2"
},
- {
- "advisory": "Apache-superset 3.0.0 updates its dependency 'flask_caching' to v1.11.1 to include a security fix.",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-61921",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/61921",
- "specs": [
- "<3.0.0"
- ],
- "v": "<3.0.0"
- },
{
"advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.",
"cve": "CVE-2021-3807",
@@ -9202,6 +9301,16 @@
],
"v": "<3.0.0"
},
+ {
+ "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.",
+ "cve": "CVE-2023-42502",
+ "id": "pyup.io-65227",
+ "more_info_path": "/vulnerabilities/CVE-2023-42502/65227",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
{
"advisory": "An authenticated user with read permissions on database connection metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.",
"cve": "CVE-2023-42505",
@@ -9213,10 +9322,10 @@
"v": "<3.0.0"
},
{
- "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.",
- "cve": "CVE-2023-42502",
- "id": "pyup.io-65227",
- "more_info_path": "/vulnerabilities/CVE-2023-42502/65227",
+ "advisory": "Apache-superset 3.0.0 updates its dependency 'flask_caching' to v1.11.1 to include a security fix.",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-61921",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/61921",
"specs": [
"<3.0.0"
],
@@ -9276,6 +9385,17 @@
],
"v": "<=1.5.2,==2.0.0"
},
+ {
+ "advisory": "Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
+ "cve": "CVE-2022-43717",
+ "id": "pyup.io-54616",
+ "more_info_path": "/vulnerabilities/CVE-2022-43717/54616",
+ "specs": [
+ "<=1.5.2",
+ "==2.0.0"
+ ],
+ "v": "<=1.5.2,==2.0.0"
+ },
{
"advisory": "Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
"cve": "CVE-2022-43718",
@@ -9298,17 +9418,6 @@
],
"v": "<=1.5.2,==2.0.0"
},
- {
- "advisory": "Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
- "cve": "CVE-2022-43717",
- "id": "pyup.io-54616",
- "more_info_path": "/vulnerabilities/CVE-2022-43717/54616",
- "specs": [
- "<=1.5.2",
- "==2.0.0"
- ],
- "v": "<=1.5.2,==2.0.0"
- },
{
"advisory": "An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1",
"cve": "CVE-2023-27525",
@@ -9339,16 +9448,6 @@
],
"v": "<=2.0.1"
},
- {
- "advisory": "Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like\u00a0sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.",
- "cve": "CVE-2023-39265",
- "id": "pyup.io-65000",
- "more_info_path": "/vulnerabilities/CVE-2023-39265/65000",
- "specs": [
- "<=2.1.0"
- ],
- "v": "<=2.1.0"
- },
{
"advisory": "Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.",
"cve": "CVE-2023-36388",
@@ -9370,10 +9469,10 @@
"v": "<=2.1.0"
},
{
- "advisory": "A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.",
- "cve": "CVE-2023-27526",
- "id": "pyup.io-62904",
- "more_info_path": "/vulnerabilities/CVE-2023-27526/62904",
+ "advisory": "Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like\u00a0sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.",
+ "cve": "CVE-2023-39265",
+ "id": "pyup.io-65000",
+ "more_info_path": "/vulnerabilities/CVE-2023-39265/65000",
"specs": [
"<=2.1.0"
],
@@ -9389,6 +9488,16 @@
],
"v": "<=2.1.0"
},
+ {
+ "advisory": "A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.",
+ "cve": "CVE-2023-27526",
+ "id": "pyup.io-62904",
+ "more_info_path": "/vulnerabilities/CVE-2023-27526/62904",
+ "specs": [
+ "<=2.1.0"
+ ],
+ "v": "<=2.1.0"
+ },
{
"advisory": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.",
"cve": "CVE-2023-39264",
@@ -9420,10 +9529,10 @@
"v": ">=0,<0.32.0"
},
{
- "advisory": "Apache Superset versions before 0.34.0 are susceptible to a Cross-site Scripting (XSS) vulnerability that involves an issue through FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79",
- "cve": "PVE-2024-99800",
- "id": "pyup.io-66015",
- "more_info_path": "/vulnerabilities/PVE-2024-99800/66015",
+ "advisory": "Cross-site Scripting (XSS) vulnerabilities have been detected in versions of apache-superset before 0.34.0, specifically through its Markup viz feature. XSS attacks manipulate a web application to execute malicious scripts on a client's browser, performing actions usually blocked by browser security, such as hijacking user sessions or exposing sensitive information. These attacks exploit the application\u2019s failure to sufficiently sanitize, validate, or escape user input, particularly special characters in dynamic content. Different XSS attacks include Stored, Reflected, DOM-based, and Mutated types, each with unique methods of injecting harmful code. To mitigate XSS risks, implementations should include sanitizing data inputs, encoding special characters, disabling client-side scripts where possible, redirecting invalid requests, detecting simultaneous logins, enforcing Content Security Policies, and understanding the security implications of third-party library usage.\r\nhttps://github.com/apache/superset/commit/0c5db55d55471c1c61c0750733733c157551b2d8",
+ "cve": "PVE-2024-99797",
+ "id": "pyup.io-66018",
+ "more_info_path": "/vulnerabilities/PVE-2024-99797/66018",
"specs": [
">=0,<0.34.0"
],
@@ -9440,10 +9549,10 @@
"v": ">=0,<0.34.0"
},
{
- "advisory": "Cross-site Scripting (XSS) vulnerabilities have been detected in versions of apache-superset before 0.34.0, specifically through its Markup viz feature. XSS attacks manipulate a web application to execute malicious scripts on a client's browser, performing actions usually blocked by browser security, such as hijacking user sessions or exposing sensitive information. These attacks exploit the application\u2019s failure to sufficiently sanitize, validate, or escape user input, particularly special characters in dynamic content. Different XSS attacks include Stored, Reflected, DOM-based, and Mutated types, each with unique methods of injecting harmful code. To mitigate XSS risks, implementations should include sanitizing data inputs, encoding special characters, disabling client-side scripts where possible, redirecting invalid requests, detecting simultaneous logins, enforcing Content Security Policies, and understanding the security implications of third-party library usage.\r\nhttps://github.com/apache/superset/commit/0c5db55d55471c1c61c0750733733c157551b2d8",
- "cve": "PVE-2024-99797",
- "id": "pyup.io-66018",
- "more_info_path": "/vulnerabilities/PVE-2024-99797/66018",
+ "advisory": "Apache Superset versions before 0.34.0 are susceptible to a Cross-site Scripting (XSS) vulnerability that involves an issue through FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79",
+ "cve": "PVE-2024-99800",
+ "id": "pyup.io-66015",
+ "more_info_path": "/vulnerabilities/PVE-2024-99800/66015",
"specs": [
">=0,<0.34.0"
],
@@ -9510,20 +9619,20 @@
"v": ">=0,<1.3.1"
},
{
- "advisory": "Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.",
- "cve": "CVE-2021-42250",
- "id": "pyup.io-54375",
- "more_info_path": "/vulnerabilities/CVE-2021-42250/54375",
+ "advisory": "Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.",
+ "cve": "CVE-2021-41972",
+ "id": "pyup.io-54371",
+ "more_info_path": "/vulnerabilities/CVE-2021-41972/54371",
"specs": [
">=0,<1.3.2"
],
"v": ">=0,<1.3.2"
},
{
- "advisory": "Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.",
- "cve": "CVE-2021-41972",
- "id": "pyup.io-54371",
- "more_info_path": "/vulnerabilities/CVE-2021-41972/54371",
+ "advisory": "Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.",
+ "cve": "CVE-2021-42250",
+ "id": "pyup.io-54375",
+ "more_info_path": "/vulnerabilities/CVE-2021-42250/54375",
"specs": [
">=0,<1.3.2"
],
@@ -9560,10 +9669,10 @@
"v": ">=0,<1.5.1"
},
{
- "advisory": "Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.\u00a0\u00a0\r\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.",
- "cve": "CVE-2023-46104",
- "id": "pyup.io-65186",
- "more_info_path": "/vulnerabilities/CVE-2023-46104/65186",
+ "advisory": "An authenticated Gamma user can create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.",
+ "cve": "CVE-2023-49734",
+ "id": "pyup.io-65195",
+ "more_info_path": "/vulnerabilities/CVE-2023-49734/65195",
"specs": [
">=0,<2.1.3",
">=3.0.0,<3.0.2"
@@ -9571,10 +9680,10 @@
"v": ">=0,<2.1.3,>=3.0.0,<3.0.2"
},
{
- "advisory": "An authenticated Gamma user can create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.",
- "cve": "CVE-2023-49734",
- "id": "pyup.io-65195",
- "more_info_path": "/vulnerabilities/CVE-2023-49734/65195",
+ "advisory": "Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.\u00a0\u00a0\r\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.",
+ "cve": "CVE-2023-46104",
+ "id": "pyup.io-65186",
+ "more_info_path": "/vulnerabilities/CVE-2023-46104/65186",
"specs": [
">=0,<2.1.3",
">=3.0.0,<3.0.2"
@@ -9592,6 +9701,61 @@
],
"v": ">=0,<2.1.3,>=3.0.0,<3.0.2"
},
+ {
+ "advisory": "A vulnerability in various versions of Apache Superset allows authenticated users with alert creation privileges to execute a specially crafted SQL statement, leading to a database error. This error, improperly handled, could expose sensitive information in the alert's error log. Users are advised to upgrade their systems to mitigate this issue.",
+ "cve": "CVE-2023-29134",
+ "id": "pyup.io-68480",
+ "more_info_path": "/vulnerabilities/CVE-2023-29134/68480",
+ "specs": [
+ ">=0,<3.0.4",
+ ">=3.1.0,<3.1.1"
+ ],
+ "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
+ },
+ {
+ "advisory": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
+ "cve": "CVE-2024-22299",
+ "id": "pyup.io-68490",
+ "more_info_path": "/vulnerabilities/CVE-2024-22299/68490",
+ "specs": [
+ ">=0,<3.0.4",
+ ">=3.1.0,<3.1.1"
+ ],
+ "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
+ },
+ {
+ "advisory": "Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.",
+ "cve": "CVE-2024-30178",
+ "id": "pyup.io-68494",
+ "more_info_path": "/vulnerabilities/CVE-2024-30178/68494",
+ "specs": [
+ ">=0,<3.0.4",
+ ">=3.1.0,<3.1.1"
+ ],
+ "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
+ },
+ {
+ "advisory": "Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
+ "cve": "CVE-2024-22149",
+ "id": "pyup.io-68495",
+ "more_info_path": "/vulnerabilities/CVE-2024-22149/68495",
+ "specs": [
+ ">=0,<3.0.4",
+ ">=3.1.0,<3.1.1"
+ ],
+ "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
+ },
+ {
+ "advisory": "A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.",
+ "cve": "CVE-2023-45935",
+ "id": "pyup.io-68496",
+ "more_info_path": "/vulnerabilities/CVE-2023-45935/68496",
+ "specs": [
+ ">=0,<3.0.4",
+ ">=3.1.0,<3.1.1"
+ ],
+ "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
+ },
{
"advisory": "An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.",
"cve": "CVE-2023-32672",
@@ -9962,6 +10126,18 @@
"v": "<0.5.1"
}
],
+ "aptdaemon": [
+ {
+ "advisory": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.",
+ "cve": "CVE-2020-15703",
+ "id": "pyup.io-70576",
+ "more_info_path": "/vulnerabilities/CVE-2020-15703/70576",
+ "specs": [
+ "<=1.1.1"
+ ],
+ "v": "<=1.1.1"
+ }
+ ],
"aqtinstall": [
{
"advisory": "Aqtinstall 2.1.0 uses SHA-256 checksums from trusted mirrors only.\r\nhttps://github.com/miurahr/aqtinstall/pull/493",
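Review bot: The new `aptdaemon` entry sets `specs` to `<=1.1.1`, but its advisory text names no affected or fixed version, so the range cannot be checked against the record itself. Other entries in this file carry the fix version in the advisory (for example the Airflow records that say "upgrading to version 2.8.2") or a reference link; adding the source of the `<=1.1.1` bound to the advisory text would make this record reviewable. Note also that `<=` is inclusive, so 1.1.1 itself is reported as vulnerable, which is worth confirming against the upstream fix rather than assuming `<1.1.1` was intended.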
@@ -9984,20 +10160,20 @@
"v": "<2.1.0rc2"
},
{
- "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "CVE-2013-1664",
- "id": "pyup.io-47852",
- "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "PVE-2022-47013",
+ "id": "pyup.io-47013",
+ "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
"specs": [
"<2.1.0rc2"
],
"v": "<2.1.0rc2"
},
{
- "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "PVE-2022-47013",
- "id": "pyup.io-47013",
- "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "CVE-2013-1664",
+ "id": "pyup.io-47852",
+ "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
"specs": [
"<2.1.0rc2"
],
@@ -10145,9 +10321,9 @@
},
{
"advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2018-11694",
- "id": "pyup.io-52815",
- "more_info_path": "/vulnerabilities/CVE-2018-11694/52815",
+ "cve": "CVE-2019-18797",
+ "id": "pyup.io-52811",
+ "more_info_path": "/vulnerabilities/CVE-2019-18797/52811",
"specs": [
"<0.13.0"
],
@@ -10155,9 +10331,9 @@
},
{
"advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2019-18797",
- "id": "pyup.io-52811",
- "more_info_path": "/vulnerabilities/CVE-2019-18797/52811",
+ "cve": "CVE-2018-11694",
+ "id": "pyup.io-52815",
+ "more_info_path": "/vulnerabilities/CVE-2018-11694/52815",
"specs": [
"<0.13.0"
],
@@ -10409,9 +10585,9 @@
},
{
"advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868",
- "cve": "CVE-2023-28840",
- "id": "pyup.io-54979",
- "more_info_path": "/vulnerabilities/CVE-2023-28840/54979",
+ "cve": "CVE-2023-28841",
+ "id": "pyup.io-54995",
+ "more_info_path": "/vulnerabilities/CVE-2023-28841/54995",
"specs": [
"<6.4.7"
],
@@ -10419,9 +10595,9 @@
},
{
"advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868",
- "cve": "CVE-2023-28841",
- "id": "pyup.io-54995",
- "more_info_path": "/vulnerabilities/CVE-2023-28841/54995",
+ "cve": "CVE-2023-28840",
+ "id": "pyup.io-54979",
+ "more_info_path": "/vulnerabilities/CVE-2023-28840/54979",
"specs": [
"<6.4.7"
],
@@ -10450,14 +10626,14 @@
],
"aries-cloudagent": [
{
- "advisory": "Version 0.12.0rc1 of Aries-cloudagent updates its readthedocs-sphinx-search dependency from 0.1.1 to 1.3.2 for security reasons.\r\nhttps://github.com/hyperledger/aries-cloudagent-python/pull/2712/commits/8d7592de2aacf12cf90f2023d362e665d528361e",
- "cve": "PVE-2024-65513",
- "id": "pyup.io-65513",
- "more_info_path": "/vulnerabilities/PVE-2024-65513/65513",
+ "advisory": "Aries-cloudagent 0.12.0 upgrades its readthedocs-sphinx-search from 0.1.1 to 1.3.2 in response to GHSA-xgfm-fjx6-62mj: This vulnerability could have let attackers insert arbitrary HTML into search results via a crafted search query, due to inadequate escaping of user content.",
+ "cve": "PVE-2024-67615",
+ "id": "pyup.io-67615",
+ "more_info_path": "/vulnerabilities/PVE-2024-67615/67615",
"specs": [
- "<0.12.0rc1"
+ "<0.12.0"
],
- "v": "<0.12.0rc1"
+ "v": "<0.12.0"
},
{
"advisory": "Aries-cloudagent is affected by a Insufficient Verification of Data Authenticity vulnerability. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation 'document.proof' was not factored into the final 'verified' value ('true'/'false') on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.\r\nhttps://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm",
@@ -10608,6 +10784,28 @@
"v": "<0.3"
}
],
+ "askbot": [
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Askbot before 0.7.49 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) tag or (2) user search forms.",
+ "cve": "CVE-2014-2236",
+ "id": "pyup.io-70425",
+ "more_info_path": "/vulnerabilities/CVE-2014-2236/70425",
+ "specs": [
+ "<0.7.49"
+ ],
+ "v": "<0.7.49"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in Askbot before 0.7.49 allows remote attackers to inject arbitrary web script or HTML via vectors related to the question search form.",
+ "cve": "CVE-2014-2235",
+ "id": "pyup.io-70426",
+ "more_info_path": "/vulnerabilities/CVE-2014-2235/70426",
+ "specs": [
+ "<0.7.49"
+ ],
+ "v": "<0.7.49"
+ }
+ ],
"aspeak": [
{
"advisory": "Aspeak 6.0.0 updates its dependency 'openssl' to version '0.10.55' to include a security fix.\r\nhttps://github.com/kxxt/aspeak/pull/76\r\nhttps://github.com/kxxt/aspeak/commit/17cbe32ed4c17bc57683688390691686946a4cbc\r\nhttps://github.com/advisories/GHSA-xcf7-rvmh-g6q4",
@@ -10697,11 +10895,21 @@
}
],
"astropy": [
+ {
+ "advisory": "Astropy 3.0.1 updates cfitsio to v3.43: NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.",
+ "cve": "CVE-2019-1010060",
+ "id": "pyup.io-70530",
+ "more_info_path": "/vulnerabilities/CVE-2019-1010060/70530",
+ "specs": [
+ "<3.0.1"
+ ],
+ "v": "<3.0.1"
+ },
{
"advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3849",
- "id": "pyup.io-48548",
- "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
+ "cve": "CVE-2018-3847",
+ "id": "pyup.io-48549",
+ "more_info_path": "/vulnerabilities/CVE-2018-3847/48549",
"specs": [
"<3.0.1"
],
@@ -10709,9 +10917,9 @@
},
{
"advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3846",
- "id": "pyup.io-48550",
- "more_info_path": "/vulnerabilities/CVE-2018-3846/48550",
+ "cve": "CVE-2018-3849",
+ "id": "pyup.io-48548",
+ "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
"specs": [
"<3.0.1"
],
@@ -10719,9 +10927,9 @@
},
{
"advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3847",
- "id": "pyup.io-48549",
- "more_info_path": "/vulnerabilities/CVE-2018-3847/48549",
+ "cve": "CVE-2018-3846",
+ "id": "pyup.io-48550",
+ "more_info_path": "/vulnerabilities/CVE-2018-3846/48550",
"specs": [
"<3.0.1"
],
@@ -11481,9 +11689,9 @@
},
{
"advisory": "Autogluon 0.5.3 updates its dependency 'transformers' requirement to \">=4.23.0,<4.24.0\" to include security fixes.",
- "cve": "PVE-2022-51450",
- "id": "pyup.io-51940",
- "more_info_path": "/vulnerabilities/PVE-2022-51450/51940",
+ "cve": "CVE-2022-1941",
+ "id": "pyup.io-51994",
+ "more_info_path": "/vulnerabilities/CVE-2022-1941/51994",
"specs": [
"<0.5.3"
],
@@ -11491,9 +11699,9 @@
},
{
"advisory": "Autogluon 0.5.3 updates its dependency 'transformers' requirement to \">=4.23.0,<4.24.0\" to include security fixes.",
- "cve": "CVE-2022-1941",
- "id": "pyup.io-51994",
- "more_info_path": "/vulnerabilities/CVE-2022-1941/51994",
+ "cve": "PVE-2022-51450",
+ "id": "pyup.io-51940",
+ "more_info_path": "/vulnerabilities/PVE-2022-51450/51940",
"specs": [
"<0.5.3"
],
@@ -11541,9 +11749,9 @@
},
{
"advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "PVE-2021-42426",
- "id": "pyup.io-48620",
- "more_info_path": "/vulnerabilities/PVE-2021-42426/48620",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-48621",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/48621",
"specs": [
">=0.4.0,<0.4.1"
],
@@ -11551,9 +11759,9 @@
},
{
"advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-45105",
- "id": "pyup.io-48623",
- "more_info_path": "/vulnerabilities/CVE-2021-45105/48623",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-48622",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/48622",
"specs": [
">=0.4.0,<0.4.1"
],
@@ -11571,9 +11779,9 @@
},
{
"advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-48622",
- "more_info_path": "/vulnerabilities/CVE-2021-45046/48622",
+ "cve": "PVE-2021-42426",
+ "id": "pyup.io-48620",
+ "more_info_path": "/vulnerabilities/PVE-2021-42426/48620",
"specs": [
">=0.4.0,<0.4.1"
],
@@ -11581,9 +11789,9 @@
},
{
"advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.",
- "cve": "CVE-2021-44228",
- "id": "pyup.io-48621",
- "more_info_path": "/vulnerabilities/CVE-2021-44228/48621",
+ "cve": "CVE-2021-45105",
+ "id": "pyup.io-48623",
+ "more_info_path": "/vulnerabilities/CVE-2021-45105/48623",
"specs": [
">=0.4.0,<0.4.1"
],
@@ -11638,6 +11846,18 @@
"v": ">=0.4.0,<0.4.3,>=0.5.0,<0.5.2"
}
],
+ "automationhat": [
+ {
+ "advisory": "Automationhat version 0.2.0 improves thread safety by making ads1015.read() function thread-safe, particularly when \"auto_lights\" is activated. Previously, asynchronous reads from the \"update_lights\" thread interfered with main thread ADC reads, leading to random erroneous readings.",
+ "cve": "PVE-2024-70556",
+ "id": "pyup.io-70556",
+ "more_info_path": "/vulnerabilities/PVE-2024-70556/70556",
+ "specs": [
+ "<0.2.0"
+ ],
+ "v": "<0.2.0"
+ }
+ ],
"automatoes": [
{
"advisory": "Automatoes 0.9.7 updates its dependency 'cryptography' to v3.4.4 to include a security fix.",
@@ -12308,20 +12528,20 @@
"v": "<1.5.18"
},
{
- "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40829: Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS.",
- "cve": "CVE-2021-40829",
- "id": "pyup.io-42781",
- "more_info_path": "/vulnerabilities/CVE-2021-40829/42781",
+ "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40830: The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system\u2019s default trust-store. Attackers with access to a host\u2019s trust stores or able to compromise a certificate authority already in the host's trust-store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust-store to correct this issue.\r\nhttps://github.com/aws/aws-iot-device-sdk-python-v2",
+ "cve": "CVE-2021-40830",
+ "id": "pyup.io-42782",
+ "more_info_path": "/vulnerabilities/CVE-2021-40830/42782",
"specs": [
"<1.6.1"
],
"v": "<1.6.1"
},
{
- "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40830: The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system\u2019s default trust-store. Attackers with access to a host\u2019s trust stores or able to compromise a certificate authority already in the host's trust-store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust-store to correct this issue.\r\nhttps://github.com/aws/aws-iot-device-sdk-python-v2",
- "cve": "CVE-2021-40830",
- "id": "pyup.io-42782",
- "more_info_path": "/vulnerabilities/CVE-2021-40830/42782",
+ "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40829: Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS.",
+ "cve": "CVE-2021-40829",
+ "id": "pyup.io-42781",
+ "more_info_path": "/vulnerabilities/CVE-2021-40829/42781",
"specs": [
"<1.6.1"
],
@@ -12422,6 +12642,18 @@
"v": "<1.0.11184"
}
],
+ "azure-smtp-relay": [
+ {
+ "advisory": "Azure-smtp-relay version 1.0.6 has updated its aiosmtpd dependency to version 1.4.5 to address the security vulnerability identified in CVE-2024-27305.",
+ "cve": "CVE-2024-27305",
+ "id": "pyup.io-68073",
+ "more_info_path": "/vulnerabilities/CVE-2024-27305/68073",
+ "specs": [
+ "<1.0.6"
+ ],
+ "v": "<1.0.6"
+ }
+ ],
"azureml-contrib-jupyterrun": [
{
"advisory": "Azureml-contrib-jupyterrun is a malicious package, typosquatting. It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick",
@@ -12835,20 +13067,20 @@
"v": "<0.4.1"
},
{
- "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27318.",
+ "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27319.",
"cve": "CVE-2024-27318",
- "id": "pyup.io-66978",
- "more_info_path": "/vulnerabilities/CVE-2024-27318/66978",
+ "id": "pyup.io-66984",
+ "more_info_path": "/vulnerabilities/CVE-2024-27318/66984",
"specs": [
"<0.8.2"
],
"v": "<0.8.2"
},
{
- "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27319.",
+ "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27318.",
"cve": "CVE-2024-27318",
- "id": "pyup.io-66984",
- "more_info_path": "/vulnerabilities/CVE-2024-27318/66984",
+ "id": "pyup.io-66978",
+ "more_info_path": "/vulnerabilities/CVE-2024-27318/66978",
"specs": [
"<0.8.2"
],
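Review bot: The record with `"id": "pyup.io-66984"` now carries an advisory text that names CVE-2024-27319 while its `"cve"` and `"more_info_path"` values still say CVE-2024-27318, and the record that follows it (`pyup.io-66978`) has the same `"cve"` value, so this package ends up with two entries keyed to one CVE and the prose of one of them disagrees with its identifier. If the first record is meant to cover CVE-2024-27319, its identifier fields should follow, e.g. `"cve": "CVE-2024-27319"` and `"more_info_path": "/vulnerabilities/CVE-2024-27319/66984"` (constructed from the path pattern used throughout the file); if it really is CVE-2024-27318, the advisory sentence is what needs correcting. Since the file appears to be an export of upstream advisory data, the correction presumably belongs in that source rather than in this diff alone, otherwise the next regeneration will reintroduce the mismatch.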
@@ -12995,6 +13227,46 @@
],
"v": "<1.6.4"
},
+ {
+ "advisory": "The search bar code in bkr/server/widgets.py in Beaker before 20.1 does not escape tags in string literals when producing JSON.",
+ "cve": "CVE-2015-3161",
+ "id": "pyup.io-70479",
+ "more_info_path": "/vulnerabilities/CVE-2015-3161/70479",
+ "specs": [
+ "<20.1"
+ ],
+ "v": "<20.1"
+ },
+ {
+ "advisory": "The admin pages for power types and key types in Beaker before 20.1 do not have any access controls, which allows remote authenticated users to modify power types and key types via navigating to $BEAKER/powertypes and $BEAKER/keytypes respectively.",
+ "cve": "CVE-2015-3163",
+ "id": "pyup.io-70477",
+ "more_info_path": "/vulnerabilities/CVE-2015-3163/70477",
+ "specs": [
+ "<20.1"
+ ],
+ "v": "<20.1"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the edit comment dialog in bkr/server/widgets.py in Beaker 20.1 allows remote authenticated users to inject arbitrary web script or HTML via writing a crafted comment on an acked or nacked canceled job.",
+ "cve": "CVE-2015-3162",
+ "id": "pyup.io-70478",
+ "more_info_path": "/vulnerabilities/CVE-2015-3162/70478",
+ "specs": [
+ "<20.1"
+ ],
+ "v": "<20.1"
+ },
+ {
+ "advisory": "XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system.",
+ "cve": "CVE-2015-3160",
+ "id": "pyup.io-70480",
+ "more_info_path": "/vulnerabilities/CVE-2015-3160/70480",
+ "specs": [
+ "<20.1"
+ ],
+ "v": "<20.1"
+ },
{
"advisory": "The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.",
"cve": "CVE-2013-7489",
@@ -13006,6 +13278,18 @@
"v": "<=1.11.0"
}
],
+ "beancount-import": [
+ {
+ "advisory": "Beancount-import version 1.4.0 has upgraded `@babel/traverse` from 7.13.0 to 7.23.3 in the frontend to address the security issue detailed in CVE-2023-45133.",
+ "cve": "CVE-2023-45133",
+ "id": "pyup.io-68055",
+ "more_info_path": "/vulnerabilities/CVE-2023-45133/68055",
+ "specs": [
+ "<1.4.0"
+ ],
+ "v": "<1.4.0"
+ }
+ ],
"beautifulsup4": [
{
"advisory": "Beautifulsup4 is a malicious package. It injects obfuscated JS code that replaces crypto addresses in developer clipboards.",
@@ -13528,7 +13812,7 @@
],
"binwalk": [
{
- "advisory": "A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the attack remotely. Upgrading to version 2.3.3 is able to address this issue. The name of the patch is fa0c0bd59b8588814756942fe4cb5452e76c1dcd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216876.",
+ "advisory": "A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the attack remotely. Upgrading to version 2.3.3 can address this issue. The name of the patch is fa0c0bd59b8588814756942fe4cb5452e76c1dcd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216876.",
"cve": "CVE-2021-4287",
"id": "pyup.io-54630",
"more_info_path": "/vulnerabilities/CVE-2021-4287/54630",
@@ -13609,6 +13893,16 @@
}
],
"bitlyshortener": [
+ {
+ "advisory": "A recent update has significantly reduced the quota for free token-generated links in a specific service, dropping from 1000 to 50 links per month. This reduction severely limits the utility of the service for users who rely on the free token. Consequently, maintenance for the associated package is being discontinued, even though the package will still function with the new restricted quota.",
+ "cve": "PVE-2024-69617",
+ "id": "pyup.io-69617",
+ "more_info_path": "/vulnerabilities/PVE-2024-69617/69617",
+ "specs": [
+ "<0.7.0"
+ ],
+ "v": "<0.7.0"
+ },
{
"advisory": "Due to a sudden upstream breaking change by Bitly, versions of 'bitlyshortener' <0.5.0 can generate an invalid short URL when a vanity domain exists.",
"cve": "PVE-2023-55202",
@@ -13653,9 +13947,9 @@
},
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0216",
- "id": "pyup.io-59613",
- "more_info_path": "/vulnerabilities/CVE-2023-0216/59613",
+ "cve": "CVE-2023-0217",
+ "id": "pyup.io-59609",
+ "more_info_path": "/vulnerabilities/CVE-2023-0217/59609",
"specs": [
"<5.3.1"
],
@@ -13663,9 +13957,19 @@
},
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-3996",
- "id": "pyup.io-59617",
- "more_info_path": "/vulnerabilities/CVE-2022-3996/59617",
+ "cve": "CVE-2022-4450",
+ "id": "pyup.io-59615",
+ "more_info_path": "/vulnerabilities/CVE-2022-4450/59615",
+ "specs": [
+ "<5.3.1"
+ ],
+ "v": "<5.3.1"
+ },
+ {
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix an Expected Behavior Violation vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-23931",
+ "id": "pyup.io-59616",
+ "more_info_path": "/vulnerabilities/CVE-2023-23931/59616",
"specs": [
"<5.3.1"
],
@@ -13673,9 +13977,9 @@
},
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4450",
- "id": "pyup.io-59615",
- "more_info_path": "/vulnerabilities/CVE-2022-4450/59615",
+ "cve": "CVE-2022-3996",
+ "id": "pyup.io-59617",
+ "more_info_path": "/vulnerabilities/CVE-2022-3996/59617",
"specs": [
"<5.3.1"
],
@@ -13683,9 +13987,9 @@
},
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0401",
- "id": "pyup.io-59608",
- "more_info_path": "/vulnerabilities/CVE-2023-0401/59608",
+ "cve": "CVE-2023-0216",
+ "id": "pyup.io-59613",
+ "more_info_path": "/vulnerabilities/CVE-2023-0216/59613",
"specs": [
"<5.3.1"
],
@@ -13693,19 +13997,19 @@
},
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0217",
- "id": "pyup.io-59609",
- "more_info_path": "/vulnerabilities/CVE-2023-0217/59609",
+ "cve": "CVE-2022-4203",
+ "id": "pyup.io-59614",
+ "more_info_path": "/vulnerabilities/CVE-2022-4203/59614",
"specs": [
"<5.3.1"
],
"v": "<5.3.1"
},
{
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix an Expected Behavior Violation vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-23931",
- "id": "pyup.io-59616",
- "more_info_path": "/vulnerabilities/CVE-2023-23931/59616",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0401",
+ "id": "pyup.io-59608",
+ "more_info_path": "/vulnerabilities/CVE-2023-0401/59608",
"specs": [
"<5.3.1"
],
@@ -13731,16 +14035,6 @@
],
"v": "<5.3.1"
},
- {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4203",
- "id": "pyup.io-59614",
- "more_info_path": "/vulnerabilities/CVE-2022-4203/59614",
- "specs": [
- "<5.3.1"
- ],
- "v": "<5.3.1"
- },
{
"advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
"cve": "CVE-2023-0215",
@@ -13839,6 +14133,16 @@
}
],
"blackboardsync": [
+ {
+ "advisory": "Blackboardsync 0.11.1rc.1 sets the pyqt5-qt5 version in the Pipfile and updates PyQt5 due to a security release addressing a recent cURL vulnerability. This update, specific to macOS, resolves an issue where the Pipfile.lock was not valid on other platforms, ensuring compatibility across different operating systems. The PyQt5 version is also updated in the pyproject.toml to maintain security and functionality.",
+ "cve": "PVE-2024-67002",
+ "id": "pyup.io-67002",
+ "more_info_path": "/vulnerabilities/PVE-2024-67002/67002",
+ "specs": [
+ "<0.11.1rc.1"
+ ],
+ "v": "<0.11.1rc.1"
+ },
{
"advisory": "Blackboardsync 0.9.8 updates its dependency 'certifi' from 2023.5.7 to 2023.7.22 to include a security fix.",
"cve": "CVE-2023-37920",
@@ -14267,9 +14571,9 @@
},
{
"advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.",
- "cve": "CVE-2021-41184",
- "id": "pyup.io-42815",
- "more_info_path": "/vulnerabilities/CVE-2021-41184/42815",
+ "cve": "CVE-2021-41182",
+ "id": "pyup.io-42772",
+ "more_info_path": "/vulnerabilities/CVE-2021-41182/42772",
"specs": [
"<2.4.2"
],
@@ -14287,9 +14591,9 @@
},
{
"advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.",
- "cve": "CVE-2021-41182",
- "id": "pyup.io-42772",
- "more_info_path": "/vulnerabilities/CVE-2021-41182/42772",
+ "cve": "CVE-2021-41184",
+ "id": "pyup.io-42815",
+ "more_info_path": "/vulnerabilities/CVE-2021-41184/42815",
"specs": [
"<2.4.2"
],
@@ -14372,10 +14676,10 @@
],
"borgmatic": [
{
- "advisory": "Borgmatic is vulnerable to shell injection within the PostgreSQL hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
- "cve": "PVE-2024-64386",
- "id": "pyup.io-64386",
- "more_info_path": "/vulnerabilities/PVE-2024-64386/64386",
+ "advisory": "Borgmatic is vulnerable to shell injection within the \"borgmatic borg\" action.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
+ "cve": "PVE-2024-64394",
+ "id": "pyup.io-64394",
+ "more_info_path": "/vulnerabilities/PVE-2024-64394/64394",
"specs": [
"<1.8.7"
],
@@ -14392,10 +14696,10 @@
"v": "<1.8.7"
},
{
- "advisory": "Borgmatic is vulnerable to shell injection within the SQLite hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
- "cve": "PVE-2024-64393",
- "id": "pyup.io-64393",
- "more_info_path": "/vulnerabilities/PVE-2024-64393/64393",
+ "advisory": "Borgmatic is vulnerable to shell injection within the PostgreSQL hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
+ "cve": "PVE-2024-64386",
+ "id": "pyup.io-64386",
+ "more_info_path": "/vulnerabilities/PVE-2024-64386/64386",
"specs": [
"<1.8.7"
],
@@ -14412,10 +14716,10 @@
"v": "<1.8.7"
},
{
- "advisory": "Borgmatic is vulnerable to shell injection within the \"borgmatic borg\" action.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
- "cve": "PVE-2024-64394",
- "id": "pyup.io-64394",
- "more_info_path": "/vulnerabilities/PVE-2024-64394/64394",
+ "advisory": "Borgmatic is vulnerable to shell injection within the SQLite hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2",
+ "cve": "PVE-2024-64393",
+ "id": "pyup.io-64393",
+ "more_info_path": "/vulnerabilities/PVE-2024-64393/64393",
"specs": [
"<1.8.7"
],
@@ -15048,9 +15352,9 @@
},
{
"advisory": "C2cwsgiutils 4.0.0 updates its dependency 'pipenv' to v2020.5.28 to include security fixes.",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-53060",
- "more_info_path": "/vulnerabilities/CVE-2019-11324/53060",
+ "cve": "CVE-2019-11236",
+ "id": "pyup.io-53059",
+ "more_info_path": "/vulnerabilities/CVE-2019-11236/53059",
"specs": [
"<4.0.0"
],
@@ -15058,9 +15362,9 @@
},
{
"advisory": "C2cwsgiutils 4.0.0 updates its dependency 'pipenv' to v2020.5.28 to include security fixes.",
- "cve": "CVE-2019-11236",
- "id": "pyup.io-53059",
- "more_info_path": "/vulnerabilities/CVE-2019-11236/53059",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-53060",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/53060",
"specs": [
"<4.0.0"
],
@@ -15219,6 +15523,16 @@
"<2.4.1"
],
"v": "<2.4.1"
+ },
+ {
+ "advisory": "Calendar-view 2.4.2 has upgraded its Pillow dependency from version 10.2.0 to 10.3.0 to address the security issue identified in CVE-2024-28219.",
+ "cve": "CVE-2024-28219",
+ "id": "pyup.io-67927",
+ "more_info_path": "/vulnerabilities/CVE-2024-28219/67927",
+ "specs": [
+ "<2.4.2"
+ ],
+ "v": "<2.4.2"
}
],
"calibreweb": [
@@ -15459,6 +15773,18 @@
"v": "<0.24.1"
}
],
+ "canada-holiday": [
+ {
+ "advisory": "Canada-holiday 1.1.4 upgrades its black dependency to version 24.3.0, addressing the ReDoS vulnerability identified in CVE-2024-21503.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-67444",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/67444",
+ "specs": [
+ "<1.1.4"
+ ],
+ "v": "<1.1.4"
+ }
+ ],
"cancat": [
{
"advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.",
@@ -15553,6 +15879,18 @@
"v": "<1.4.0"
}
],
+ "canto-curses": [
+ {
+ "advisory": "canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.",
+ "cve": "CVE-2013-7416",
+ "id": "pyup.io-67960",
+ "more_info_path": "/vulnerabilities/CVE-2013-7416/67960",
+ "specs": [
+ "<0.9.0"
+ ],
+ "v": "<0.9.0"
+ }
+ ],
"canvaslms": [
{
"advisory": "Canvaslms 2.18 updates its dependency 'pygments' to version '2.15.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/dbosk/canvaslms/pull/100",
@@ -15631,6 +15969,18 @@
"v": ">0"
}
],
+ "capycli": [
+ {
+ "advisory": "Capycli 2.4.0 updates its dependency 'idna' to v3.7 to include a security fix.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-68074",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/68074",
+ "specs": [
+ "<2.4.0"
+ ],
+ "v": "<2.4.0"
+ }
+ ],
"carla": [
{
"advisory": "Carla 0.9.11 includes a fix for a potential race condition vulnerability: Sorts vehicles by ID to avoid race condition in Traffic Manager.\r\nhttps://github.com/carla-simulator/carla/pull/3438",
@@ -15781,6 +16131,26 @@
}
],
"cassandra-medusa": [
+ {
+ "advisory": "Cassandra-medusa version 0.20.0 upgrades its Pycryptodome dependency to 3.19.1 from the previous version 3.19.0, aiming to address the security concerns outlined in CVE-2023-52323.",
+ "cve": "CVE-2023-52323",
+ "id": "pyup.io-67422",
+ "more_info_path": "/vulnerabilities/CVE-2023-52323/67422",
+ "specs": [
+ "<0.20.0"
+ ],
+ "v": "<0.20.0"
+ },
+ {
+ "advisory": "Cassandra-medusa version 0.20.0 has upgraded its Cryptography dependency to version 42.0.2 from 35.0, in response to CVE-2023-6129.",
+ "cve": "CVE-2023-6129",
+ "id": "pyup.io-67139",
+ "more_info_path": "/vulnerabilities/CVE-2023-6129/67139",
+ "specs": [
+ "<0.20.0"
+ ],
+ "v": "<0.20.0"
+ },
{
"advisory": "Cassandra-medusa 0.9.1 fixes MinIO support that had unsecured access.\r\nhttps://github.com/thelastpickle/cassandra-medusa/commit/2edb8afd9e0961fb3cf390322c0f59066967de84",
"cve": "PVE-2021-42517",
@@ -15825,16 +16195,6 @@
],
"v": "<0.26"
},
- {
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'semver' to version '5.7.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/d0183bfcf67525a3ad9f4427e23f1472ad9f588c",
- "cve": "CVE-2022-25883",
- "id": "pyup.io-60757",
- "more_info_path": "/vulnerabilities/CVE-2022-25883/60757",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
{
"advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925",
"cve": "CVE-2021-37713",
@@ -15876,20 +16236,30 @@
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e",
- "cve": "CVE-2023-34455",
- "id": "pyup.io-60767",
- "more_info_path": "/vulnerabilities/CVE-2023-34455/60767",
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimist' to version '1.2.8' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/catboost/catboost/commit/63b0cd67faf62ba3fcd7281044dad144f8b6ff4d",
+ "cve": "CVE-2021-44906",
+ "id": "pyup.io-60755",
+ "more_info_path": "/vulnerabilities/CVE-2021-44906/60755",
"specs": [
"<1.2.1"
],
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795",
- "cve": "CVE-2022-42003",
- "id": "pyup.io-60769",
- "more_info_path": "/vulnerabilities/CVE-2022-42003/60769",
+ "advisory": "Catboost 1.2.1 updates its dependency 'nanoid' to version '3.3.6' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/9381a56a05fc7f2b8cecc323c5b26aa60d3703f0",
+ "cve": "CVE-2021-23566",
+ "id": "pyup.io-60761",
+ "more_info_path": "/vulnerabilities/CVE-2021-23566/60761",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimatch' to version '3.1.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/3b9820e0bfb7b9e34dbaf0403e95e0dcdc9d9ba3",
+ "cve": "CVE-2022-3517",
+ "id": "pyup.io-60744",
+ "more_info_path": "/vulnerabilities/CVE-2022-3517/60744",
"specs": [
"<1.2.1"
],
@@ -15906,30 +16276,70 @@
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimatch' to version '3.1.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/3b9820e0bfb7b9e34dbaf0403e95e0dcdc9d9ba3",
- "cve": "CVE-2022-3517",
- "id": "pyup.io-60744",
- "more_info_path": "/vulnerabilities/CVE-2022-3517/60744",
+ "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795",
+ "cve": "CVE-2022-42003",
+ "id": "pyup.io-60769",
+ "more_info_path": "/vulnerabilities/CVE-2022-42003/60769",
"specs": [
"<1.2.1"
],
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'webpack' to version '5.76.0' to include a fix for a Sandbox Bypass vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e132d847a527827023eb67165e11f1b05a19564f",
- "cve": "CVE-2023-28154",
- "id": "pyup.io-60751",
- "more_info_path": "/vulnerabilities/CVE-2023-28154/60751",
+ "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e",
+ "cve": "CVE-2023-34455",
+ "id": "pyup.io-60767",
+ "more_info_path": "/vulnerabilities/CVE-2023-34455/60767",
"specs": [
"<1.2.1"
],
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its dependency 'nanoid' to version '3.3.6' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/9381a56a05fc7f2b8cecc323c5b26aa60d3703f0",
- "cve": "CVE-2021-23566",
- "id": "pyup.io-60761",
- "more_info_path": "/vulnerabilities/CVE-2021-23566/60761",
+ "advisory": "Catboost 1.2.1 updates its dependency 'postcss' to version '8.4.27' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/8143d912bc7364b488ae5a33e2c83e29b988420f",
+ "cve": "CVE-2021-23368",
+ "id": "pyup.io-60760",
+ "more_info_path": "/vulnerabilities/CVE-2021-23368/60760",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Catboost 1.2.1 updates its dependency 'junit:junit' to version '4.13.1' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/95a9dca46d21133005b3d6d66be165384ba77f2d",
+ "cve": "CVE-2020-15250",
+ "id": "pyup.io-60765",
+ "more_info_path": "/vulnerabilities/CVE-2020-15250/60765",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'semver' to version '5.7.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/d0183bfcf67525a3ad9f4427e23f1472ad9f588c",
+ "cve": "CVE-2022-25883",
+ "id": "pyup.io-60757",
+ "more_info_path": "/vulnerabilities/CVE-2022-25883/60757",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795",
+ "cve": "CVE-2022-42004",
+ "id": "pyup.io-60770",
+ "more_info_path": "/vulnerabilities/CVE-2022-42004/60770",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ },
+ {
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'webpack' to version '5.76.0' to include a fix for a Sandbox Bypass vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e132d847a527827023eb67165e11f1b05a19564f",
+ "cve": "CVE-2023-28154",
+ "id": "pyup.io-60751",
+ "more_info_path": "/vulnerabilities/CVE-2023-28154/60751",
"specs": [
"<1.2.1"
],
@@ -15976,20 +16386,10 @@
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimist' to version '1.2.8' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/catboost/catboost/commit/63b0cd67faf62ba3fcd7281044dad144f8b6ff4d",
- "cve": "CVE-2021-44906",
- "id": "pyup.io-60755",
- "more_info_path": "/vulnerabilities/CVE-2021-44906/60755",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
- {
- "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for an Integer Overflow vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e",
- "cve": "CVE-2023-34454",
- "id": "pyup.io-60766",
- "more_info_path": "/vulnerabilities/CVE-2023-34454/60766",
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'tenser' to version '5.19.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/28aa3945fe8664bfbf0dd1d1cd2e04f6aca398b5",
+ "cve": "CVE-2022-25858",
+ "id": "pyup.io-60717",
+ "more_info_path": "/vulnerabilities/CVE-2022-25858/60717",
"specs": [
"<1.2.1"
],
@@ -16006,20 +16406,10 @@
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'tenser' to version '5.19.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/28aa3945fe8664bfbf0dd1d1cd2e04f6aca398b5",
- "cve": "CVE-2022-25858",
- "id": "pyup.io-60717",
- "more_info_path": "/vulnerabilities/CVE-2022-25858/60717",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
- {
- "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795",
- "cve": "CVE-2022-42004",
- "id": "pyup.io-60770",
- "more_info_path": "/vulnerabilities/CVE-2022-42004/60770",
+ "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for an Integer Overflow vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e",
+ "cve": "CVE-2023-34454",
+ "id": "pyup.io-60766",
+ "more_info_path": "/vulnerabilities/CVE-2023-34454/60766",
"specs": [
"<1.2.1"
],
@@ -16056,20 +16446,10 @@
"v": "<1.2.1"
},
{
- "advisory": "Catboost 1.2.1 updates its dependency 'junit:junit' to version '4.13.1' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/95a9dca46d21133005b3d6d66be165384ba77f2d",
- "cve": "CVE-2020-15250",
- "id": "pyup.io-60765",
- "more_info_path": "/vulnerabilities/CVE-2020-15250/60765",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
- {
- "advisory": "Catboost 1.2.1 updates its dependency 'postcss' to version '8.4.27' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/8143d912bc7364b488ae5a33e2c83e29b988420f",
- "cve": "CVE-2021-23368",
- "id": "pyup.io-60760",
- "more_info_path": "/vulnerabilities/CVE-2021-23368/60760",
+ "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925",
+ "cve": "CVE-2021-37701",
+ "id": "pyup.io-60746",
+ "more_info_path": "/vulnerabilities/CVE-2021-37701/60746",
"specs": [
"<1.2.1"
],
@@ -16085,16 +16465,6 @@
],
"v": "<1.2.1"
},
- {
- "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925",
- "cve": "CVE-2021-37701",
- "id": "pyup.io-60746",
- "more_info_path": "/vulnerabilities/CVE-2021-37701/60746",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
{
"advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925",
"cve": "CVE-2021-32804",
@@ -16172,14 +16542,14 @@
"v": "<5.6.0"
},
{
- "advisory": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.",
+ "advisory": "Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.",
"cve": "CVE-2024-26134",
"id": "pyup.io-66703",
"more_info_path": "/vulnerabilities/CVE-2024-26134/66703",
"specs": [
- ">=5.5.1,<5.6.2"
+ ">=5.6.0,<5.6.2"
],
- "v": ">=5.5.1,<5.6.2"
+ "v": ">=5.6.0,<5.6.2"
}
],
"ccf": [
@@ -16323,6 +16693,16 @@
}
],
"ceilometer": [
+ {
+ "advisory": "(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.",
+ "cve": "CVE-2013-6384",
+ "id": "pyup.io-70583",
+ "more_info_path": "/vulnerabilities/CVE-2013-6384/70583",
+ "specs": [
+ "<2013.2.1"
+ ],
+ "v": "<2013.2.1"
+ },
{
"advisory": "A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated.",
"cve": "CVE-2019-3830",
@@ -16854,14 +17234,14 @@
],
"chafa.py": [
{
- "advisory": "Chafa.py serves as a Python wrapper for the Chafa library. The GitHub repository hpjansson/chafa, prior to version 1.12.0, contains a heap-based Buffer Overflow vulnerability. This issue has been addressed in the Chapa.py update, specifically version 1.1.0. https://github.com/GuardKenzie/chafa.py/commit/1bc1dc5daff250c0187c4a309dfc640b790ca310",
+ "advisory": "Chafa.py serves as a Python wrapper for the Chafa library. The GitHub repository hpjansson/chafa, prior to version 1.12.0, contains a heap-based Buffer Overflow vulnerability. This issue has been addressed in the Chapa.py update, specifically version 1.1.0.",
"cve": "CVE-2022-20610",
"id": "pyup.io-63001",
"more_info_path": "/vulnerabilities/CVE-2022-20610/63001",
"specs": [
- "<1.1.2"
+ "<1.1.0"
],
- "v": "<1.1.2"
+ "v": "<1.1.0"
}
],
"chainerrl-visualizer": [
@@ -16896,6 +17276,16 @@
"<0.4.1"
],
"v": "<0.4.1"
+ },
+ {
+ "advisory": "Chainlit 1.0.501 has updated its Starlette dependency to version \"^0.37.2\" from \"<0.33.0\" to address the security issue identified in CVE-2023-29159.",
+ "cve": "CVE-2023-29159",
+ "id": "pyup.io-67535",
+ "more_info_path": "/vulnerabilities/CVE-2023-29159/67535",
+ "specs": [
+ "<1.0.501"
+ ],
+ "v": "<1.0.501"
}
],
"changedetection-io": [
@@ -16911,6 +17301,16 @@
}
],
"changedetection.io": [
+ {
+ "advisory": "Changedetection.io version 0.45.21 includes a security update to fix a server-side template injection vulnerability in Jinja2 that could allow remote command execution, identified as CVE-2024-32651. Additionally, it implements the use of `ImmutableSandboxedEnvironment` for validation to enhance security.",
+ "cve": "CVE-2024-32651",
+ "id": "pyup.io-70483",
+ "more_info_path": "/vulnerabilities/CVE-2024-32651/70483",
+ "specs": [
+ "<0.45.21"
+ ],
+ "v": "<0.45.21"
+ },
{
"advisory": "Changedetection.io 0.45.6 updates its dependency 'flask' to include a security fix.",
"cve": "CVE-2023-30861",
@@ -19855,6 +20255,16 @@
],
"v": "<2.4.0"
},
+ {
+ "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.",
+ "cve": "CVE-2020-8284",
+ "id": "pyup.io-44212",
+ "more_info_path": "/vulnerabilities/CVE-2020-8284/44212",
+ "specs": [
+ "<2.4.0"
+ ],
+ "v": "<2.4.0"
+ },
{
"advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.",
"cve": "CVE-2021-37674",
@@ -19905,16 +20315,6 @@
],
"v": "<2.4.0"
},
- {
- "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.",
- "cve": "CVE-2020-8284",
- "id": "pyup.io-44212",
- "more_info_path": "/vulnerabilities/CVE-2020-8284/44212",
- "specs": [
- "<2.4.0"
- ],
- "v": "<2.4.0"
- },
{
"advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.",
"cve": "CVE-2021-22901",
@@ -20979,9 +21379,9 @@
},
{
"advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.",
- "cve": "CVE-2023-2033",
- "id": "pyup.io-63738",
- "more_info_path": "/vulnerabilities/CVE-2023-2033/63738",
+ "cve": "CVE-2023-2135",
+ "id": "pyup.io-64106",
+ "more_info_path": "/vulnerabilities/CVE-2023-2135/64106",
"specs": [
"<1.8.1rc4"
],
@@ -20999,9 +21399,9 @@
},
{
"advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.",
- "cve": "CVE-2023-2135",
- "id": "pyup.io-64106",
- "more_info_path": "/vulnerabilities/CVE-2023-2135/64106",
+ "cve": "CVE-2023-2134",
+ "id": "pyup.io-64105",
+ "more_info_path": "/vulnerabilities/CVE-2023-2134/64105",
"specs": [
"<1.8.1rc4"
],
@@ -21009,9 +21409,9 @@
},
{
"advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.",
- "cve": "CVE-2023-2134",
- "id": "pyup.io-64105",
- "more_info_path": "/vulnerabilities/CVE-2023-2134/64105",
+ "cve": "CVE-2023-2033",
+ "id": "pyup.io-63738",
+ "more_info_path": "/vulnerabilities/CVE-2023-2033/63738",
"specs": [
"<1.8.1rc4"
],
@@ -21210,6 +21610,16 @@
],
"v": "<7.0.2,>=8.0.0,<8.1.1"
},
+ {
+ "advisory": "OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.",
+ "cve": "CVE-2015-1851",
+ "id": "pyup.io-70457",
+ "more_info_path": "/vulnerabilities/CVE-2015-1851/70457",
+ "specs": [
+ ">2010,<2015.1.1"
+ ],
+ "v": ">2010,<2015.1.1"
+ },
{
"advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
"cve": "CVE-2013-1068",
@@ -21230,6 +21640,48 @@
],
"v": ">=2010,<2014.1.3"
},
+ {
+ "advisory": "The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.",
+ "cve": "CVE-2013-4183",
+ "id": "pyup.io-68017",
+ "more_info_path": "/vulnerabilities/CVE-2013-4183/68017",
+ "specs": [
+ ">=2012,<2013.1.3"
+ ],
+ "v": ">=2012,<2013.1.3"
+ },
+ {
+ "advisory": "The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.",
+ "cve": "CVE-2013-4202",
+ "id": "pyup.io-68019",
+ "more_info_path": "/vulnerabilities/CVE-2013-4202/68019",
+ "specs": [
+ ">=2012,<=2013.1.3"
+ ],
+ "v": ">=2012,<=2013.1.3"
+ },
+ {
+ "advisory": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.",
+ "cve": "CVE-2014-7230",
+ "id": "pyup.io-70424",
+ "more_info_path": "/vulnerabilities/CVE-2014-7230/70424",
+ "specs": [
+ ">=2013.2,<2013.2.4",
+ ">=2014.1,<2014.1.3"
+ ],
+ "v": ">=2013.2,<2013.2.4,>=2014.1,<2014.1.3"
+ },
+ {
+ "advisory": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.",
+ "cve": "CVE-2014-7231",
+ "id": "pyup.io-70430",
+ "more_info_path": "/vulnerabilities/CVE-2014-7231/70430",
+ "specs": [
+ ">=2013.2,<2013.2.4",
+ ">=2014.1,<2014.1.3"
+ ],
+ "v": ">=2013.2,<2013.2.4,>=2014.1,<2014.1.3"
+ },
{
"advisory": "Cinder 22.1.0, 21.3.0 and 20.3.0 include a fix for CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.\r\nhttps://opendev.org/openstack/cinder/commit/68fdc323369943f494541a3510e71290b091359f\r\nhttps://bugs.launchpad.net/nova/+bug/2004555",
"cve": "CVE-2023-2088",
@@ -21870,9 +22322,9 @@
"cloudvision": [
{
"advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.",
- "cve": "CVE-2023-3446",
- "id": "pyup.io-61131",
- "more_info_path": "/vulnerabilities/CVE-2023-3446/61131",
+ "cve": "CVE-2023-2975",
+ "id": "pyup.io-61130",
+ "more_info_path": "/vulnerabilities/CVE-2023-2975/61130",
"specs": [
"<1.13.0"
],
@@ -21880,9 +22332,9 @@
},
{
"advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.",
- "cve": "CVE-2023-3817",
- "id": "pyup.io-61129",
- "more_info_path": "/vulnerabilities/CVE-2023-3817/61129",
+ "cve": "CVE-2023-3446",
+ "id": "pyup.io-61131",
+ "more_info_path": "/vulnerabilities/CVE-2023-3446/61131",
"specs": [
"<1.13.0"
],
@@ -21890,9 +22342,9 @@
},
{
"advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.",
- "cve": "CVE-2023-2975",
- "id": "pyup.io-61130",
- "more_info_path": "/vulnerabilities/CVE-2023-2975/61130",
+ "cve": "CVE-2023-3817",
+ "id": "pyup.io-61129",
+ "more_info_path": "/vulnerabilities/CVE-2023-3817/61129",
"specs": [
"<1.13.0"
],
@@ -22113,6 +22565,16 @@
],
"v": "<2.6.0"
},
+ {
+ "advisory": "Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to be exploitable via \"network connectivity\". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).",
+ "cve": "CVE-2018-1000225",
+ "id": "pyup.io-67945",
+ "more_info_path": "/vulnerabilities/CVE-2018-1000225/67945",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
{
"advisory": "Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via \"network connectivity\". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.",
"cve": "CVE-2018-1000226",
@@ -22450,6 +22912,18 @@
"v": "<0.22.3"
}
],
+ "cognitojwt": [
+ {
+ "advisory": "Cognitojwt version 1.5.0 transitions from the outdated python-jose library, which relied on the ecdsa package containing unresolved vulnerabilities, to the more frequently updated joserfc library.",
+ "cve": "CVE-2024-23342",
+ "id": "pyup.io-68046",
+ "more_info_path": "/vulnerabilities/CVE-2024-23342/68046",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ }
+ ],
"cohen3": [
{
"advisory": "Cohen3 version 0.8.3 updates its dependency \"requests\" to include a security fix.",
@@ -22866,6 +23340,18 @@
"v": ">=0,<1.7.4"
}
],
+ "commonground-api-common": [
+ {
+ "advisory": "Versions of software utilizing the PyJWT library are susceptible to a theoretical privilege escalation due to a non-exploitable weakness in client-supplied JWT verification. Despite using an explicit allow-list of algorithms preventing the use of invalid ones, a hypothetical scenario was identified where, without such a mechanism, tampered client JWTs could lead to an attacker impersonating any client without detection. The JWT verification issue stems from the handling of the algorithm specified in the JWT header, specifically the use of a string for algorithm names rather than a strict list, potentially allowing any substring matching to pass verification checks. However, this vulnerability is considered non-exploitable since PyJWT does not support algorithm substrings that would exploit this issue.",
+ "cve": "PVE-2024-68497",
+ "id": "pyup.io-68497",
+ "more_info_path": "/vulnerabilities/PVE-2024-68497/68497",
+ "specs": [
+ "<=1.12.1"
+ ],
+ "v": "<=1.12.1"
+ }
+ ],
"compas": [
{
"advisory": "Compas 1.17.5 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.\r\nhttps://github.com/compas-dev/compas/commit/0d0f9bec24511fe5dbc77ef73ee617dc83b4420e",
@@ -23003,9 +23489,9 @@
},
{
"advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007",
- "cve": "CVE-2021-34552",
- "id": "pyup.io-53694",
- "more_info_path": "/vulnerabilities/CVE-2021-34552/53694",
+ "cve": "PVE-2022-44524",
+ "id": "pyup.io-53692",
+ "more_info_path": "/vulnerabilities/PVE-2022-44524/53692",
"specs": [
"<0.13.0"
],
@@ -23013,9 +23499,9 @@
},
{
"advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007",
- "cve": "PVE-2022-44524",
- "id": "pyup.io-53692",
- "more_info_path": "/vulnerabilities/PVE-2022-44524/53692",
+ "cve": "CVE-2021-34552",
+ "id": "pyup.io-53694",
+ "more_info_path": "/vulnerabilities/CVE-2021-34552/53694",
"specs": [
"<0.13.0"
],
@@ -23387,9 +23873,9 @@
"connect-sdk-python2": [
{
"advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2020-26137",
- "id": "pyup.io-51386",
- "more_info_path": "/vulnerabilities/CVE-2020-26137/51386",
+ "cve": "CVE-2021-33503",
+ "id": "pyup.io-51387",
+ "more_info_path": "/vulnerabilities/CVE-2021-33503/51387",
"specs": [
"<3.33.0"
],
@@ -23397,9 +23883,9 @@
},
{
"advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-51385",
- "more_info_path": "/vulnerabilities/CVE-2019-11324/51385",
+ "cve": "CVE-2018-20060",
+ "id": "pyup.io-51359",
+ "more_info_path": "/vulnerabilities/CVE-2018-20060/51359",
"specs": [
"<3.33.0"
],
@@ -23407,9 +23893,9 @@
},
{
"advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2021-33503",
- "id": "pyup.io-51387",
- "more_info_path": "/vulnerabilities/CVE-2021-33503/51387",
+ "cve": "CVE-2019-11236",
+ "id": "pyup.io-51384",
+ "more_info_path": "/vulnerabilities/CVE-2019-11236/51384",
"specs": [
"<3.33.0"
],
@@ -23417,9 +23903,9 @@
},
{
"advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2019-11236",
- "id": "pyup.io-51384",
- "more_info_path": "/vulnerabilities/CVE-2019-11236/51384",
+ "cve": "CVE-2020-26137",
+ "id": "pyup.io-51386",
+ "more_info_path": "/vulnerabilities/CVE-2020-26137/51386",
"specs": [
"<3.33.0"
],
@@ -23427,9 +23913,9 @@
},
{
"advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2018-20060",
- "id": "pyup.io-51359",
- "more_info_path": "/vulnerabilities/CVE-2018-20060/51359",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-51385",
+ "more_info_path": "/vulnerabilities/CVE-2019-11324/51385",
"specs": [
"<3.33.0"
],
@@ -23449,9 +23935,9 @@
},
{
"advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2020-26137",
- "id": "pyup.io-51380",
- "more_info_path": "/vulnerabilities/CVE-2020-26137/51380",
+ "cve": "CVE-2021-33503",
+ "id": "pyup.io-51360",
+ "more_info_path": "/vulnerabilities/CVE-2021-33503/51360",
"specs": [
"<3.33.0"
],
@@ -23459,9 +23945,9 @@
},
{
"advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2019-11236",
- "id": "pyup.io-51382",
- "more_info_path": "/vulnerabilities/CVE-2019-11236/51382",
+ "cve": "CVE-2018-20060",
+ "id": "pyup.io-51383",
+ "more_info_path": "/vulnerabilities/CVE-2018-20060/51383",
"specs": [
"<3.33.0"
],
@@ -23469,9 +23955,9 @@
},
{
"advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2018-20060",
- "id": "pyup.io-51383",
- "more_info_path": "/vulnerabilities/CVE-2018-20060/51383",
+ "cve": "CVE-2020-26137",
+ "id": "pyup.io-51380",
+ "more_info_path": "/vulnerabilities/CVE-2020-26137/51380",
"specs": [
"<3.33.0"
],
@@ -23479,9 +23965,9 @@
},
{
"advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.",
- "cve": "CVE-2021-33503",
- "id": "pyup.io-51360",
- "more_info_path": "/vulnerabilities/CVE-2021-33503/51360",
+ "cve": "CVE-2019-11236",
+ "id": "pyup.io-51382",
+ "more_info_path": "/vulnerabilities/CVE-2019-11236/51382",
"specs": [
"<3.33.0"
],
@@ -23666,6 +24152,28 @@
"v": "<1.0.2"
}
],
+ "copy-spotter": [
+ {
+ "advisory": "Copy-spotter version 0.0.1 updates the Black library from version 23.11.0 to 24.3.0 to address the security vulnerabilities identified in CVE-2024-21503.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-68062",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/68062",
+ "specs": [
+ "<0.0.1"
+ ],
+ "v": "<0.0.1"
+ },
+ {
+ "advisory": "Copy-spotter version 0.0.1 has upgraded its nltk dependency from 3.6.3 to 3.6.6 to address the security issue identified in CVE-2021-3842.",
+ "cve": "CVE-2021-3842",
+ "id": "pyup.io-68082",
+ "more_info_path": "/vulnerabilities/CVE-2021-3842/68082",
+ "specs": [
+ "<0.0.1"
+ ],
+ "v": "<0.0.1"
+ }
+ ],
"copyparty": [
{
"advisory": "Copyparty 0.11.31 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/9001/copyparty/commit/a5120d4f6fe4afe91eb0e091063de6b9ba9e81e1",
@@ -23728,20 +24236,20 @@
"v": "<1.2.8"
},
{
- "advisory": "Copyparty 1.8.2 includes a fix for a Race Condition vulnerability. Impact is on availability.\r\nhttps://github.com/9001/copyparty/commit/77f1e5144455eb946db7368792ea11c934f0f6da\r\nhttps://github.com/9001/copyparty/commit/8f59afb1593a75b8ce8c91ceee304097a07aea6e",
- "cve": "PVE-2023-59475",
- "id": "pyup.io-59475",
- "more_info_path": "/vulnerabilities/PVE-2023-59475/59475",
+ "advisory": "Copyparty 1.8.2 includes a fix for a Path Traversal vulnerability: An attacker may use the /.cpr endpoint to have full access to the server filesystem.\r\nhttps://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg",
+ "cve": "CVE-2023-37474",
+ "id": "pyup.io-59466",
+ "more_info_path": "/vulnerabilities/CVE-2023-37474/59466",
"specs": [
"<1.8.2"
],
"v": "<1.8.2"
},
{
- "advisory": "Copyparty 1.8.2 includes a fix for a Path Traversal vulnerability: An attacker may use the /.cpr endpoint to have full access to the server filesystem.\r\nhttps://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg",
- "cve": "CVE-2023-37474",
- "id": "pyup.io-59466",
- "more_info_path": "/vulnerabilities/CVE-2023-37474/59466",
+ "advisory": "Copyparty 1.8.2 includes a fix for a Race Condition vulnerability. Impact is on availability.\r\nhttps://github.com/9001/copyparty/commit/77f1e5144455eb946db7368792ea11c934f0f6da\r\nhttps://github.com/9001/copyparty/commit/8f59afb1593a75b8ce8c91ceee304097a07aea6e",
+ "cve": "PVE-2023-59475",
+ "id": "pyup.io-59475",
+ "more_info_path": "/vulnerabilities/PVE-2023-59475/59475",
"specs": [
"<1.8.2"
],
@@ -23922,8 +24430,8 @@
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
"cve": "CVE-2012-6708",
- "id": "pyup.io-49056",
- "more_info_path": "/vulnerabilities/CVE-2012-6708/49056",
+ "id": "pyup.io-49057",
+ "more_info_path": "/vulnerabilities/CVE-2012-6708/49057",
"specs": [
"<0.13.0"
],
@@ -23931,9 +24439,9 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2011-4969",
- "id": "pyup.io-39529",
- "more_info_path": "/vulnerabilities/CVE-2011-4969/39529",
+ "cve": "CVE-2019-11358",
+ "id": "pyup.io-49061",
+ "more_info_path": "/vulnerabilities/CVE-2019-11358/49061",
"specs": [
"<0.13.0"
],
@@ -23941,9 +24449,9 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
- "cve": "CVE-2016-10735",
- "id": "pyup.io-49068",
- "more_info_path": "/vulnerabilities/CVE-2016-10735/49068",
+ "cve": "CVE-2019-8331",
+ "id": "pyup.io-49063",
+ "more_info_path": "/vulnerabilities/CVE-2019-8331/49063",
"specs": [
"<0.13.0"
],
@@ -23952,8 +24460,8 @@
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
"cve": "CVE-2012-6708",
- "id": "pyup.io-49057",
- "more_info_path": "/vulnerabilities/CVE-2012-6708/49057",
+ "id": "pyup.io-49056",
+ "more_info_path": "/vulnerabilities/CVE-2012-6708/49056",
"specs": [
"<0.13.0"
],
@@ -23961,9 +24469,9 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2019-11358",
- "id": "pyup.io-49061",
- "more_info_path": "/vulnerabilities/CVE-2019-11358/49061",
+ "cve": "CVE-2015-9251",
+ "id": "pyup.io-49059",
+ "more_info_path": "/vulnerabilities/CVE-2015-9251/49059",
"specs": [
"<0.13.0"
],
@@ -23971,29 +24479,29 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
- "cve": "CVE-2019-8331",
- "id": "pyup.io-49063",
- "more_info_path": "/vulnerabilities/CVE-2019-8331/49063",
+ "cve": "CVE-2018-14042",
+ "id": "pyup.io-49067",
+ "more_info_path": "/vulnerabilities/CVE-2018-14042/49067",
"specs": [
"<0.13.0"
],
"v": "<0.13.0"
},
{
- "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2020-7656",
- "id": "pyup.io-49062",
- "more_info_path": "/vulnerabilities/CVE-2020-7656/49062",
+ "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
+ "cve": "CVE-2018-14040",
+ "id": "pyup.io-49066",
+ "more_info_path": "/vulnerabilities/CVE-2018-14040/49066",
"specs": [
"<0.13.0"
],
"v": "<0.13.0"
},
{
- "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
- "cve": "CVE-2018-14042",
- "id": "pyup.io-49067",
- "more_info_path": "/vulnerabilities/CVE-2018-14042/49067",
+ "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
+ "cve": "CVE-2019-11358",
+ "id": "pyup.io-49060",
+ "more_info_path": "/vulnerabilities/CVE-2019-11358/49060",
"specs": [
"<0.13.0"
],
@@ -24001,19 +24509,19 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2015-9251",
- "id": "pyup.io-49059",
- "more_info_path": "/vulnerabilities/CVE-2015-9251/49059",
+ "cve": "CVE-2020-7656",
+ "id": "pyup.io-49062",
+ "more_info_path": "/vulnerabilities/CVE-2020-7656/49062",
"specs": [
"<0.13.0"
],
"v": "<0.13.0"
},
{
- "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
- "cve": "CVE-2018-20676",
- "id": "pyup.io-49065",
- "more_info_path": "/vulnerabilities/CVE-2018-20676/49065",
+ "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
+ "cve": "CVE-2011-4969",
+ "id": "pyup.io-39529",
+ "more_info_path": "/vulnerabilities/CVE-2011-4969/39529",
"specs": [
"<0.13.0"
],
@@ -24021,19 +24529,19 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
- "cve": "CVE-2018-14040",
- "id": "pyup.io-49066",
- "more_info_path": "/vulnerabilities/CVE-2018-14040/49066",
+ "cve": "CVE-2016-10735",
+ "id": "pyup.io-49068",
+ "more_info_path": "/vulnerabilities/CVE-2016-10735/49068",
"specs": [
"<0.13.0"
],
"v": "<0.13.0"
},
{
- "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2015-9251",
- "id": "pyup.io-49058",
- "more_info_path": "/vulnerabilities/CVE-2015-9251/49058",
+ "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.",
+ "cve": "CVE-2018-20676",
+ "id": "pyup.io-49065",
+ "more_info_path": "/vulnerabilities/CVE-2018-20676/49065",
"specs": [
"<0.13.0"
],
@@ -24041,9 +24549,9 @@
},
{
"advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.",
- "cve": "CVE-2019-11358",
- "id": "pyup.io-49060",
- "more_info_path": "/vulnerabilities/CVE-2019-11358/49060",
+ "cve": "CVE-2015-9251",
+ "id": "pyup.io-49058",
+ "more_info_path": "/vulnerabilities/CVE-2015-9251/49058",
"specs": [
"<0.13.0"
],
@@ -24245,6 +24753,26 @@
"<1.7.2"
],
"v": "<1.7.2"
+ },
+ {
+ "advisory": "Cryptoadvance.specter version 2.0.2 has updated its Electron dependency from version 22.1.0 to 22.3.21 to address security concerns outlined in CVE-2023-39956.",
+ "cve": "CVE-2023-39956",
+ "id": "pyup.io-67912",
+ "more_info_path": "/vulnerabilities/CVE-2023-39956/67912",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ },
+ {
+ "advisory": "Cryptoadvance.specter version 2.0.2 addresses a security issue where the \"next\" parameter during the login process on Specter desktop could be manipulated to redirect users to an unauthorized domain after login. This vulnerability posed a phishing risk, as attackers could easily direct users to malicious sites by altering the \"next\" parameter in the URL. The update rectifies this issue to prevent potential phishing attacks.",
+ "cve": "PVE-2024-67911",
+ "id": "pyup.io-67911",
+ "more_info_path": "/vulnerabilities/PVE-2024-67911/67911",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
}
],
"cryptoasset-data-downloader": [
@@ -24806,7 +25334,7 @@
],
"curl-cffi": [
{
- "advisory": "Curl-cffi 0.5.10b4 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.\r\nhttps://github.com/lwthiker/curl-impersonate/issues/194\r\nhttps://github.com/yifeikong/curl_cffi/blob/d0c6c9c08ecf4ab6a1a9e0bd7ea6ff80e562385b/Makefile#L4",
+ "advisory": "Curl-cffi 0.5.10b4 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.",
"cve": "CVE-2023-38545",
"id": "pyup.io-61772",
"more_info_path": "/vulnerabilities/CVE-2023-38545/61772",
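Review bot: The rewritten advisory on the `+` line drops both reference URLs the old text carried (the curl-impersonate issue and the pinned Makefile line), leaving the record with no pointer to the affected libcurl version or the upstream discussion while `cve`, `id` and `more_info_path` are unchanged. For a record whose only claim is "ships with a version of 'libcurl' that has a high-severity vulnerability", those links were the evidence a consumer uses to confirm exposure, so removing them lowers the entry's usefulness for triage. If the goal is uniform advisory prose, keep the references, e.g. `"advisory": "Curl-cffi 0.5.10b4 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.\r\nhttps://github.com/lwthiker/curl-impersonate/issues/194"`, or move them to a dedicated references field rather than deleting them. The commit message is not visible here, so the intent behind the removal cannot be confirmed from this hunk.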
@@ -24886,6 +25414,28 @@
"v": "<0.14.0"
}
],
+ "cve-bin-tool": [
+ {
+ "advisory": "Cve-bin-tool version 3.3rc3 updates its Pillow dependency to version 10.0.1 from 9.5.0 to address the security vulnerability outlined in CVE-2023-44271.",
+ "cve": "CVE-2023-44271",
+ "id": "pyup.io-67593",
+ "more_info_path": "/vulnerabilities/CVE-2023-44271/67593",
+ "specs": [
+ "<3.3rc3"
+ ],
+ "v": "<3.3rc3"
+ },
+ {
+ "advisory": "Cve-bin-tool version 3.3rc3 updates its Pillow dependency to version 10.0.1 from 9.5.0 to address the security vulnerability outlined in CVE-2023-4863.",
+ "cve": "CVE-2023-4863",
+ "id": "pyup.io-67586",
+ "more_info_path": "/vulnerabilities/CVE-2023-4863/67586",
+ "specs": [
+ "<3.3rc3"
+ ],
+ "v": "<3.3rc3"
+ }
+ ],
"cve-py": [
{
"advisory": "Cve-py 1.2.1 includes a fix for a XXE vulnerability.\r\nhttps://github.com/Pavel-Sushko/cve-py/pull/13",
@@ -25653,9 +26203,9 @@
"dagster-cloud": [
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-1292",
- "id": "pyup.io-52154",
- "more_info_path": "/vulnerabilities/CVE-2022-1292/52154",
+ "cve": "CVE-2022-2068",
+ "id": "pyup.io-52155",
+ "more_info_path": "/vulnerabilities/CVE-2022-2068/52155",
"specs": [
"<1.1.4"
],
@@ -25663,9 +26213,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-4209",
- "id": "pyup.io-52168",
- "more_info_path": "/vulnerabilities/CVE-2021-4209/52168",
+ "cve": "CVE-2018-25032",
+ "id": "pyup.io-52166",
+ "more_info_path": "/vulnerabilities/CVE-2018-25032/52166",
"specs": [
"<1.1.4"
],
@@ -25673,9 +26223,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-37434",
- "id": "pyup.io-52156",
- "more_info_path": "/vulnerabilities/CVE-2022-37434/52156",
+ "cve": "CVE-2021-3999",
+ "id": "pyup.io-52160",
+ "more_info_path": "/vulnerabilities/CVE-2021-3999/52160",
"specs": [
"<1.1.4"
],
@@ -25683,9 +26233,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-2068",
- "id": "pyup.io-52155",
- "more_info_path": "/vulnerabilities/CVE-2022-2068/52155",
+ "cve": "CVE-2022-1292",
+ "id": "pyup.io-52154",
+ "more_info_path": "/vulnerabilities/CVE-2022-1292/52154",
"specs": [
"<1.1.4"
],
@@ -25693,9 +26243,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-34903",
- "id": "pyup.io-52167",
- "more_info_path": "/vulnerabilities/CVE-2022-34903/52167",
+ "cve": "CVE-2021-46828",
+ "id": "pyup.io-52164",
+ "more_info_path": "/vulnerabilities/CVE-2021-46828/52164",
"specs": [
"<1.1.4"
],
@@ -25703,9 +26253,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-4160",
- "id": "pyup.io-52169",
- "more_info_path": "/vulnerabilities/CVE-2021-4160/52169",
+ "cve": "CVE-2021-33574",
+ "id": "pyup.io-52153",
+ "more_info_path": "/vulnerabilities/CVE-2021-33574/52153",
"specs": [
"<1.1.4"
],
@@ -25713,9 +26263,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-1587",
- "id": "pyup.io-52157",
- "more_info_path": "/vulnerabilities/CVE-2022-1587/52157",
+ "cve": "CVE-2022-37434",
+ "id": "pyup.io-52156",
+ "more_info_path": "/vulnerabilities/CVE-2022-37434/52156",
"specs": [
"<1.1.4"
],
@@ -25723,9 +26273,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-1664",
- "id": "pyup.io-52146",
- "more_info_path": "/vulnerabilities/CVE-2022-1664/52146",
+ "cve": "CVE-2022-1586",
+ "id": "pyup.io-52158",
+ "more_info_path": "/vulnerabilities/CVE-2022-1586/52158",
"specs": [
"<1.1.4"
],
@@ -25733,9 +26283,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-0778",
- "id": "pyup.io-52165",
- "more_info_path": "/vulnerabilities/CVE-2022-0778/52165",
+ "cve": "CVE-2022-2509",
+ "id": "pyup.io-52163",
+ "more_info_path": "/vulnerabilities/CVE-2022-2509/52163",
"specs": [
"<1.1.4"
],
@@ -25743,9 +26293,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-2509",
- "id": "pyup.io-52163",
- "more_info_path": "/vulnerabilities/CVE-2022-2509/52163",
+ "cve": "CVE-2022-34903",
+ "id": "pyup.io-52167",
+ "more_info_path": "/vulnerabilities/CVE-2022-34903/52167",
"specs": [
"<1.1.4"
],
@@ -25753,9 +26303,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-3997",
- "id": "pyup.io-52170",
- "more_info_path": "/vulnerabilities/CVE-2021-3997/52170",
+ "cve": "CVE-2022-0778",
+ "id": "pyup.io-52165",
+ "more_info_path": "/vulnerabilities/CVE-2022-0778/52165",
"specs": [
"<1.1.4"
],
@@ -25763,9 +26313,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-23218",
- "id": "pyup.io-52152",
- "more_info_path": "/vulnerabilities/CVE-2022-23218/52152",
+ "cve": "CVE-2022-1664",
+ "id": "pyup.io-52146",
+ "more_info_path": "/vulnerabilities/CVE-2022-1664/52146",
"specs": [
"<1.1.4"
],
@@ -25773,9 +26323,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-3999",
- "id": "pyup.io-52160",
- "more_info_path": "/vulnerabilities/CVE-2021-3999/52160",
+ "cve": "CVE-2022-40674",
+ "id": "pyup.io-52150",
+ "more_info_path": "/vulnerabilities/CVE-2022-40674/52150",
"specs": [
"<1.1.4"
],
@@ -25783,9 +26333,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-33574",
- "id": "pyup.io-52153",
- "more_info_path": "/vulnerabilities/CVE-2021-33574/52153",
+ "cve": "CVE-2021-3997",
+ "id": "pyup.io-52170",
+ "more_info_path": "/vulnerabilities/CVE-2021-3997/52170",
"specs": [
"<1.1.4"
],
@@ -25793,9 +26343,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2021-46828",
- "id": "pyup.io-52164",
- "more_info_path": "/vulnerabilities/CVE-2021-46828/52164",
+ "cve": "CVE-2021-4209",
+ "id": "pyup.io-52168",
+ "more_info_path": "/vulnerabilities/CVE-2021-4209/52168",
"specs": [
"<1.1.4"
],
@@ -25803,9 +26353,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-40674",
- "id": "pyup.io-52150",
- "more_info_path": "/vulnerabilities/CVE-2022-40674/52150",
+ "cve": "CVE-2022-23219",
+ "id": "pyup.io-52151",
+ "more_info_path": "/vulnerabilities/CVE-2022-23219/52151",
"specs": [
"<1.1.4"
],
@@ -25813,9 +26363,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2018-25032",
- "id": "pyup.io-52166",
- "more_info_path": "/vulnerabilities/CVE-2018-25032/52166",
+ "cve": "CVE-2022-1587",
+ "id": "pyup.io-52157",
+ "more_info_path": "/vulnerabilities/CVE-2022-1587/52157",
"specs": [
"<1.1.4"
],
@@ -25823,9 +26373,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-1586",
- "id": "pyup.io-52158",
- "more_info_path": "/vulnerabilities/CVE-2022-1586/52158",
+ "cve": "CVE-2022-1271",
+ "id": "pyup.io-52159",
+ "more_info_path": "/vulnerabilities/CVE-2022-1271/52159",
"specs": [
"<1.1.4"
],
@@ -25833,9 +26383,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-1271",
- "id": "pyup.io-52159",
- "more_info_path": "/vulnerabilities/CVE-2022-1271/52159",
+ "cve": "CVE-2021-4160",
+ "id": "pyup.io-52169",
+ "more_info_path": "/vulnerabilities/CVE-2021-4160/52169",
"specs": [
"<1.1.4"
],
@@ -25843,9 +26393,9 @@
},
{
"advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.",
- "cve": "CVE-2022-23219",
- "id": "pyup.io-52151",
- "more_info_path": "/vulnerabilities/CVE-2022-23219/52151",
+ "cve": "CVE-2022-23218",
+ "id": "pyup.io-52152",
+ "more_info_path": "/vulnerabilities/CVE-2022-23218/52152",
"specs": [
"<1.1.4"
],
@@ -25868,9 +26418,9 @@
"daphne": [
{
"advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.",
- "cve": "CVE-2022-24801",
- "id": "pyup.io-51374",
- "more_info_path": "/vulnerabilities/CVE-2022-24801/51374",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-51379",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/51379",
"specs": [
"<4.0.0"
],
@@ -25878,9 +26428,9 @@
},
{
"advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-51379",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/51379",
+ "cve": "CVE-2022-21712",
+ "id": "pyup.io-51377",
+ "more_info_path": "/vulnerabilities/CVE-2022-21712/51377",
"specs": [
"<4.0.0"
],
@@ -25888,9 +26438,9 @@
},
{
"advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.",
- "cve": "CVE-2022-21712",
- "id": "pyup.io-51377",
- "more_info_path": "/vulnerabilities/CVE-2022-21712/51377",
+ "cve": "CVE-2022-24801",
+ "id": "pyup.io-51374",
+ "more_info_path": "/vulnerabilities/CVE-2022-24801/51374",
"specs": [
"<4.0.0"
],
@@ -25908,9 +26458,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2019-12387",
- "id": "pyup.io-50818",
- "more_info_path": "/vulnerabilities/CVE-2019-12387/50818",
+ "cve": "CVE-2020-10109",
+ "id": "pyup.io-50816",
+ "more_info_path": "/vulnerabilities/CVE-2020-10109/50816",
"specs": [
"<4.0.0b1"
],
@@ -25918,9 +26468,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2019-12855",
- "id": "pyup.io-50817",
- "more_info_path": "/vulnerabilities/CVE-2019-12855/50817",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-50815",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/50815",
"specs": [
"<4.0.0b1"
],
@@ -25928,9 +26478,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2022-21712",
- "id": "pyup.io-50814",
- "more_info_path": "/vulnerabilities/CVE-2022-21712/50814",
+ "cve": "CVE-2019-12387",
+ "id": "pyup.io-50818",
+ "more_info_path": "/vulnerabilities/CVE-2019-12387/50818",
"specs": [
"<4.0.0b1"
],
@@ -25938,9 +26488,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2022-24801",
- "id": "pyup.io-50768",
- "more_info_path": "/vulnerabilities/CVE-2022-24801/50768",
+ "cve": "CVE-2019-12855",
+ "id": "pyup.io-50817",
+ "more_info_path": "/vulnerabilities/CVE-2019-12855/50817",
"specs": [
"<4.0.0b1"
],
@@ -25948,9 +26498,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2020-10109",
- "id": "pyup.io-50816",
- "more_info_path": "/vulnerabilities/CVE-2020-10109/50816",
+ "cve": "CVE-2022-21712",
+ "id": "pyup.io-50814",
+ "more_info_path": "/vulnerabilities/CVE-2022-21712/50814",
"specs": [
"<4.0.0b1"
],
@@ -25958,9 +26508,9 @@
},
{
"advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-50815",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/50815",
+ "cve": "CVE-2022-24801",
+ "id": "pyup.io-50768",
+ "more_info_path": "/vulnerabilities/CVE-2022-24801/50768",
"specs": [
"<4.0.0b1"
],
@@ -25970,9 +26520,9 @@
"dapla-toolbelt-pseudo": [
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2023-0401",
- "id": "pyup.io-53714",
- "more_info_path": "/vulnerabilities/CVE-2023-0401/53714",
+ "cve": "CVE-2022-4304",
+ "id": "pyup.io-53734",
+ "more_info_path": "/vulnerabilities/CVE-2022-4304/53734",
"specs": [
"<0.2.1"
],
@@ -25980,9 +26530,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2023-0217",
- "id": "pyup.io-53732",
- "more_info_path": "/vulnerabilities/CVE-2023-0217/53732",
+ "cve": "CVE-2023-0401",
+ "id": "pyup.io-53714",
+ "more_info_path": "/vulnerabilities/CVE-2023-0401/53714",
"specs": [
"<0.2.1"
],
@@ -25990,9 +26540,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2022-4304",
- "id": "pyup.io-53734",
- "more_info_path": "/vulnerabilities/CVE-2022-4304/53734",
+ "cve": "CVE-2022-4203",
+ "id": "pyup.io-53736",
+ "more_info_path": "/vulnerabilities/CVE-2022-4203/53736",
"specs": [
"<0.2.1"
],
@@ -26000,9 +26550,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2023-0286",
- "id": "pyup.io-53733",
- "more_info_path": "/vulnerabilities/CVE-2023-0286/53733",
+ "cve": "CVE-2023-0217",
+ "id": "pyup.io-53732",
+ "more_info_path": "/vulnerabilities/CVE-2023-0217/53732",
"specs": [
"<0.2.1"
],
@@ -26010,9 +26560,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2023-0215",
- "id": "pyup.io-53731",
- "more_info_path": "/vulnerabilities/CVE-2023-0215/53731",
+ "cve": "CVE-2023-0286",
+ "id": "pyup.io-53733",
+ "more_info_path": "/vulnerabilities/CVE-2023-0286/53733",
"specs": [
"<0.2.1"
],
@@ -26020,9 +26570,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2022-4203",
- "id": "pyup.io-53736",
- "more_info_path": "/vulnerabilities/CVE-2022-4203/53736",
+ "cve": "CVE-2022-4450",
+ "id": "pyup.io-53735",
+ "more_info_path": "/vulnerabilities/CVE-2022-4450/53735",
"specs": [
"<0.2.1"
],
@@ -26030,9 +26580,9 @@
},
{
"advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.",
- "cve": "CVE-2022-4450",
- "id": "pyup.io-53735",
- "more_info_path": "/vulnerabilities/CVE-2022-4450/53735",
+ "cve": "CVE-2023-0215",
+ "id": "pyup.io-53731",
+ "more_info_path": "/vulnerabilities/CVE-2023-0215/53731",
"specs": [
"<0.2.1"
],
@@ -26120,20 +26670,20 @@
],
"dash-extensions": [
{
- "advisory": "Dash-extensions 0.1.1 updates its dependency 'jsbeautifier' to v1.14.3 to include a fix for a ReDoS vulnerability.",
- "cve": "PVE-2022-48568",
- "id": "pyup.io-48568",
- "more_info_path": "/vulnerabilities/PVE-2022-48568/48568",
+ "advisory": "Dash-extensions 0.1.1 updates its NPM dependency 'mermaid' to v9.0.1 to include a security fix.",
+ "cve": "CVE-2021-43861",
+ "id": "pyup.io-48567",
+ "more_info_path": "/vulnerabilities/CVE-2021-43861/48567",
"specs": [
"<0.1.1"
],
"v": "<0.1.1"
},
{
- "advisory": "Dash-extensions 0.1.1 updates its NPM dependency 'mermaid' to v9.0.1 to include a security fix.",
- "cve": "CVE-2021-43861",
- "id": "pyup.io-48567",
- "more_info_path": "/vulnerabilities/CVE-2021-43861/48567",
+ "advisory": "Dash-extensions 0.1.1 updates its dependency 'jsbeautifier' to v1.14.3 to include a fix for a ReDoS vulnerability.",
+ "cve": "PVE-2022-48568",
+ "id": "pyup.io-48568",
+ "more_info_path": "/vulnerabilities/PVE-2022-48568/48568",
"specs": [
"<0.1.1"
],
@@ -26150,30 +26700,30 @@
"v": "<0.1.1"
},
{
- "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'minimatch' to v3.1.2 to include a security fix.",
- "cve": "CVE-2022-3517",
- "id": "pyup.io-52303",
- "more_info_path": "/vulnerabilities/CVE-2022-3517/52303",
+ "advisory": "Dash-extensions 0.1.8 updates its dependency 'cryptography' to v 38.0.3 to include security fixes.",
+ "cve": "CVE-2022-3602",
+ "id": "pyup.io-52356",
+ "more_info_path": "/vulnerabilities/CVE-2022-3602/52356",
"specs": [
"<0.1.8"
],
"v": "<0.1.8"
},
{
- "advisory": "Dash-extensions 0.1.8 updates its dependency 'cryptography' to v 38.0.3 to include security fixes.",
- "cve": "CVE-2022-3602",
- "id": "pyup.io-52356",
- "more_info_path": "/vulnerabilities/CVE-2022-3602/52356",
+ "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.",
+ "cve": "CVE-2022-37603",
+ "id": "pyup.io-52353",
+ "more_info_path": "/vulnerabilities/CVE-2022-37603/52353",
"specs": [
"<0.1.8"
],
"v": "<0.1.8"
},
{
- "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.",
- "cve": "CVE-2022-37601",
- "id": "pyup.io-52351",
- "more_info_path": "/vulnerabilities/CVE-2022-37601/52351",
+ "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'minimatch' to v3.1.2 to include a security fix.",
+ "cve": "CVE-2022-3517",
+ "id": "pyup.io-52303",
+ "more_info_path": "/vulnerabilities/CVE-2022-3517/52303",
"specs": [
"<0.1.8"
],
@@ -26181,9 +26731,9 @@
},
{
"advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.",
- "cve": "CVE-2022-37603",
- "id": "pyup.io-52353",
- "more_info_path": "/vulnerabilities/CVE-2022-37603/52353",
+ "cve": "CVE-2022-37601",
+ "id": "pyup.io-52351",
+ "more_info_path": "/vulnerabilities/CVE-2022-37601/52351",
"specs": [
"<0.1.8"
],
@@ -26220,20 +26770,20 @@
"v": "<0.1.8"
},
{
- "advisory": "Dash-extensions 0.1.9 updates its NPM dependency 'loader-utils' requirement to '>=3.2.1' to include security fixes.",
- "cve": "CVE-2022-37599",
- "id": "pyup.io-52653",
- "more_info_path": "/vulnerabilities/CVE-2022-37599/52653",
+ "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
+ "cve": "CVE-2022-23491",
+ "id": "pyup.io-52654",
+ "more_info_path": "/vulnerabilities/CVE-2022-23491/52654",
"specs": [
"<0.1.9"
],
"v": "<0.1.9"
},
{
- "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
- "cve": "CVE-2022-23491",
- "id": "pyup.io-52654",
- "more_info_path": "/vulnerabilities/CVE-2022-23491/52654",
+ "advisory": "Dash-extensions 0.1.9 updates its NPM dependency 'loader-utils' requirement to '>=3.2.1' to include security fixes.",
+ "cve": "CVE-2022-37599",
+ "id": "pyup.io-52653",
+ "more_info_path": "/vulnerabilities/CVE-2022-37599/52653",
"specs": [
"<0.1.9"
],
@@ -26397,6 +26947,16 @@
],
"v": "<1.8.37"
},
+ {
+ "advisory": "Datacube-ows version 1.8.40 has updated its Pillow dependency to version 10.2.0 to address security concerns outlined in CVE-2023-4863.",
+ "cve": "CVE-2023-4863",
+ "id": "pyup.io-70566",
+ "more_info_path": "/vulnerabilities/CVE-2023-4863/70566",
+ "specs": [
+ "<1.8.40"
+ ],
+ "v": "<1.8.40"
+ },
{
"advisory": "Datacube-ows 1.8.8 removes the CodeCov token from ows to fix a security breach.\r\nhttps://github.com/opendatacube/datacube-ows/pull/585",
"cve": "PVE-2021-42558",
@@ -26822,19 +27382,9 @@
"datum": [
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23589",
- "id": "pyup.io-50395",
- "more_info_path": "/vulnerabilities/CVE-2022-23589/50395",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21727",
- "id": "pyup.io-50347",
- "more_info_path": "/vulnerabilities/CVE-2022-21727/50347",
+ "cve": "CVE-2022-23587",
+ "id": "pyup.io-50393",
+ "more_info_path": "/vulnerabilities/CVE-2022-23587/50393",
"specs": [
"<1.5.0"
],
@@ -26842,9 +27392,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23587",
- "id": "pyup.io-50393",
- "more_info_path": "/vulnerabilities/CVE-2022-23587/50393",
+ "cve": "CVE-2022-23589",
+ "id": "pyup.io-50395",
+ "more_info_path": "/vulnerabilities/CVE-2022-23589/50395",
"specs": [
"<1.5.0"
],
@@ -26852,9 +27402,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23561",
- "id": "pyup.io-50367",
- "more_info_path": "/vulnerabilities/CVE-2022-23561/50367",
+ "cve": "CVE-2022-21727",
+ "id": "pyup.io-50347",
+ "more_info_path": "/vulnerabilities/CVE-2022-21727/50347",
"specs": [
"<1.5.0"
],
@@ -26910,26 +27460,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23595",
- "id": "pyup.io-50399",
- "more_info_path": "/vulnerabilities/CVE-2022-23595/50399",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-27779",
- "id": "pyup.io-50404",
- "more_info_path": "/vulnerabilities/CVE-2022-27779/50404",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-23594",
@@ -26942,9 +27472,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29192",
- "id": "pyup.io-50409",
- "more_info_path": "/vulnerabilities/CVE-2022-29192/50409",
+ "cve": "CVE-2022-23595",
+ "id": "pyup.io-50399",
+ "more_info_path": "/vulnerabilities/CVE-2022-23595/50399",
"specs": [
"<1.5.0"
],
@@ -27042,9 +27572,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23580",
- "id": "pyup.io-50386",
- "more_info_path": "/vulnerabilities/CVE-2022-23580/50386",
+ "cve": "CVE-2022-23561",
+ "id": "pyup.io-50367",
+ "more_info_path": "/vulnerabilities/CVE-2022-23561/50367",
"specs": [
"<1.5.0"
],
@@ -27052,9 +27582,29 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29197",
- "id": "pyup.io-50414",
- "more_info_path": "/vulnerabilities/CVE-2022-29197/50414",
+ "cve": "CVE-2022-27779",
+ "id": "pyup.io-50404",
+ "more_info_path": "/vulnerabilities/CVE-2022-27779/50404",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29192",
+ "id": "pyup.io-50409",
+ "more_info_path": "/vulnerabilities/CVE-2022-29192/50409",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23580",
+ "id": "pyup.io-50386",
+ "more_info_path": "/vulnerabilities/CVE-2022-23580/50386",
"specs": [
"<1.5.0"
],
@@ -27070,6 +27620,236 @@
],
"v": "<1.5.0"
},
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23571",
+ "id": "pyup.io-50377",
+ "more_info_path": "/vulnerabilities/CVE-2022-23571/50377",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23573",
+ "id": "pyup.io-50379",
+ "more_info_path": "/vulnerabilities/CVE-2022-23573/50379",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21726",
+ "id": "pyup.io-50346",
+ "more_info_path": "/vulnerabilities/CVE-2022-21726/50346",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21728",
+ "id": "pyup.io-50348",
+ "more_info_path": "/vulnerabilities/CVE-2022-21728/50348",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23568",
+ "id": "pyup.io-50374",
+ "more_info_path": "/vulnerabilities/CVE-2022-23568/50374",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-27774",
+ "id": "pyup.io-50400",
+ "more_info_path": "/vulnerabilities/CVE-2022-27774/50400",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29212",
+ "id": "pyup.io-50428",
+ "more_info_path": "/vulnerabilities/CVE-2022-29212/50428",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29213",
+ "id": "pyup.io-50429",
+ "more_info_path": "/vulnerabilities/CVE-2022-29213/50429",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21738",
+ "id": "pyup.io-50358",
+ "more_info_path": "/vulnerabilities/CVE-2022-21738/50358",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29201",
+ "id": "pyup.io-50418",
+ "more_info_path": "/vulnerabilities/CVE-2022-29201/50418",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21729",
+ "id": "pyup.io-50349",
+ "more_info_path": "/vulnerabilities/CVE-2022-21729/50349",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21735",
+ "id": "pyup.io-50355",
+ "more_info_path": "/vulnerabilities/CVE-2022-21735/50355",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21736",
+ "id": "pyup.io-50356",
+ "more_info_path": "/vulnerabilities/CVE-2022-21736/50356",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21739",
+ "id": "pyup.io-50359",
+ "more_info_path": "/vulnerabilities/CVE-2022-21739/50359",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23559",
+ "id": "pyup.io-50365",
+ "more_info_path": "/vulnerabilities/CVE-2022-23559/50365",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23564",
+ "id": "pyup.io-50370",
+ "more_info_path": "/vulnerabilities/CVE-2022-23564/50370",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23578",
+ "id": "pyup.io-50384",
+ "more_info_path": "/vulnerabilities/CVE-2022-23578/50384",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-23583",
+ "id": "pyup.io-50389",
+ "more_info_path": "/vulnerabilities/CVE-2022-23583/50389",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29196",
+ "id": "pyup.io-50413",
+ "more_info_path": "/vulnerabilities/CVE-2022-29196/50413",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29198",
+ "id": "pyup.io-50415",
+ "more_info_path": "/vulnerabilities/CVE-2022-29198/50415",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2020-10531",
+ "id": "pyup.io-50344",
+ "more_info_path": "/vulnerabilities/CVE-2020-10531/50344",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-27782",
+ "id": "pyup.io-50407",
+ "more_info_path": "/vulnerabilities/CVE-2022-27782/50407",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-29197",
+ "id": "pyup.io-50414",
+ "more_info_path": "/vulnerabilities/CVE-2022-29197/50414",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-21730",
@@ -27092,9 +27872,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21732",
- "id": "pyup.io-50352",
- "more_info_path": "/vulnerabilities/CVE-2022-21732/50352",
+ "cve": "CVE-2022-21733",
+ "id": "pyup.io-50353",
+ "more_info_path": "/vulnerabilities/CVE-2022-21733/50353",
"specs": [
"<1.5.0"
],
@@ -27102,9 +27882,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21733",
- "id": "pyup.io-50353",
- "more_info_path": "/vulnerabilities/CVE-2022-21733/50353",
+ "cve": "CVE-2022-21732",
+ "id": "pyup.io-50352",
+ "more_info_path": "/vulnerabilities/CVE-2022-21732/50352",
"specs": [
"<1.5.0"
],
@@ -27170,16 +27950,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23571",
- "id": "pyup.io-50377",
- "more_info_path": "/vulnerabilities/CVE-2022-23571/50377",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-23582",
@@ -27190,16 +27960,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23573",
- "id": "pyup.io-50379",
- "more_info_path": "/vulnerabilities/CVE-2022-23573/50379",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-23576",
@@ -27370,36 +28130,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21726",
- "id": "pyup.io-50346",
- "more_info_path": "/vulnerabilities/CVE-2022-21726/50346",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21728",
- "id": "pyup.io-50348",
- "more_info_path": "/vulnerabilities/CVE-2022-21728/50348",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23568",
- "id": "pyup.io-50374",
- "more_info_path": "/vulnerabilities/CVE-2022-23568/50374",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-27778",
@@ -27430,16 +28160,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-27774",
- "id": "pyup.io-50400",
- "more_info_path": "/vulnerabilities/CVE-2022-27774/50400",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-29200",
@@ -27460,46 +28180,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29212",
- "id": "pyup.io-50428",
- "more_info_path": "/vulnerabilities/CVE-2022-29212/50428",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29213",
- "id": "pyup.io-50429",
- "more_info_path": "/vulnerabilities/CVE-2022-29213/50429",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21738",
- "id": "pyup.io-50358",
- "more_info_path": "/vulnerabilities/CVE-2022-21738/50358",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29201",
- "id": "pyup.io-50418",
- "more_info_path": "/vulnerabilities/CVE-2022-29201/50418",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-29204",
@@ -27510,16 +28190,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21725",
- "id": "pyup.io-50345",
- "more_info_path": "/vulnerabilities/CVE-2022-21725/50345",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-29207",
@@ -27552,39 +28222,9 @@
},
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21729",
- "id": "pyup.io-50349",
- "more_info_path": "/vulnerabilities/CVE-2022-21729/50349",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21735",
- "id": "pyup.io-50355",
- "more_info_path": "/vulnerabilities/CVE-2022-21735/50355",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21736",
- "id": "pyup.io-50356",
- "more_info_path": "/vulnerabilities/CVE-2022-21736/50356",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21739",
- "id": "pyup.io-50359",
- "more_info_path": "/vulnerabilities/CVE-2022-21739/50359",
+ "cve": "CVE-2022-21725",
+ "id": "pyup.io-50345",
+ "more_info_path": "/vulnerabilities/CVE-2022-21725/50345",
"specs": [
"<1.5.0"
],
@@ -27610,76 +28250,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23559",
- "id": "pyup.io-50365",
- "more_info_path": "/vulnerabilities/CVE-2022-23559/50365",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23564",
- "id": "pyup.io-50370",
- "more_info_path": "/vulnerabilities/CVE-2022-23564/50370",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23578",
- "id": "pyup.io-50384",
- "more_info_path": "/vulnerabilities/CVE-2022-23578/50384",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23583",
- "id": "pyup.io-50389",
- "more_info_path": "/vulnerabilities/CVE-2022-23583/50389",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29196",
- "id": "pyup.io-50413",
- "more_info_path": "/vulnerabilities/CVE-2022-29196/50413",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29198",
- "id": "pyup.io-50415",
- "more_info_path": "/vulnerabilities/CVE-2022-29198/50415",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2020-10531",
- "id": "pyup.io-50344",
- "more_info_path": "/vulnerabilities/CVE-2020-10531/50344",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2018-25032",
@@ -27690,16 +28260,6 @@
],
"v": "<1.5.0"
},
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-27782",
- "id": "pyup.io-50407",
- "more_info_path": "/vulnerabilities/CVE-2022-27782/50407",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
{
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
"cve": "CVE-2022-27776",
@@ -27826,6 +28386,16 @@
],
"v": "<0.20.0rc1"
},
+ {
+ "advisory": "Dbt-core version 1.8.0b3 has upgraded sqlparse to versions between \">=0.5.0\" and \"<0.6.0\" to mitigate vulnerabilities identified in GHSA-2m57-hf25-phgg.",
+ "cve": "PVE-2024-67887",
+ "id": "pyup.io-68018",
+ "more_info_path": "/vulnerabilities/PVE-2024-67887/68018",
+ "specs": [
+ "<1.8.0b3"
+ ],
+ "v": "<1.8.0b3"
+ },
{
"advisory": "Affected versions of dbt-core are vulnerable to the clear text storage of sensitive information. The vulnerability arises when the software is used to pull source code from a private repository with a Personal Access Token (PAT), resulting in the PAT being written in plain text to the package-lock.yml file. This issue threatens the security of selected versions of dbt-core, specifically when interacting with private repositories.\r\nhttps://github.com/dbt-labs/dbt-core/commit/09f5bb3dcffeda7a60ad2b22c2891f237628ecd1",
"cve": "PVE-2024-99810",
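Review bot: The new dbt-core entry identifies the sqlparse issue only by its GHSA and records a PyUp-local id (`"cve": "PVE-2024-67887"`), so tooling that correlates findings by CVE will not link it to the underlying sqlparse advisory. GHSA-2m57-hf25-phgg is, as far as I know, the sqlparse nested-list RecursionError denial of service that also carries CVE-2024-4340; verify that mapping in the GHSA record and, if it holds, use the CVE in the `cve` field. The advisory text should also say what the issue is rather than just naming the GHSA, e.g. `"... to mitigate a denial-of-service (uncontrolled recursion) issue in sqlparse, GHSA-2m57-hf25-phgg."`. Note that `<1.8.0b3` also covers every 1.7.x stable release; if the sqlparse bump was backported to a 1.7 point release, the spec needs a second element for that series.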
@@ -27837,6 +28407,18 @@
"v": ">=1.7.0,<1.7.3"
}
],
+ "dbt-coverage": [
+ {
+ "advisory": "Dbt-coverage version 0.3.7 has updated its certifi dependency from version 2023.7.22 to 2024.2.2 to address the security vulnerability identified in CVE-2023-37920.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-68469",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/68469",
+ "specs": [
+ "<0.3.7"
+ ],
+ "v": "<0.3.7"
+ }
+ ],
"dbt-databricks": [
{
"advisory": "Dbt-databricks 1.5.6 updates its dependency 'databricks-sdk' to v0.9.0 to include a secure version of 'requests'.\r\nhttps://github.com/databricks/dbt-databricks/pull/460",
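Review bot: The dbt-coverage entry looks like a false positive: CVE-2023-37920 is the certifi e-Tugra root removal and certifi 2023.07.22 is the release that fixed it, yet the advisory text itself says the previous pin was `2023.7.22`. If that prior pin is accurate, no dbt-coverage release `<0.3.7` shipped a vulnerable certifi and the entry should be dropped, or at most recorded as a PVE dependency update without the CVE attribution. If the prior pin was in fact older than 2023.7.22, correct the advisory text instead, because as written it contradicts the CVE it cites.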
@@ -27881,6 +28463,18 @@
"v": "<1.5.2"
}
],
+ "dbt-redshift": [
+ {
+ "advisory": "Dbt-redshift version 1.8.0b3 has updated its sqlparse dependency to versions between \">=0.5.0\" and \"<0.6.0\". This change is made to address vulnerabilities specified in GHSA-2m57-hf25-phgg and is aligned with updates in dbt-core.",
+ "cve": "PVE-2024-68037",
+ "id": "pyup.io-68037",
+ "more_info_path": "/vulnerabilities/PVE-2024-68037/68037",
+ "specs": [
+ "<1.8.0b3"
+ ],
+ "v": "<1.8.0b3"
+ }
+ ],
"dbt-snowflake": [
{
"advisory": "Dbt-snowflake version 1.8.0b1 has upgraded its cryptography dependency to approximately version 41.0.7. This update addresses a security issue present in version 41.0.5, detailed in CVE-2023-5363.\r\nhttps://github.com/dbt-labs/dbt-snowflake/pull/852/commits/43ac4ddfcffe5e596b12892cafa419c0f178f987",
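Review bot: The dbt-redshift entry records the same sqlparse bump for the same GHSA-2m57-hf25-phgg as the dbt-core entry added earlier in this commit, but the two carry unrelated identifiers (`"cve": "PVE-2024-68037"` here versus `PVE-2024-67887` for dbt-core), so a consumer cannot tell they share one root cause, and a project installing both packages will see the finding twice. If the GHSA has a CVE assigned, using it in both entries makes them correlate; failing that, the advisory text here should at least name the issue type rather than only the GHSA, e.g. `"... to address a denial-of-service issue in sqlparse (GHSA-2m57-hf25-phgg), matching the dbt-core change."`. Please also confirm which dbt-redshift releases actually pin sqlparse directly rather than inheriting it from dbt-core, since the spec `<1.8.0b3` asserts an independent vulnerability.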
@@ -27891,6 +28485,16 @@
"<1.8.0b1"
],
"v": "<1.8.0b1"
+ },
+ {
+ "advisory": "Dbt-snowflake 1.8.0b2 updates its cryptography requirement to version 42.0.4 or newer, addressing security concerns highlighted by CVE-2024-26130.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-67468",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/67468",
+ "specs": [
+ "<1.8.0b2"
+ ],
+ "v": "<1.8.0b2"
}
],
"dbt-sqlserver": [
@@ -28050,9 +28654,9 @@
},
{
"advisory": "Dds-cli 2.2.2 updates its dependency 'cryptography to v38.0.3 to include security fixes.",
- "cve": "CVE-2022-3786",
- "id": "pyup.io-61432",
- "more_info_path": "/vulnerabilities/CVE-2022-3786/61432",
+ "cve": "CVE-2022-3602",
+ "id": "pyup.io-61417",
+ "more_info_path": "/vulnerabilities/CVE-2022-3602/61417",
"specs": [
"<2.2.2"
],
@@ -28060,9 +28664,9 @@
},
{
"advisory": "Dds-cli 2.2.2 updates its dependency 'cryptography to v38.0.3 to include security fixes.",
- "cve": "CVE-2022-3602",
- "id": "pyup.io-61417",
- "more_info_path": "/vulnerabilities/CVE-2022-3602/61417",
+ "cve": "CVE-2022-3786",
+ "id": "pyup.io-61432",
+ "more_info_path": "/vulnerabilities/CVE-2022-3786/61432",
"specs": [
"<2.2.2"
],
@@ -28314,22 +28918,12 @@
"id": "pyup.io-55209",
"more_info_path": "/vulnerabilities/PVE-2023-55209/55209",
"specs": [
- "==1.8.5"
+ "<=1.8.5"
],
- "v": "==1.8.5"
+ "v": "<=1.8.5"
}
],
"deepcell": [
- {
- "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.",
- "cve": "CVE-2020-8284",
- "id": "pyup.io-48729",
- "more_info_path": "/vulnerabilities/CVE-2020-8284/48729",
- "specs": [
- "<0.10.0rc1"
- ],
- "v": "<0.10.0rc1"
- },
{
"advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.",
"cve": "CVE-2021-37684",
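Review bot: Changing the PVE-2023-55209 spec from `"==1.8.5"` to `"<=1.8.5"` widens the affected set from a single release to every release up to 1.8.5 with no change to the advisory text, and nothing in the hunk shows why earlier versions became affected. A `==` pin normally records that the defect was introduced in that exact release, so this widening will start flagging users on 1.8.4 and older who may not be vulnerable. The package key and advisory text for this entry sit above the hunk and are not visible here; confirm the introducing version against the upstream source before widening, and state the reason in the advisory text. The deepcell part of this hunk is only a reorder.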
@@ -30050,6 +30644,16 @@
],
"v": "<0.10.0rc1"
},
+ {
+ "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.",
+ "cve": "CVE-2020-8284",
+ "id": "pyup.io-48729",
+ "more_info_path": "/vulnerabilities/CVE-2020-8284/48729",
+ "specs": [
+ "<0.10.0rc1"
+ ],
+ "v": "<0.10.0rc1"
+ },
{
"advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.",
"cve": "CVE-2021-22876",
@@ -31585,14 +32189,14 @@
],
"deepdataspace": [
{
- "advisory": "Deepdataspace 0.5.0 updates its dependency 'django' to version '4.1.10' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/d1bedf2d3657bfd3ecf1bc42b6bcd6d94047a59d",
- "cve": "CVE-2023-36053",
- "id": "pyup.io-60633",
- "more_info_path": "/vulnerabilities/CVE-2023-36053/60633",
+ "advisory": "Deepdataspace version 0.11.0 upgrades its cryptography library from version 42.0.2 to 42.0.5 to address the security issue detailed in CVE-2024-26130.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-67007",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/67007",
"specs": [
- "<0.5.0"
+ "<0.11.0"
],
- "v": "<0.5.0"
+ "v": "<0.11.0"
},
{
"advisory": "Deepdataspace 0.5.0 updates its dependency 'cryptography' to version '41.0.2' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/4ddc986c8d12be1f2d805bc1085b336c40f4a5c1",
@@ -31604,6 +32208,16 @@
],
"v": "<0.5.0"
},
+ {
+ "advisory": "Deepdataspace 0.5.0 updates its dependency 'django' to version '4.1.10' to include a fix for a ReDoS vulnerability.",
+ "cve": "CVE-2023-36053",
+ "id": "pyup.io-60633",
+ "more_info_path": "/vulnerabilities/CVE-2023-36053/60633",
+ "specs": [
+ "<0.5.0"
+ ],
+ "v": "<0.5.0"
+ },
{
"advisory": "Deepdataspace 0.5.0 updates its dependency 'cryptography' to version '41.0.2' to include a fix for an Improper Certificate Validation vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/4ddc986c8d12be1f2d805bc1085b336c40f4a5c1",
"cve": "CVE-2023-38325",
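Review bot: The re-added CVE-2023-36053 entry drops the provenance link that the removed copy carried (see the previous hunk), so the only evidence that 0.5.0 is the fixing release is lost, while the sibling 0.5.0 cryptography entries in the same list keep their commit URLs. Restore the suffix on the advisory string: `"... to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/d1bedf2d3657bfd3ecf1bc42b6bcd6d94047a59d"`. Silently dropping references during what is otherwise a pure reorder also makes the regenerated file hard to audit.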
@@ -31916,6 +32530,16 @@
}
],
"deluge": [
+ {
+ "advisory": "CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.",
+ "cve": "CVE-2017-7178",
+ "id": "pyup.io-67432",
+ "more_info_path": "/vulnerabilities/CVE-2017-7178/67432",
+ "specs": [
+ "<1.3.14"
+ ],
+ "v": "<1.3.14"
+ },
{
"advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.",
"cve": "PVE-2021-37155",
@@ -31926,6 +32550,16 @@
],
"v": "<2.0.0"
},
+ {
+ "advisory": "The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file.",
+ "cve": "CVE-2017-9031",
+ "id": "pyup.io-67433",
+ "more_info_path": "/vulnerabilities/CVE-2017-9031/67433",
+ "specs": [
+ "<=1.3.14"
+ ],
+ "v": "<=1.3.14"
+ },
{
"advisory": "The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary Javascript code in the context of the user's browser session.",
"cve": "CVE-2021-3427",
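Review bot: The new CVE-2017-9031 entry encodes "before 1.3.15" as `"<=1.3.14"`, which is narrower than the text under PEP 440 ordering (a post-release or point release between 1.3.14 and 1.3.15 would not match) and is inconsistent with the sibling CVE-2017-7178 entry in the previous hunk, which renders "before 1.3.14" directly as `"<1.3.14"`. Use the same form here: `"<1.3.15"` in both `specs` and `v`. Neither new deluge entry cites a fix commit or upstream advisory URL, unlike most entries on this page; adding one would let a reader verify the fixed version.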
@@ -31949,6 +32583,18 @@
"v": "<0.4.2"
}
],
+ "denyhosts": [
+ {
+ "advisory": "denyhosts 2.6 uses an incorrect regular expression when analyzing authentication logs, which allows remote attackers to cause a denial of service (incorrect block of IP addresses) via crafted login names.",
+ "cve": "CVE-2013-6890",
+ "id": "pyup.io-67959",
+ "more_info_path": "/vulnerabilities/CVE-2013-6890/67959",
+ "specs": [
+ "<2.7"
+ ],
+ "v": "<2.7"
+ }
+ ],
"dequests": [
{
"advisory": "Dequests is a malicious package, typosquatting the popular Python 'requests' library. It embeds source code that retrieves a Golang-based ransomware binary from a remote server.\r\nhttps://thehackernews.com/2022/12/malware-strains-targeting-python-and.html",
@@ -32025,6 +32671,28 @@
"v": "<0.3.0"
}
],
+ "designate": [
+ {
+ "advisory": "Designate does not enforce the DNS protocol limit concerning record set sizes",
+ "cve": "CVE-2015-5694",
+ "id": "pyup.io-70474",
+ "more_info_path": "/vulnerabilities/CVE-2015-5694/70474",
+ "specs": [
+ "<1.0.0"
+ ],
+ "v": "<1.0.0"
+ },
+ {
+ "advisory": "Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set.",
+ "cve": "CVE-2015-5695",
+ "id": "pyup.io-70475",
+ "more_info_path": "/vulnerabilities/CVE-2015-5695/70475",
+ "specs": [
+ "<=1.0.0.0b1"
+ ],
+ "v": "<=1.0.0.0b1"
+ }
+ ],
"destringcare": [
{
"advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.",
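Review bot: Both new designate specs miss the Kilo releases that the second advisory text itself names as affected: OpenStack Kilo designate was versioned 2015.1.x, and under PEP 440 ordering (which the safety matcher follows, as far as I know) `2015.1.0` sorts above both `1.0.0` and `1.0.0.0b1`, so `"<1.0.0"` and `"<=1.0.0.0b1"` match neither 2015.1.0 nor any later 2015.1 point release. The `specs` array takes several elements; add one covering the 2015.1 series once the last affected Kilo point release is confirmed against the upstream OSSA, and mirror it in `v` following this file's convention for multi-element specs. The first advisory, `"Designate does not enforce the DNS protocol limit concerning record set sizes"`, states neither the impact nor the fixing release; add the consequence the upstream advisory describes and the version that fixes it.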
@@ -32100,9 +32768,9 @@
},
{
"advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914",
- "cve": "CVE-2019-17543",
- "id": "pyup.io-45577",
- "more_info_path": "/vulnerabilities/CVE-2019-17543/45577",
+ "cve": "CVE-2018-12886",
+ "id": "pyup.io-42148",
+ "more_info_path": "/vulnerabilities/CVE-2018-12886/42148",
"specs": [
"<0.17.0rc0"
],
@@ -32110,9 +32778,9 @@
},
{
"advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914",
- "cve": "CVE-2018-12886",
- "id": "pyup.io-42148",
- "more_info_path": "/vulnerabilities/CVE-2018-12886/42148",
+ "cve": "CVE-2019-17543",
+ "id": "pyup.io-45577",
+ "more_info_path": "/vulnerabilities/CVE-2019-17543/45577",
"specs": [
"<0.17.0rc0"
],
@@ -32120,9 +32788,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41218",
- "id": "pyup.io-43331",
- "more_info_path": "/vulnerabilities/CVE-2021-41218/43331",
+ "cve": "CVE-2021-41203",
+ "id": "pyup.io-43316",
+ "more_info_path": "/vulnerabilities/CVE-2021-41203/43316",
"specs": [
"<0.17.4rc0"
],
@@ -32130,9 +32798,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41200",
- "id": "pyup.io-43317",
- "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
+ "cve": "CVE-2021-41207",
+ "id": "pyup.io-43339",
+ "more_info_path": "/vulnerabilities/CVE-2021-41207/43339",
"specs": [
"<0.17.4rc0"
],
@@ -32140,9 +32808,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41204",
- "id": "pyup.io-43327",
- "more_info_path": "/vulnerabilities/CVE-2021-41204/43327",
+ "cve": "CVE-2021-41226",
+ "id": "pyup.io-43322",
+ "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
"specs": [
"<0.17.4rc0"
],
@@ -32150,9 +32818,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41227",
- "id": "pyup.io-43323",
- "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-43333",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
"specs": [
"<0.17.4rc0"
],
@@ -32160,9 +32828,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41198",
- "id": "pyup.io-43344",
- "more_info_path": "/vulnerabilities/CVE-2021-41198/43344",
+ "cve": "CVE-2021-41212",
+ "id": "pyup.io-43337",
+ "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
"specs": [
"<0.17.4rc0"
],
@@ -32170,9 +32838,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41209",
- "id": "pyup.io-43325",
- "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
+ "cve": "CVE-2021-41217",
+ "id": "pyup.io-43318",
+ "more_info_path": "/vulnerabilities/CVE-2021-41217/43318",
"specs": [
"<0.17.4rc0"
],
@@ -32180,9 +32848,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41213",
- "id": "pyup.io-43326",
- "more_info_path": "/vulnerabilities/CVE-2021-41213/43326",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-43340",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
"specs": [
"<0.17.4rc0"
],
@@ -32190,9 +32858,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41216",
- "id": "pyup.io-43332",
- "more_info_path": "/vulnerabilities/CVE-2021-41216/43332",
+ "cve": "CVE-2021-41221",
+ "id": "pyup.io-43324",
+ "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
"specs": [
"<0.17.4rc0"
],
@@ -32200,9 +32868,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41226",
- "id": "pyup.io-43322",
- "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
+ "cve": "CVE-2021-41200",
+ "id": "pyup.io-43317",
+ "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
"specs": [
"<0.17.4rc0"
],
@@ -32210,9 +32878,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41197",
- "id": "pyup.io-43342",
- "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
+ "cve": "CVE-2021-41199",
+ "id": "pyup.io-42944",
+ "more_info_path": "/vulnerabilities/CVE-2021-41199/42944",
"specs": [
"<0.17.4rc0"
],
@@ -32220,9 +32888,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41221",
- "id": "pyup.io-43324",
- "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
+ "cve": "CVE-2021-41206",
+ "id": "pyup.io-43335",
+ "more_info_path": "/vulnerabilities/CVE-2021-41206/43335",
"specs": [
"<0.17.4rc0"
],
@@ -32230,9 +32898,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41208",
- "id": "pyup.io-43334",
- "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
+ "cve": "CVE-2021-41228",
+ "id": "pyup.io-43328",
+ "more_info_path": "/vulnerabilities/CVE-2021-41228/43328",
"specs": [
"<0.17.4rc0"
],
@@ -32240,9 +32908,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41195",
- "id": "pyup.io-43343",
- "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
+ "cve": "CVE-2021-41198",
+ "id": "pyup.io-43344",
+ "more_info_path": "/vulnerabilities/CVE-2021-41198/43344",
"specs": [
"<0.17.4rc0"
],
@@ -32250,9 +32918,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41214",
- "id": "pyup.io-43319",
- "more_info_path": "/vulnerabilities/CVE-2021-41214/43319",
+ "cve": "CVE-2021-41210",
+ "id": "pyup.io-43338",
+ "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
"specs": [
"<0.17.4rc0"
],
@@ -32260,9 +32928,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41224",
- "id": "pyup.io-43330",
- "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
+ "cve": "CVE-2021-41218",
+ "id": "pyup.io-43331",
+ "more_info_path": "/vulnerabilities/CVE-2021-41218/43331",
"specs": [
"<0.17.4rc0"
],
@@ -32270,9 +32938,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41215",
- "id": "pyup.io-43333",
- "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
+ "cve": "CVE-2021-41214",
+ "id": "pyup.io-43319",
+ "more_info_path": "/vulnerabilities/CVE-2021-41214/43319",
"specs": [
"<0.17.4rc0"
],
@@ -32280,9 +32948,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41203",
- "id": "pyup.io-43316",
- "more_info_path": "/vulnerabilities/CVE-2021-41203/43316",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-43343",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
"specs": [
"<0.17.4rc0"
],
@@ -32290,9 +32958,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41207",
- "id": "pyup.io-43339",
- "more_info_path": "/vulnerabilities/CVE-2021-41207/43339",
+ "cve": "CVE-2021-41196",
+ "id": "pyup.io-43315",
+ "more_info_path": "/vulnerabilities/CVE-2021-41196/43315",
"specs": [
"<0.17.4rc0"
],
@@ -32300,9 +32968,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41225",
- "id": "pyup.io-43321",
- "more_info_path": "/vulnerabilities/CVE-2021-41225/43321",
+ "cve": "CVE-2021-41209",
+ "id": "pyup.io-43325",
+ "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
"specs": [
"<0.17.4rc0"
],
@@ -32310,9 +32978,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41219",
- "id": "pyup.io-43320",
- "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
+ "cve": "CVE-2021-41216",
+ "id": "pyup.io-43332",
+ "more_info_path": "/vulnerabilities/CVE-2021-41216/43332",
"specs": [
"<0.17.4rc0"
],
@@ -32320,9 +32988,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41202",
- "id": "pyup.io-43340",
- "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
+ "cve": "CVE-2021-41208",
+ "id": "pyup.io-43334",
+ "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
"specs": [
"<0.17.4rc0"
],
@@ -32330,9 +32998,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41212",
- "id": "pyup.io-43337",
- "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
+ "cve": "CVE-2021-41225",
+ "id": "pyup.io-43321",
+ "more_info_path": "/vulnerabilities/CVE-2021-41225/43321",
"specs": [
"<0.17.4rc0"
],
@@ -32340,9 +33008,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41199",
- "id": "pyup.io-42944",
- "more_info_path": "/vulnerabilities/CVE-2021-41199/42944",
+ "cve": "CVE-2021-41204",
+ "id": "pyup.io-43327",
+ "more_info_path": "/vulnerabilities/CVE-2021-41204/43327",
"specs": [
"<0.17.4rc0"
],
@@ -32350,9 +33018,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41206",
- "id": "pyup.io-43335",
- "more_info_path": "/vulnerabilities/CVE-2021-41206/43335",
+ "cve": "CVE-2021-41219",
+ "id": "pyup.io-43320",
+ "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
"specs": [
"<0.17.4rc0"
],
@@ -32360,9 +33028,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41196",
- "id": "pyup.io-43315",
- "more_info_path": "/vulnerabilities/CVE-2021-41196/43315",
+ "cve": "CVE-2021-41224",
+ "id": "pyup.io-43330",
+ "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
"specs": [
"<0.17.4rc0"
],
@@ -32370,9 +33038,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41210",
- "id": "pyup.io-43338",
- "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
+ "cve": "CVE-2021-41201",
+ "id": "pyup.io-43341",
+ "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
"specs": [
"<0.17.4rc0"
],
@@ -32380,9 +33048,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41228",
- "id": "pyup.io-43328",
- "more_info_path": "/vulnerabilities/CVE-2021-41228/43328",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-43336",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/43336",
"specs": [
"<0.17.4rc0"
],
@@ -32390,9 +33058,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41201",
- "id": "pyup.io-43341",
- "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
+ "cve": "CVE-2021-41222",
+ "id": "pyup.io-43329",
+ "more_info_path": "/vulnerabilities/CVE-2021-41222/43329",
"specs": [
"<0.17.4rc0"
],
@@ -32400,9 +33068,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41217",
- "id": "pyup.io-43318",
- "more_info_path": "/vulnerabilities/CVE-2021-41217/43318",
+ "cve": "CVE-2021-41227",
+ "id": "pyup.io-43323",
+ "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
"specs": [
"<0.17.4rc0"
],
@@ -32410,9 +33078,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41222",
- "id": "pyup.io-43329",
- "more_info_path": "/vulnerabilities/CVE-2021-41222/43329",
+ "cve": "CVE-2021-41213",
+ "id": "pyup.io-43326",
+ "more_info_path": "/vulnerabilities/CVE-2021-41213/43326",
"specs": [
"<0.17.4rc0"
],
@@ -32420,9 +33088,9 @@
},
{
"advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41205",
- "id": "pyup.io-43336",
- "more_info_path": "/vulnerabilities/CVE-2021-41205/43336",
+ "cve": "CVE-2021-41197",
+ "id": "pyup.io-43342",
+ "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
"specs": [
"<0.17.4rc0"
],
@@ -32448,6 +33116,16 @@
],
"v": "<0.17.6"
},
+ {
+ "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
+ "cve": "CVE-2019-9512",
+ "id": "pyup.io-54969",
+ "more_info_path": "/vulnerabilities/CVE-2019-9512/54969",
+ "specs": [
+ "<0.17.6"
+ ],
+ "v": "<0.17.6"
+ },
{
"advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
"cve": "CVE-2019-19844",
@@ -32480,29 +33158,29 @@
},
{
"advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2019-9512",
- "id": "pyup.io-54969",
- "more_info_path": "/vulnerabilities/CVE-2019-9512/54969",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-44642",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
"specs": [
"<0.17.6"
],
"v": "<0.17.6"
},
{
- "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-44642",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
+ "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
+ "cve": "CVE-2022-27778",
+ "id": "pyup.io-49534",
+ "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
"specs": [
- "<0.17.6"
+ "<0.18.2"
],
- "v": "<0.17.6"
+ "v": "<0.18.2"
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27775",
- "id": "pyup.io-49531",
- "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
+ "cve": "CVE-2022-29211",
+ "id": "pyup.io-49557",
+ "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
"specs": [
"<0.18.2"
],
@@ -32510,9 +33188,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29209",
- "id": "pyup.io-49556",
- "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
+ "cve": "CVE-2018-25032",
+ "id": "pyup.io-49422",
+ "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
"specs": [
"<0.18.2"
],
@@ -32520,9 +33198,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29205",
- "id": "pyup.io-49552",
- "more_info_path": "/vulnerabilities/CVE-2022-29205/49552",
+ "cve": "CVE-2022-29208",
+ "id": "pyup.io-49555",
+ "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
"specs": [
"<0.18.2"
],
@@ -32530,9 +33208,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27781",
- "id": "pyup.io-49537",
- "more_info_path": "/vulnerabilities/CVE-2022-27781/49537",
+ "cve": "CVE-2022-29213",
+ "id": "pyup.io-49559",
+ "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
"specs": [
"<0.18.2"
],
@@ -32540,9 +33218,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27776",
- "id": "pyup.io-49532",
- "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
+ "cve": "CVE-2022-27775",
+ "id": "pyup.io-49531",
+ "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
"specs": [
"<0.18.2"
],
@@ -32550,9 +33228,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-22576",
- "id": "pyup.io-49529",
- "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
+ "cve": "CVE-2022-29200",
+ "id": "pyup.io-49547",
+ "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
"specs": [
"<0.18.2"
],
@@ -32560,9 +33238,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27779",
- "id": "pyup.io-49535",
- "more_info_path": "/vulnerabilities/CVE-2022-27779/49535",
+ "cve": "CVE-2022-29207",
+ "id": "pyup.io-49554",
+ "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
"specs": [
"<0.18.2"
],
@@ -32570,9 +33248,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29202",
- "id": "pyup.io-49549",
- "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
+ "cve": "CVE-2022-30115",
+ "id": "pyup.io-49561",
+ "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
"specs": [
"<0.18.2"
],
@@ -32580,9 +33258,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29207",
- "id": "pyup.io-49554",
- "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
+ "cve": "CVE-2022-22576",
+ "id": "pyup.io-49529",
+ "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
"specs": [
"<0.18.2"
],
@@ -32590,9 +33268,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29198",
- "id": "pyup.io-49545",
- "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
+ "cve": "CVE-2022-29199",
+ "id": "pyup.io-49546",
+ "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
"specs": [
"<0.18.2"
],
@@ -32600,9 +33278,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-30115",
- "id": "pyup.io-49561",
- "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
+ "cve": "CVE-2022-29212",
+ "id": "pyup.io-49558",
+ "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
"specs": [
"<0.18.2"
],
@@ -32610,9 +33288,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27780",
- "id": "pyup.io-49536",
- "more_info_path": "/vulnerabilities/CVE-2022-27780/49536",
+ "cve": "CVE-2022-29209",
+ "id": "pyup.io-49556",
+ "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
"specs": [
"<0.18.2"
],
@@ -32620,9 +33298,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27778",
- "id": "pyup.io-49534",
- "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
+ "cve": "CVE-2022-29193",
+ "id": "pyup.io-49540",
+ "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
"specs": [
"<0.18.2"
],
@@ -32630,9 +33308,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27774",
- "id": "pyup.io-49530",
- "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
+ "cve": "CVE-2022-27780",
+ "id": "pyup.io-49536",
+ "more_info_path": "/vulnerabilities/CVE-2022-27780/49536",
"specs": [
"<0.18.2"
],
@@ -32640,9 +33318,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29206",
- "id": "pyup.io-49553",
- "more_info_path": "/vulnerabilities/CVE-2022-29206/49553",
+ "cve": "CVE-2022-29204",
+ "id": "pyup.io-49551",
+ "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
"specs": [
"<0.18.2"
],
@@ -32650,9 +33328,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29193",
- "id": "pyup.io-49540",
- "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
+ "cve": "CVE-2022-29195",
+ "id": "pyup.io-49542",
+ "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
"specs": [
"<0.18.2"
],
@@ -32660,9 +33338,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29197",
- "id": "pyup.io-49544",
- "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
+ "cve": "CVE-2022-29205",
+ "id": "pyup.io-49552",
+ "more_info_path": "/vulnerabilities/CVE-2022-29205/49552",
"specs": [
"<0.18.2"
],
@@ -32680,9 +33358,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2018-25032",
- "id": "pyup.io-49422",
- "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
+ "cve": "CVE-2022-27781",
+ "id": "pyup.io-49537",
+ "more_info_path": "/vulnerabilities/CVE-2022-27781/49537",
"specs": [
"<0.18.2"
],
@@ -32690,9 +33368,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29208",
- "id": "pyup.io-49555",
- "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
+ "cve": "CVE-2022-27776",
+ "id": "pyup.io-49532",
+ "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
"specs": [
"<0.18.2"
],
@@ -32700,9 +33378,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29200",
- "id": "pyup.io-49547",
- "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
+ "cve": "CVE-2022-29206",
+ "id": "pyup.io-49553",
+ "more_info_path": "/vulnerabilities/CVE-2022-29206/49553",
"specs": [
"<0.18.2"
],
@@ -32710,9 +33388,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29203",
- "id": "pyup.io-49550",
- "more_info_path": "/vulnerabilities/CVE-2022-29203/49550",
+ "cve": "CVE-2022-27774",
+ "id": "pyup.io-49530",
+ "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
"specs": [
"<0.18.2"
],
@@ -32720,9 +33398,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29212",
- "id": "pyup.io-49558",
- "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
+ "cve": "CVE-2022-29202",
+ "id": "pyup.io-49549",
+ "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
"specs": [
"<0.18.2"
],
@@ -32730,9 +33408,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29201",
- "id": "pyup.io-49548",
- "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
+ "cve": "CVE-2022-29191",
+ "id": "pyup.io-49538",
+ "more_info_path": "/vulnerabilities/CVE-2022-29191/49538",
"specs": [
"<0.18.2"
],
@@ -32740,9 +33418,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29191",
- "id": "pyup.io-49538",
- "more_info_path": "/vulnerabilities/CVE-2022-29191/49538",
+ "cve": "CVE-2022-29201",
+ "id": "pyup.io-49548",
+ "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
"specs": [
"<0.18.2"
],
@@ -32750,9 +33428,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29199",
- "id": "pyup.io-49546",
- "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
+ "cve": "CVE-2022-27779",
+ "id": "pyup.io-49535",
+ "more_info_path": "/vulnerabilities/CVE-2022-27779/49535",
"specs": [
"<0.18.2"
],
@@ -32760,9 +33438,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29211",
- "id": "pyup.io-49557",
- "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
+ "cve": "CVE-2022-27777",
+ "id": "pyup.io-49533",
+ "more_info_path": "/vulnerabilities/CVE-2022-27777/49533",
"specs": [
"<0.18.2"
],
@@ -32770,9 +33448,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29213",
- "id": "pyup.io-49559",
- "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
+ "cve": "CVE-2022-29198",
+ "id": "pyup.io-49545",
+ "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
"specs": [
"<0.18.2"
],
@@ -32790,9 +33468,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29204",
- "id": "pyup.io-49551",
- "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
+ "cve": "CVE-2022-29196",
+ "id": "pyup.io-49543",
+ "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
"specs": [
"<0.18.2"
],
@@ -32800,9 +33478,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27777",
- "id": "pyup.io-49533",
- "more_info_path": "/vulnerabilities/CVE-2022-27777/49533",
+ "cve": "CVE-2022-29197",
+ "id": "pyup.io-49544",
+ "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
"specs": [
"<0.18.2"
],
@@ -32810,9 +33488,9 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29196",
- "id": "pyup.io-49543",
- "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
+ "cve": "CVE-2022-29194",
+ "id": "pyup.io-49541",
+ "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
"specs": [
"<0.18.2"
],
@@ -32820,39 +33498,39 @@
},
{
"advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29195",
- "id": "pyup.io-49542",
- "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
+ "cve": "CVE-2022-29203",
+ "id": "pyup.io-49550",
+ "more_info_path": "/vulnerabilities/CVE-2022-29203/49550",
"specs": [
"<0.18.2"
],
"v": "<0.18.2"
},
{
- "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29194",
- "id": "pyup.io-49541",
- "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0512",
+ "id": "pyup.io-50982",
+ "more_info_path": "/vulnerabilities/CVE-2022-0512/50982",
"specs": [
- "<0.18.2"
+ "<0.19.3"
],
- "v": "<0.18.2"
+ "v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
- "cve": "CVE-2021-33623",
- "id": "pyup.io-50978",
- "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0686",
+ "id": "pyup.io-50980",
+ "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
"specs": [
"<0.19.3"
],
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-50971",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'terser' to v4.8.1 to include a security fix.",
+ "cve": "CVE-2022-25858",
+ "id": "pyup.io-50977",
+ "more_info_path": "/vulnerabilities/CVE-2022-25858/50977",
"specs": [
"<0.19.3"
],
@@ -32869,50 +33547,50 @@
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
- "cve": "CVE-2022-0155",
- "id": "pyup.io-50975",
- "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
+ "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
+ "cve": "CVE-2021-33623",
+ "id": "pyup.io-50978",
+ "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
"specs": [
"<0.19.3"
],
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'terser' to v4.8.1 to include a security fix.",
- "cve": "CVE-2022-25858",
- "id": "pyup.io-50977",
- "more_info_path": "/vulnerabilities/CVE-2022-25858/50977",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
+ "cve": "CVE-2022-0155",
+ "id": "pyup.io-50975",
+ "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
"specs": [
"<0.19.3"
],
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0639",
- "id": "pyup.io-50979",
- "more_info_path": "/vulnerabilities/CVE-2022-0639/50979",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
+ "cve": "CVE-2022-1650",
+ "id": "pyup.io-50973",
+ "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
"specs": [
"<0.19.3"
],
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0686",
- "id": "pyup.io-50980",
- "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-50971",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
"specs": [
"<0.19.3"
],
"v": "<0.19.3"
},
{
- "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
- "cve": "CVE-2022-1650",
- "id": "pyup.io-50973",
- "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0639",
+ "id": "pyup.io-50979",
+ "more_info_path": "/vulnerabilities/CVE-2022-0639/50979",
"specs": [
"<0.19.3"
],
@@ -32928,16 +33606,6 @@
],
"v": "<0.19.3"
},
- {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0691",
- "id": "pyup.io-50981",
- "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
- "specs": [
- "<0.19.3"
- ],
- "v": "<0.19.3"
- },
{
"advisory": "Determined 0.19.3 updates its NPM dependency 'moment' to v2.29.4 to include a security fix.",
"cve": "CVE-2022-31129",
@@ -32950,9 +33618,9 @@
},
{
"advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0512",
- "id": "pyup.io-50982",
- "more_info_path": "/vulnerabilities/CVE-2022-0512/50982",
+ "cve": "CVE-2022-0691",
+ "id": "pyup.io-50981",
+ "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
"specs": [
"<0.19.3"
],
@@ -33098,6 +33766,18 @@
"v": "<1.4.0"
}
],
+ "digger": [
+ {
+ "advisory": "National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.",
+ "cve": "CVE-2021-44556",
+ "id": "pyup.io-70579",
+ "more_info_path": "/vulnerabilities/CVE-2021-44556/70579",
+ "specs": [
+ "<6697d1269d981e35e11f240725b16401b5ce3db5"
+ ],
+ "v": "<6697d1269d981e35e11f240725b16401b5ce3db5"
+ }
+ ],
"digitalmarketplace-utils": [
{
"advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.\r\nhttps://github.com/Crown-Commercial-Service/digitalmarketplace-utils/pull/286",
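Review bot: The `specs` and `v` values of the new `digger` record use a git commit hash as the version bound, `"<6697d1269d981e35e11f240725b16401b5ce3db5"`, which is not a PEP 440 version; a consumer that parses `specs` with `packaging.SpecifierSet` will reject the entry, and `<` has no defined ordering against a hash even if parsing succeeded, so the advisory is likely to be silently unenforceable. Every other record in this file uses version bounds such as `"<0.19.3"`, so this is also a shape inconsistency in the data. If digger does not publish PEP 440 releases (not verifiable from the diff), the record should either carry a bound the comparison logic can evaluate, e.g. a catch-all `">=0"` (constructed example), or the loader should document that hash-based specs are expected and how it handles them. The `cve`, `id` and `more_info_path` fields are consistent with the rest of the file.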
@@ -33810,17 +34490,6 @@
],
"v": "<1.2.2"
},
- {
- "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
- "cve": "CVE-2011-4136",
- "id": "pyup.io-33063",
- "more_info_path": "/vulnerabilities/CVE-2011-4136/33063",
- "specs": [
- "<1.2.7",
- ">=1.3a1,<1.3.1"
- ],
- "v": "<1.2.7,>=1.3a1,<1.3.1"
- },
{
"advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.",
"cve": "CVE-2011-4140",
@@ -33865,6 +34534,17 @@
],
"v": "<1.2.7,>=1.3a1,<1.3.1"
},
+ {
+ "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
+ "cve": "CVE-2011-4136",
+ "id": "pyup.io-33063",
+ "more_info_path": "/vulnerabilities/CVE-2011-4136/33063",
+ "specs": [
+ "<1.2.7",
+ ">=1.3a1,<1.3.1"
+ ],
+ "v": "<1.2.7,>=1.3a1,<1.3.1"
+ },
{
"advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.",
"cve": "CVE-2012-3442",
@@ -33962,10 +34642,10 @@
"v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
},
{
- "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.",
- "cve": "CVE-2014-0481",
- "id": "pyup.io-35514",
- "more_info_path": "/vulnerabilities/CVE-2014-0481/35514",
+ "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.",
+ "cve": "CVE-2014-0483",
+ "id": "pyup.io-35516",
+ "more_info_path": "/vulnerabilities/CVE-2014-0483/35516",
"specs": [
"<1.4.14",
">=1.5a1,<1.5.9",
@@ -33975,10 +34655,10 @@
"v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
},
{
- "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.",
- "cve": "CVE-2014-0483",
- "id": "pyup.io-35516",
- "more_info_path": "/vulnerabilities/CVE-2014-0483/35516",
+ "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.",
+ "cve": "CVE-2014-0482",
+ "id": "pyup.io-35515",
+ "more_info_path": "/vulnerabilities/CVE-2014-0482/35515",
"specs": [
"<1.4.14",
">=1.5a1,<1.5.9",
@@ -33988,10 +34668,10 @@
"v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
},
{
- "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.",
- "cve": "CVE-2014-0482",
- "id": "pyup.io-35515",
- "more_info_path": "/vulnerabilities/CVE-2014-0482/35515",
+ "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.",
+ "cve": "CVE-2014-0481",
+ "id": "pyup.io-35514",
+ "more_info_path": "/vulnerabilities/CVE-2014-0481/35514",
"specs": [
"<1.4.14",
">=1.5a1,<1.5.9",
@@ -34249,10 +34929,10 @@
"v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1"
},
{
- "advisory": "Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads.\r\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases",
- "cve": "CVE-2022-23833",
- "id": "pyup.io-44741",
- "more_info_path": "/vulnerabilities/CVE-2022-23833/44741",
+ "advisory": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
+ "cve": "CVE-2022-22818",
+ "id": "pyup.io-44742",
+ "more_info_path": "/vulnerabilities/CVE-2022-22818/44742",
"specs": [
"<2.2.27",
">=3.0a1,<3.2.12",
@@ -34261,10 +34941,10 @@
"v": "<2.2.27,>=3.0a1,<3.2.12,>=4.0a1,<4.0.2"
},
{
- "advisory": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
- "cve": "CVE-2022-22818",
- "id": "pyup.io-44742",
- "more_info_path": "/vulnerabilities/CVE-2022-22818/44742",
+ "advisory": "Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads.\r\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases",
+ "cve": "CVE-2022-23833",
+ "id": "pyup.io-44741",
+ "more_info_path": "/vulnerabilities/CVE-2022-23833/44741",
"specs": [
"<2.2.27",
">=3.0a1,<3.2.12",
@@ -34367,7 +35047,7 @@
"v": "<3.2.19,>=4.0a1,<4.1.9,>=4.2a1,<4.2.1"
},
{
- "advisory": "Django 3.2.21, 4.1.11 and 4.2.5 include a fix for CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri().\r\nhttps://www.djangoproject.com/weblog/2023/sep/04/security-releases",
+ "advisory": "Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri().",
"cve": "CVE-2023-41164",
"id": "pyup.io-60956",
"more_info_path": "/vulnerabilities/CVE-2023-41164/60956",
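Review bot: The rewritten `advisory` string on the added line loses the upstream reference URL and the fixing releases (3.2.21, 4.1.11, 4.2.5) that the removed line carried, so a reader of this entry can no longer confirm the claim against djangoproject.com without leaving the database. The fixed releases are still implied by the entry's `v` range, but the reference is gone entirely; keep it by ending the string with `\r\nhttps://www.djangoproject.com/weblog/2023/sep/04/security-releases`. The `specs`/`v` fields of this entry are not touched here, so version matching is unaffected.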
@@ -34379,7 +35059,7 @@
"v": "<3.2.21,>=4.0a1,<4.1.11,>=4.2a1,<4.2.5"
},
{
- "advisory": "Django 4.2.6, 4.1.12 and 3.2.22 include a fix for CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.\r\nhttps://www.djangoproject.com/weblog/2023/oct/04/security-releases",
+ "advisory": "Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.",
"cve": "CVE-2023-43665",
"id": "pyup.io-61586",
"more_info_path": "/vulnerabilities/CVE-2023-43665/61586",
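Review bot: The new `advisory` text drops the security-release URL and the fixing versions (3.2.22, 4.1.12, 4.2.6) present in the removed line, leaving the `NOTE` about the incomplete CVE-2019-14232 fix without a pointer to the upstream write-up. Other entries in this file keep such links at the end of the string, so append `\r\nhttps://www.djangoproject.com/weblog/2023/oct/04/security-releases` to stay consistent and auditable. The `v` range of the entry still encodes the fixed releases, so this is a traceability loss rather than a matching change.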
@@ -34415,7 +35095,7 @@
"v": "<3.2.24,>=4.0a1,<4.2.10,>=5.0a1,<5.0.2"
},
{
- "advisory": "Affected versions of Django are vulnerable to potential regular expression denial-of-service. django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).",
+ "advisory": "Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).",
"cve": "CVE-2024-27351",
"id": "pyup.io-65771",
"more_info_path": "/vulnerabilities/CVE-2024-27351/65771",
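Review bot: The abbreviation inserted on the added line is spelled `(REDoS)`, while the same file spells it `ReDoS` in the CVE-2023-36053 and embedchain CVE-2024-23732 entries, which hurts text search for the term. Use the established casing: `... regular expression denial-of-service (ReDoS). django.utils.text.Truncator.words() ...`. Nothing else in the entry changes.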
@@ -34427,20 +35107,20 @@
"v": "<3.2.25,>=4.0a1,<4.2.11,>=5.0a1,<5.0.3"
},
{
- "advisory": "bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.",
- "cve": "CVE-2007-0404",
- "id": "pyup.io-61151",
- "more_info_path": "/vulnerabilities/CVE-2007-0404/61151",
+ "advisory": "The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.",
+ "cve": "CVE-2007-0405",
+ "id": "pyup.io-61152",
+ "more_info_path": "/vulnerabilities/CVE-2007-0405/61152",
"specs": [
"<=0.95"
],
"v": "<=0.95"
},
{
- "advisory": "The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.",
- "cve": "CVE-2007-0405",
- "id": "pyup.io-61152",
- "more_info_path": "/vulnerabilities/CVE-2007-0405/61152",
+ "advisory": "bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.",
+ "cve": "CVE-2007-0404",
+ "id": "pyup.io-61151",
+ "more_info_path": "/vulnerabilities/CVE-2007-0404/61151",
"specs": [
"<=0.95"
],
@@ -35014,7 +35694,7 @@
"v": ">=3.2a1,<3.2.1,<2.2.21,>=3.0a1,<3.1.9"
},
{
- "advisory": "Django 3.2.20, 4.1.10 and 4.2.3 include a fix for CVE-2023-36053: EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.\r\nhttps://www.djangoproject.com/weblog/2023/jul/03/security-releases",
+ "advisory": "Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs.",
"cve": "CVE-2023-36053",
"id": "pyup.io-59293",
"more_info_path": "/vulnerabilities/CVE-2023-36053/59293",
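Review bot: The replacement `advisory` string omits the fixing releases (3.2.20, 4.1.10, 4.2.3) and the djangoproject.com security-release link that the removed line provided, so the entry no longer names where the fix is documented. Appending `\r\nhttps://www.djangoproject.com/weblog/2023/jul/03/security-releases` preserves the reference without changing the description. The ReDoS wording itself is fine and matches the casing used elsewhere in the file.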
@@ -35230,7 +35910,7 @@
],
"django-ajax-utilities": [
{
- "advisory": "Django-ajax-utilities 1.2.9 includes a fix for CVE-2017-20182: This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. \r\n#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.\r\nhttps://github.com/vikingco/django-ajax-utilities/pull/29/commits/329eb1dd1580ca1f9d4f95bc69939833226515c9",
+ "advisory": "Django-ajax-utilities 1.2.9 includes a fix for CVE-2017-20182: This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument URL leads to cross-site scripting. The attack may be initiated remotely. \r\n#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.\r\nhttps://github.com/vikingco/django-ajax-utilities/pull/29/commits/329eb1dd1580ca1f9d4f95bc69939833226515c9",
"cve": "CVE-2017-20182",
"id": "pyup.io-53607",
"more_info_path": "/vulnerabilities/CVE-2017-20182/53607",
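Review bot: Capitalising `argument url` to `argument URL` on the added line turns what reads as the literal parameter name in `pagination.js` into the generic noun, so the description no longer tells a reader which argument of `Pagination` is the injection point. Keep the identifier as written, e.g. `The manipulation of the argument 'url' leads to cross-site scripting.`, and keep the hyphenation change, which is harmless. The rest of the entry, including the `#NOTE` about diverging from NVD, is unchanged.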
@@ -35896,9 +36576,9 @@
"django-dsfr": [
{
"advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.",
- "cve": "CVE-2022-23833",
- "id": "pyup.io-45309",
- "more_info_path": "/vulnerabilities/CVE-2022-23833/45309",
+ "cve": "CVE-2021-45116",
+ "id": "pyup.io-45311",
+ "more_info_path": "/vulnerabilities/CVE-2021-45116/45311",
"specs": [
"<0.6.2"
],
@@ -35906,9 +36586,9 @@
},
{
"advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.",
- "cve": "CVE-2021-45452",
- "id": "pyup.io-45310",
- "more_info_path": "/vulnerabilities/CVE-2021-45452/45310",
+ "cve": "CVE-2022-23833",
+ "id": "pyup.io-45309",
+ "more_info_path": "/vulnerabilities/CVE-2022-23833/45309",
"specs": [
"<0.6.2"
],
@@ -35916,9 +36596,9 @@
},
{
"advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.",
- "cve": "CVE-2021-45116",
- "id": "pyup.io-45311",
- "more_info_path": "/vulnerabilities/CVE-2021-45116/45311",
+ "cve": "CVE-2021-45452",
+ "id": "pyup.io-45310",
+ "more_info_path": "/vulnerabilities/CVE-2021-45452/45310",
"specs": [
"<0.6.2"
],
@@ -36193,6 +36873,26 @@
"<2.15.2"
],
"v": "<2.15.2"
+ },
+ {
+ "advisory": "Django-grappelli version 3.0.4 updates its grunt dependency to version 1.5.3 to address a path traversal vulnerability identified in CVE-2022-0436, which affects versions prior to 1.5.2.",
+ "cve": "CVE-2022-0436",
+ "id": "pyup.io-70378",
+ "more_info_path": "/vulnerabilities/CVE-2022-0436/70378",
+ "specs": [
+ "<3.0.4"
+ ],
+ "v": "<3.0.4"
+ },
+ {
+ "advisory": "Django-grappelli version 3.0.4 has updated its grunt dependency to version 1.5.3. This update addresses a race condition vulnerability identified in CVE-2022-1537, which impacts versions prior to 1.5.2.",
+ "cve": "CVE-2022-1537",
+ "id": "pyup.io-70380",
+ "more_info_path": "/vulnerabilities/CVE-2022-1537/70380",
+ "specs": [
+ "<3.0.4"
+ ],
+ "v": "<3.0.4"
}
],
"django-guts": [
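Review bot: Both new django-grappelli entries flag every `<3.0.4` install for grunt CVE-2022-0436 and CVE-2022-1537, but neither says whether grunt is shipped in the published Python package or is only a Node.js build-time dependency used to produce its static assets; if it is the latter, presumably most installers never execute the vulnerable code. That distinction matters for triage, so state it in each `advisory` string once confirmed, e.g. `... grunt is a build-time Node.js dependency; the installed package does not run it.` or the opposite if the assets are built at install time — TODO verify against the project's package.json and wheel contents. Neither entry carries a reference URL, unlike most sibling entries in this file.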
@@ -36287,20 +36987,20 @@
],
"django-helpdesk": [
{
- "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3945: Django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30\r\nhttps://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4",
- "cve": "CVE-2021-3945",
- "id": "pyup.io-42683",
- "more_info_path": "/vulnerabilities/CVE-2021-3945/42683",
+ "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3950: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site Scripting').\r\nhttps://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60",
+ "cve": "CVE-2021-3950",
+ "id": "pyup.io-42743",
+ "more_info_path": "/vulnerabilities/CVE-2021-3950/42743",
"specs": [
"<0.3.1"
],
"v": "<0.3.1"
},
{
- "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3950: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site Scripting').\r\nhttps://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60",
- "cve": "CVE-2021-3950",
- "id": "pyup.io-42743",
- "more_info_path": "/vulnerabilities/CVE-2021-3950/42743",
+ "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3945: Django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30\r\nhttps://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4",
+ "cve": "CVE-2021-3945",
+ "id": "pyup.io-42683",
+ "more_info_path": "/vulnerabilities/CVE-2021-3945/42683",
"specs": [
"<0.3.1"
],
@@ -38284,6 +38984,16 @@
"<1.1.0"
],
"v": "<1.1.0"
+ },
+ {
+ "advisory": "Django-sql-explorer version 4.2.0b1 addresses a regex-injection vulnerability, enhancing security measures within the application.",
+ "cve": "PVE-2024-70482",
+ "id": "pyup.io-70482",
+ "more_info_path": "/vulnerabilities/PVE-2024-70482/70482",
+ "specs": [
+ "<4.2.0"
+ ],
+ "v": "<4.2.0"
}
],
"django-sticky-uploads": [
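Review bot: The new django-sql-explorer entry says the regex-injection fix landed in `4.2.0b1`, yet `specs`/`v` are `"<4.2.0"`, which under PEP 440 ordering still flags 4.2.0b1 and every later pre-release as vulnerable. Either the range should be `"<4.2.0b1"` (in both `specs` and `v`) if the beta really contains the fix, or the text should name 4.2.0 as the first fixed release. The description also gives no hint of which input reaches the regex and no reference link, so a consumer cannot judge exposure; adding the fixing commit or release-note URL at the end of the string, as other entries do, would help.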
@@ -39661,20 +40371,20 @@
"v": "<1.0.12,>=1.1.0,<1.1.113,>=1.2.0,<1.2.65"
},
{
- "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.",
- "cve": "PVE-2024-65732",
- "id": "pyup.io-65732",
- "more_info_path": "/vulnerabilities/PVE-2024-65732/65732",
+ "advisory": "Docassemble version 1.4.97 rectifies a security vulnerability present in versions up to 1.4.96. This flaw allowed for the creation of open redirect URLs.\r\nhttps://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa",
+ "cve": "PVE-2024-65739",
+ "id": "pyup.io-65739",
+ "more_info_path": "/vulnerabilities/PVE-2024-65739/65739",
"specs": [
"<1.4.97"
],
"v": "<1.4.97"
},
{
- "advisory": "Docassemble version 1.4.97 rectifies a security vulnerability present in versions up to 1.4.96. This flaw allowed for the creation of open redirect URLs.\r\nhttps://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa",
- "cve": "PVE-2024-65739",
- "id": "pyup.io-65739",
- "more_info_path": "/vulnerabilities/PVE-2024-65739/65739",
+ "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.",
+ "cve": "PVE-2024-65732",
+ "id": "pyup.io-65732",
+ "more_info_path": "/vulnerabilities/PVE-2024-65732/65732",
"specs": [
"<1.4.97"
],
@@ -39691,6 +40401,50 @@
"v": "<1.4.97"
}
],
+ "docassemble-base": [
+ {
+ "advisory": "Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.",
+ "cve": "CVE-2023-46046",
+ "id": "pyup.io-68481",
+ "more_info_path": "/vulnerabilities/CVE-2023-46046/68481",
+ "specs": [
+ ">=1.4.53,<1.4.97"
+ ],
+ "v": ">=1.4.53,<1.4.97"
+ }
+ ],
+ "docassemble-webapp": [
+ {
+ "advisory": "Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.",
+ "cve": "CVE-2023-45925",
+ "id": "pyup.io-68485",
+ "more_info_path": "/vulnerabilities/CVE-2023-45925/68485",
+ "specs": [
+ ">=0,<1.4.97"
+ ],
+ "v": ">=0,<1.4.97"
+ },
+ {
+ "advisory": "Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.",
+ "cve": "CVE-2023-46049",
+ "id": "pyup.io-68483",
+ "more_info_path": "/vulnerabilities/CVE-2023-46049/68483",
+ "specs": [
+ ">=0,<1.4.97"
+ ],
+ "v": ">=0,<1.4.97"
+ },
+ {
+ "advisory": "Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.",
+ "cve": "CVE-2023-46046",
+ "id": "pyup.io-68482",
+ "more_info_path": "/vulnerabilities/CVE-2023-46046/68482",
+ "specs": [
+ ">=1.4.53,<1.4.97"
+ ],
+ "v": ">=1.4.53,<1.4.97"
+ }
+ ],
"doccano": [
{
"advisory": "Doccano 1.0.1 adds X-Frame-Options header to prevent clickjacking.",
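Review bot: The new `docassemble-webapp` CVE-2023-46049 (open redirect) and `docassemble-base`/`docassemble-webapp` CVE-2023-46046 (information exposure, 1.4.53–1.4.96) entries appear to describe the same flaws as the `docassemble` PVE-2024-65739 and PVE-2024-65732 entries just above, which still carry PVE ids and no CVE; consumers that dedupe by CVE will therefore report these twice. If they are the same issues, the `docassemble` entries should reference the CVE ids (at minimum a trailing `CVE-2023-46049` / `CVE-2023-46046` mention in their `advisory` strings) — presumably so, verify against GHSA. Separately, the `docassemble-webapp` ranges use the `">=0,<1.4.97"` form while the `docassemble` entries use `"<1.4.97"`; both mean the same thing, but mixing the two styles within adjacent entries invites spurious diffs.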
@@ -39811,6 +40565,16 @@
"<1.1.34"
],
"v": "<1.1.34"
+ },
+ {
+ "advisory": "Docker-tidy version 2.1.7 has upgraded its idna dependency to version 3.7 in response to CVE-2024-3651.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-67893",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/67893",
+ "specs": [
+ "<2.1.7"
+ ],
+ "v": "<2.1.7"
}
],
"dockerspawner": [
@@ -39850,6 +40614,16 @@
}
],
"dogtag-pki": [
+ {
+ "advisory": "It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates.",
+ "cve": "CVE-2017-7537",
+ "id": "pyup.io-67544",
+ "more_info_path": "/vulnerabilities/CVE-2017-7537/67544",
+ "specs": [
+ "<10.6.4"
+ ],
+ "v": "<10.6.4"
+ },
{
"advisory": "Dogtag-pki 10.9.0-b1 includes a fix for CVE-2020-15720: The pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases.\r\nhttps://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72",
"cve": "CVE-2020-15720",
@@ -39879,6 +40653,36 @@
"<=10.9.0"
],
"v": "<=10.9.0"
+ },
+ {
+ "advisory": "A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.",
+ "cve": "CVE-2019-10146",
+ "id": "pyup.io-70508",
+ "more_info_path": "/vulnerabilities/CVE-2019-10146/70508",
+ "specs": [
+ ">=10.0,<=10.7.3"
+ ],
+ "v": ">=10.0,<=10.7.3"
+ },
+ {
+ "advisory": "A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.",
+ "cve": "CVE-2019-10180",
+ "id": "pyup.io-70509",
+ "more_info_path": "/vulnerabilities/CVE-2019-10180/70509",
+ "specs": [
+ ">=10.0,<=10.8.3"
+ ],
+ "v": ">=10.0,<=10.8.3"
+ },
+ {
+ "advisory": "A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser.",
+ "cve": "CVE-2019-10221",
+ "id": "pyup.io-70510",
+ "more_info_path": "/vulnerabilities/CVE-2019-10221/70510",
+ "specs": [
+ ">=10.0,<=10.8.3"
+ ],
+ "v": ">=10.0,<=10.8.3"
}
],
"domonic": [
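Review bot: Each of the three new dogtag-pki XSS entries says the flaw is in "all pki-core 10.x.x versions", yet their `specs` stop at `<=10.7.3` (CVE-2019-10146) and `<=10.8.3` (CVE-2019-10180, CVE-2019-10221) without naming a fixed release, so the upper bounds are unexplained and presumably encode a fix in 10.7.4 / 10.8.4 — confirm against the upstream advisories. State the fixing version in each `advisory` string (e.g. `... Fixed in pki-core 10.8.4.`) or widen the range to match the text; as written a reader cannot tell which is right. Note too that these ranges are applied to the PyPI `dogtag-pki` distribution while the descriptions refer to the pki-core server package, and nothing in the entries establishes that the two version lines correspond.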
@@ -40277,6 +41081,16 @@
"<0.6.0"
],
"v": "<0.6.0"
+ },
+ {
+ "advisory": "DuckDB <=0.9.2 and DuckDB extension-template <=0.9.2 are vulnerable to malicious extension injection via the custom extension feature.",
+ "cve": "CVE-2024-22682",
+ "id": "pyup.io-70404",
+ "more_info_path": "/vulnerabilities/CVE-2024-22682/70404",
+ "specs": [
+ "<0.9.3.dev6"
+ ],
+ "v": "<0.9.3.dev6"
}
],
"dulwich": [
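Review bot: The DuckDB CVE-2024-22682 entry's text declares `<=0.9.2` affected, but `specs`/`v` are `"<0.9.3.dev6"`, which additionally flags 0.9.3 dev builds before dev6 and implies a fix in 0.9.3.dev6 that the description never mentions. If that dev build is the fix, say so in the `advisory` string (`... Fixed in 0.9.3.dev6.`); otherwise align the range with the text. The entry also has no reference link, which is unusual for a CVE-tracked entry in this file and makes the disputed-scope question around extension loading hard for a reader to check.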
@@ -40311,6 +41125,18 @@
"v": ">=0,<0.9.9"
}
],
+ "duplicity": [
+ {
+ "advisory": "The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.",
+ "cve": "CVE-2007-5201",
+ "id": "pyup.io-67545",
+ "more_info_path": "/vulnerabilities/CVE-2007-5201/67545",
+ "specs": [
+ "<0.4.9"
+ ],
+ "v": "<0.4.9"
+ }
+ ],
"duty-board": [
{
"advisory": "Duty-board 0.0.1a2 updates its NPM dependency 'json5' to v1.0.2 to include a security fix.",
@@ -40519,20 +41345,20 @@
],
"ecdsa": [
{
- "advisory": "An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. See CVE-2019-14853.",
- "cve": "CVE-2019-14853",
- "id": "pyup.io-37762",
- "more_info_path": "/vulnerabilities/CVE-2019-14853/37762",
+ "advisory": "A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. See: CVE-2019-14859.",
+ "cve": "CVE-2019-14859",
+ "id": "pyup.io-37763",
+ "more_info_path": "/vulnerabilities/CVE-2019-14859/37763",
"specs": [
"<0.13.3"
],
"v": "<0.13.3"
},
{
- "advisory": "A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. See: CVE-2019-14859.",
- "cve": "CVE-2019-14859",
- "id": "pyup.io-37763",
- "more_info_path": "/vulnerabilities/CVE-2019-14859/37763",
+ "advisory": "An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. See CVE-2019-14853.",
+ "cve": "CVE-2019-14853",
+ "id": "pyup.io-37762",
+ "more_info_path": "/vulnerabilities/CVE-2019-14853/37762",
"specs": [
"<0.13.3"
],
@@ -40617,6 +41443,18 @@
"v": "<1.0.5"
}
],
+ "edumfa": [
+ {
+ "advisory": "Edumfa version 2.0.2 has updated its dependency on the idna library to version 3.7 in response to the security vulnerability detailed in CVE-2024-3651.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-70489",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/70489",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ }
+ ],
"edx-celeryutils": [
{
"advisory": "Edx-celeryutils updates its Jinja2 dependency from version 2.9.6 to 2.10.1 to address the security vulnerability CVE-2019-10906.\r\nhttps://github.com/openedx/edx-celeryutils/commit/d38e5f5866917346a8a503b42ad1129f55ee3b4d",
@@ -40724,6 +41562,42 @@
"v": ">=1.10.0,<=1.26.0"
}
],
+ "electrum": [
+ {
+ "advisory": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.",
+ "cve": "CVE-2018-6353",
+ "id": "pyup.io-67601",
+ "more_info_path": "/vulnerabilities/CVE-2018-6353/67601",
+ "specs": [
+ "<2.9.4",
+ ">=3.0,<3.0.5"
+ ],
+ "v": "<2.9.4,>=3.0,<3.0.5"
+ },
+ {
+ "advisory": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.",
+ "cve": "CVE-2022-31246",
+ "id": "pyup.io-70610",
+ "more_info_path": "/vulnerabilities/CVE-2022-31246/70610",
+ "specs": [
+ "<4.2.2"
+ ],
+ "v": "<4.2.2"
+ }
+ ],
+ "electrum-python": [
+ {
+ "advisory": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.",
+ "cve": "CVE-2018-6353",
+ "id": "pyup.io-67602",
+ "more_info_path": "/vulnerabilities/CVE-2018-6353/67602",
+ "specs": [
+ "<2.9.4",
+ ">=3.0,<3.0.5"
+ ],
+ "v": "<2.9.4,>=3.0,<3.0.5"
+ }
+ ],
"electrumsv-secp256k1": [
{
"advisory": "Electrumsv-secp256k1 version 8.0.0 makes build system support new GitHub & PyPI security requirements.",
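Review bot: The CVE-2018-6353 ranges in both the `electrum` and `electrum-python` entries are `"<2.9.4"` and `">=3.0,<3.0.5"`, but the description says "through 2.9.4 and 3.x through 3.0.5", which is inclusive — so the two versions the text names as affected (2.9.4 and 3.0.5) are exactly the ones these specs exclude. Unless the data intentionally follows a different fix version, change both entries to `"<=2.9.4"`, `">=3.0,<=3.0.5"` and `"v": "<=2.9.4,>=3.0,<=3.0.5"`; if a different fix version is intended, the text should state it. Nothing in either entry establishes that the PyPI `electrum` / `electrum-python` distributions are the upstream wallet these CVEs describe — worth confirming before shipping. The CVE-2022-31246 entry's `"<4.2.2"` matches its "before 4.2.2" wording and is fine.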
@@ -41092,20 +41966,20 @@
],
"embedchain": [
{
- "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.",
- "cve": "CVE-2024-23732",
- "id": "pyup.io-66692",
- "more_info_path": "/vulnerabilities/CVE-2024-23732/66692",
+ "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.",
+ "cve": "CVE-2024-23731",
+ "id": "pyup.io-66691",
+ "more_info_path": "/vulnerabilities/CVE-2024-23731/66691",
"specs": [
"<0.1.57"
],
"v": "<0.1.57"
},
{
- "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.",
- "cve": "CVE-2024-23731",
- "id": "pyup.io-66691",
- "more_info_path": "/vulnerabilities/CVE-2024-23731/66691",
+ "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.",
+ "cve": "CVE-2024-23732",
+ "id": "pyup.io-66692",
+ "more_info_path": "/vulnerabilities/CVE-2024-23732/66692",
"specs": [
"<0.1.57"
],
@@ -41113,16 +41987,6 @@
}
],
"embedded-topic-model": [
- {
- "advisory": "Embedded-topic-model 1.2.0 updates its dependency 'scipy' to versions '>=1.11.*' to include security fixes.\r\nhttps://github.com/lffloyd/embedded-topic-model/commit/331fc0",
- "cve": "CVE-2023-29824",
- "id": "pyup.io-61024",
- "more_info_path": "/vulnerabilities/CVE-2023-29824/61024",
- "specs": [
- "<1.2.0"
- ],
- "v": "<1.2.0"
- },
{
"advisory": "Embedded-topic-model 1.2.0 updates its dependency 'skicit-learn' to versions '>=1.3.*' to include a security fix.\r\nhttps://github.com/lffloyd/embedded-topic-model/commit/331fc0",
"cve": "PVE-2022-52255",
@@ -41142,6 +42006,16 @@
"<1.2.0"
],
"v": "<1.2.0"
+ },
+ {
+ "advisory": "Embedded-topic-model 1.2.0 updates its dependency 'scipy' to versions '>=1.11.*' to include security fixes.\r\nhttps://github.com/lffloyd/embedded-topic-model/commit/331fc0",
+ "cve": "CVE-2023-29824",
+ "id": "pyup.io-61024",
+ "more_info_path": "/vulnerabilities/CVE-2023-29824/61024",
+ "specs": [
+ "<1.2.0"
+ ],
+ "v": "<1.2.0"
}
],
"embody-codec": [
@@ -41182,20 +42056,20 @@
],
"encapsia-api": [
{
- "advisory": "Encapsia-api 0.2.9 updates its dependency 'py' to v1.10.0 to include a security fix.",
- "cve": "CVE-2020-29651",
- "id": "pyup.io-44972",
- "more_info_path": "/vulnerabilities/CVE-2020-29651/44972",
+ "advisory": "Encapsia-api 0.2.9 updates its dependency 'cryptography' to v3.4.6 to include a security fix.",
+ "cve": "CVE-2020-36242",
+ "id": "pyup.io-39689",
+ "more_info_path": "/vulnerabilities/CVE-2020-36242/39689",
"specs": [
"<0.2.9"
],
"v": "<0.2.9"
},
{
- "advisory": "Encapsia-api 0.2.9 updates its dependency 'cryptography' to v3.4.6 to include a security fix.",
- "cve": "CVE-2020-36242",
- "id": "pyup.io-39689",
- "more_info_path": "/vulnerabilities/CVE-2020-36242/39689",
+ "advisory": "Encapsia-api 0.2.9 updates its dependency 'py' to v1.10.0 to include a security fix.",
+ "cve": "CVE-2020-29651",
+ "id": "pyup.io-44972",
+ "more_info_path": "/vulnerabilities/CVE-2020-29651/44972",
"specs": [
"<0.2.9"
],
@@ -41204,20 +42078,20 @@
],
"encapsia-cli": [
{
- "advisory": "Encapsia-cli 0.5.2 updates its dependency 'httpie' requirement to ^3.1.0 to include security fixes.",
- "cve": "CVE-2022-24737",
- "id": "pyup.io-52522",
- "more_info_path": "/vulnerabilities/CVE-2022-24737/52522",
+ "advisory": "Encapsia-cli 0.5.2 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
+ "cve": "CVE-2007-4559",
+ "id": "pyup.io-52524",
+ "more_info_path": "/vulnerabilities/CVE-2007-4559/52524",
"specs": [
"<0.5.2"
],
"v": "<0.5.2"
},
{
- "advisory": "Encapsia-cli 0.5.2 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.",
- "cve": "CVE-2007-4559",
- "id": "pyup.io-52524",
- "more_info_path": "/vulnerabilities/CVE-2007-4559/52524",
+ "advisory": "Encapsia-cli 0.5.2 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
+ "cve": "CVE-2022-23491",
+ "id": "pyup.io-52430",
+ "more_info_path": "/vulnerabilities/CVE-2022-23491/52430",
"specs": [
"<0.5.2"
],
@@ -41234,10 +42108,10 @@
"v": "<0.5.2"
},
{
- "advisory": "Encapsia-cli 0.5.2 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
- "cve": "CVE-2022-23491",
- "id": "pyup.io-52430",
- "more_info_path": "/vulnerabilities/CVE-2022-23491/52430",
+ "advisory": "Encapsia-cli 0.5.2 updates its dependency 'httpie' requirement to ^3.1.0 to include security fixes.",
+ "cve": "CVE-2022-24737",
+ "id": "pyup.io-52522",
+ "more_info_path": "/vulnerabilities/CVE-2022-24737/52522",
"specs": [
"<0.5.2"
],
@@ -41292,6 +42166,18 @@
"v": "<0.11.0"
}
],
+ "entropy-pooling": [
+ {
+ "advisory": "Entropy-pooling version 1.0.4 updates its Pillow dependency from version 10.2.0 to 10.3.0 in response to the security concerns identified in CVE-2024-28219.",
+ "cve": "CVE-2024-28219",
+ "id": "pyup.io-70377",
+ "more_info_path": "/vulnerabilities/CVE-2024-28219/70377",
+ "specs": [
+ "<1.0.4"
+ ],
+ "v": "<1.0.4"
+ }
+ ],
"envd": [
{
"advisory": "Envd 0.3.45 updates its Go dependency 'go-git' to v5.11.0 to include a security fix.",
@@ -41478,6 +42364,16 @@
"<=2021.9.1"
],
"v": "<=2021.9.1"
+ },
+ {
+ "advisory": "ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory rendering remote code execution possible. This vulnerability is patched in 2024.2.1.",
+ "cve": "CVE-2023-39306",
+ "id": "pyup.io-68488",
+ "more_info_path": "/vulnerabilities/CVE-2023-39306/68488",
+ "specs": [
+ ">=2023.12.9,<2024.2.1"
+ ],
+ "v": ">=2023.12.9,<2024.2.1"
}
],
"esptool": [
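Review bot: The ESPHome CVE-2023-39306 entry's lower bound `>=2023.12.9` treats the one version named in the description as the first affected release, but the text only says the misconfiguration was found in 2023.12.9, not that it was introduced there, so earlier 2023.x installs are left unflagged on an inference. Unless the upstream advisory restricts the affected range, use `"<2024.2.1"` for both `specs` and `v` — verify against the GHSA before changing. The description's "(command line installation)" qualifier is useful and should stay.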
@@ -41514,6 +42410,16 @@
">=0,<4.2.0"
],
"v": ">=0,<4.2.0"
+ },
+ {
+ "advisory": "Ethereum ABI (Application Binary Interface) library versions before 5.0.1 are susceptible to a vulnerability due to a recursive pointer issue. This flaw can trigger an OverflowError when decoding specially crafted payloads. The vulnerability specifically arises when attempting to decode deep nested arrays encoded in hex, as demonstrated by inputs causing Python integers to exceed the size that can be converted to C ssize_t. This issue underscores the importance of carefully handling array decoding to prevent potential overflows, emphasizing the need for appropriate validation and error handling mechanisms in applications processing such data.",
+ "cve": "PVE-2024-68474",
+ "id": "pyup.io-68474",
+ "more_info_path": "/vulnerabilities/PVE-2024-68474/68474",
+ "specs": [
+ ">=0,<5.0.1"
+ ],
+ "v": ">=0,<5.0.1"
}
],
"eth-account": [
@@ -41620,20 +42526,20 @@
"v": "<2.22.1"
},
{
- "advisory": "Ethyca-fides 2.22.1 addresses the moderate severity vulnerability CVE-2023-46126. This issue affected versions of Fides before 2.22.1, where the privacy policy URL field in consent and privacy notices was not properly validated. Malicious users with contributor access or higher could exploit this to execute arbitrary JavaScript on integrated websites. The patch now properly sanitizes input, preventing such attacks. https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83",
- "cve": "CVE-2023-46126",
- "id": "pyup.io-63526",
- "more_info_path": "/vulnerabilities/CVE-2023-46126/63526",
+ "advisory": "Ethyca-fides 2.22.1 fixes a vulnerability identified as CVE-2023-46125. The issue was found with the GET api/v1/config endpoint. It allowed Admin UI users with roles lower than the owner role, such as the viewer role, to retrieve the configuration information using the API. Even though the configuration data was filtered to suppress most sensitive information, it still contained details about the internals and backend infrastructure like server addresses, ports, and database usernames. \r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89",
+ "cve": "CVE-2023-46125",
+ "id": "pyup.io-63521",
+ "more_info_path": "/vulnerabilities/CVE-2023-46125/63521",
"specs": [
"<2.22.1"
],
"v": "<2.22.1"
},
{
- "advisory": "Ethyca-fides 2.22.1 fixes a vulnerability identified as CVE-2023-46125. The issue was found with the GET api/v1/config endpoint. It allowed Admin UI users with roles lower than the owner role, such as the viewer role, to retrieve the configuration information using the API. Even though the configuration data was filtered to suppress most sensitive information, it still contained details about the internals and backend infrastructure like server addresses, ports, and database usernames. \r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89",
- "cve": "CVE-2023-46125",
- "id": "pyup.io-63521",
- "more_info_path": "/vulnerabilities/CVE-2023-46125/63521",
+ "advisory": "Ethyca-fides 2.22.1 addresses the moderate severity vulnerability CVE-2023-46126. This issue affected versions of Fides before 2.22.1, where the privacy policy URL field in consent and privacy notices was not properly validated. Malicious users with contributor access or higher could exploit this to execute arbitrary JavaScript on integrated websites. The patch now properly sanitizes input, preventing such attacks. https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83",
+ "cve": "CVE-2023-46126",
+ "id": "pyup.io-63526",
+ "more_info_path": "/vulnerabilities/CVE-2023-46126/63526",
"specs": [
"<2.22.1"
],
@@ -41660,20 +42566,20 @@
"v": "<2.24.0"
},
{
- "advisory": "The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.",
- "cve": "CVE-2023-37480",
- "id": "pyup.io-65025",
- "more_info_path": "/vulnerabilities/CVE-2023-37480/65025",
+ "advisory": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.",
+ "cve": "CVE-2023-37481",
+ "id": "pyup.io-65027",
+ "more_info_path": "/vulnerabilities/CVE-2023-37481/65027",
"specs": [
">=2.11.0,<2.16.0"
],
"v": ">=2.11.0,<2.16.0"
},
{
- "advisory": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.",
- "cve": "CVE-2023-37481",
- "id": "pyup.io-65027",
- "more_info_path": "/vulnerabilities/CVE-2023-37481/65027",
+ "advisory": "The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.",
+ "cve": "CVE-2023-37480",
+ "id": "pyup.io-65025",
+ "more_info_path": "/vulnerabilities/CVE-2023-37480/65025",
"specs": [
">=2.11.0,<2.16.0"
],
@@ -41968,20 +42874,20 @@
"v": "<0.8"
},
{
- "advisory": "Evennia 0.8 updates its dependency 'Twisted' minimum requirement to v18.0.0 to include a security fix.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-1000111",
- "id": "pyup.io-51937",
- "more_info_path": "/vulnerabilities/CVE-2016-1000111/51937",
+ "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-9190",
+ "id": "pyup.io-52039",
+ "more_info_path": "/vulnerabilities/CVE-2016-9190/52039",
"specs": [
"<0.8"
],
"v": "<0.8"
},
{
- "advisory": "Evennia 0.8 updates its dependency 'pillow' to v5.2.0 to include security fixes.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
- "cve": "CVE-2016-9190",
- "id": "pyup.io-52039",
- "more_info_path": "/vulnerabilities/CVE-2016-9190/52039",
+ "advisory": "Evennia 0.8 updates its dependency 'Twisted' minimum requirement to v18.0.0 to include a security fix.\r\nhttps://github.com/evennia/evennia/commit/6b7766d2956ae7be19f2cf7be0d43056c0accbb0",
+ "cve": "CVE-2016-1000111",
+ "id": "pyup.io-51937",
+ "more_info_path": "/vulnerabilities/CVE-2016-1000111/51937",
"specs": [
"<0.8"
],
@@ -42089,9 +42995,9 @@
},
{
"advisory": "Evennia 4.0.0 enhances security on the website character page by implementing URL validation for redirects. \r\nhttps://github.com/evennia/evennia/commit/23b9d06db5e6e8b0e48198dd46b85ce57fd0f10d",
- "cve": null,
+ "cve": "PVE-2024-66790",
"id": "pyup.io-66790",
- "more_info_path": "/vulnerabilities/None/66790",
+ "more_info_path": "/vulnerabilities/PVE-2024-66790/66790",
"specs": [
"<4.0.0"
],
@@ -42144,7 +43050,7 @@
"v": "<0.34.3"
},
{
- "advisory": "Eventlet 0.35.2 Copied the complete fix for (CVE-2023-29483) and handling of truncated exceptions in greendns.py after Dnspython 2.6.0rc1 dns.query.udp() API change heads-up.\r\nhttps://github.com/eventlet/eventlet/pull/916",
+ "advisory": "Eventlet 0.35.2 copied the complete fix for (CVE-2023-29483) and handling of truncated exceptions in greendns.py after Dnspython 2.6.0rc1 dns.query.udp() API change heads-up.\r\nhttps://github.com/eventlet/eventlet/pull/916",
"cve": "CVE-2023-29483",
"id": "pyup.io-66927",
"more_info_path": "/vulnerabilities/CVE-2023-29483/66927",
@@ -42214,10 +43120,10 @@
],
"exchanges-wrapper": [
{
- "advisory": "Exchanges-wrapper 1.3.4 updates its dependency 'grpcio' to version '1.56.0' to include a fix for a Connection Confusion vulnerability.\r\nhttps://github.com/DogsTailFarmer/exchanges-wrapper/commit/f679262b648bdf08d4fa4e4f071a12562c25a54a\r\nhttps://github.com/advisories/GHSA-cfgp-2977-2fmm",
- "cve": "CVE-2023-32731",
- "id": "pyup.io-59871",
- "more_info_path": "/vulnerabilities/CVE-2023-32731/59871",
+ "advisory": "Exchanges-wrapper 1.3.4 updates its dependency 'grpcio' to version '1.56.0' to include a fix for a Reachable Assertion vulnerability.\r\nhttps://github.com/DogsTailFarmer/exchanges-wrapper/commit/f679262b648bdf08d4fa4e4f071a12562c25a54a\r\nhttps://github.com/advisories/GHSA-6628-q6j9-w8vg",
+ "cve": "CVE-2023-1428",
+ "id": "pyup.io-59519",
+ "more_info_path": "/vulnerabilities/CVE-2023-1428/59519",
"specs": [
"<1.3.4"
],
@@ -42234,16 +43140,28 @@
"v": "<1.3.4"
},
{
- "advisory": "Exchanges-wrapper 1.3.4 updates its dependency 'grpcio' to version '1.56.0' to include a fix for a Reachable Assertion vulnerability.\r\nhttps://github.com/DogsTailFarmer/exchanges-wrapper/commit/f679262b648bdf08d4fa4e4f071a12562c25a54a\r\nhttps://github.com/advisories/GHSA-6628-q6j9-w8vg",
- "cve": "CVE-2023-1428",
- "id": "pyup.io-59519",
- "more_info_path": "/vulnerabilities/CVE-2023-1428/59519",
+ "advisory": "Exchanges-wrapper 1.3.4 updates its dependency 'grpcio' to version '1.56.0' to include a fix for a Connection Confusion vulnerability.\r\nhttps://github.com/DogsTailFarmer/exchanges-wrapper/commit/f679262b648bdf08d4fa4e4f071a12562c25a54a\r\nhttps://github.com/advisories/GHSA-cfgp-2977-2fmm",
+ "cve": "CVE-2023-32731",
+ "id": "pyup.io-59871",
+ "more_info_path": "/vulnerabilities/CVE-2023-32731/59871",
"specs": [
"<1.3.4"
],
"v": "<1.3.4"
}
],
+ "execnet": [
+ {
+ "advisory": "Execnet 1.0.6 resolves a race condition that occurred when multiple threads simultaneously transmitted data over channels, which previously led to crashes in the serializer and process. This fix enhances stability and concurrency handling.",
+ "cve": "PVE-2024-67501",
+ "id": "pyup.io-67501",
+ "more_info_path": "/vulnerabilities/PVE-2024-67501/67501",
+ "specs": [
+ "<1.0.6"
+ ],
+ "v": "<1.0.6"
+ }
+ ],
"exgrex-py": [
{
"advisory": "Exgrex-py 0.3a2 updates its dependency 'bleach' to v3.3.0 to include a security fix.",
@@ -42560,6 +43478,18 @@
"v": ">=0,<0.0.2"
}
],
+ "f-ask": [
+ {
+ "advisory": "Certain versions of Flask, part of the Pallets Project, are susceptible to an Improper Input Validation vulnerability. This issue could lead to excessive memory usage, potentially causing a denial of service if attackers supply JSON data in an incorrect encoding.",
+ "cve": null,
+ "id": "pyup.io-69621",
+ "more_info_path": "/vulnerabilities/None/69621",
+ "specs": [
+ ">=0,<0.12.3"
+ ],
+ "v": ">=0,<0.12.3"
+ }
+ ],
"faapi": [
{
"advisory": "Faapi 3.1.0 updates its dependency 'lxml' to v4.7.1 to include a security fix.",
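Review bot: The new `f-ask` record carries `"cve": null` together with `"more_info_path": "/vulnerabilities/None/69621"`, which is the same null-serialised path segment that this commit corrects for the evennia record (`pyup.io-66790`, now `PVE-2024-66790`). A consumer that builds a URL from `more_info_path` ends up with a literal `None` segment, and `cve` being sometimes a string and sometimes `null` makes the field awkward to rely on; either assign a `PVE-` identifier as done for evennia, or document that `cve` may be null and derive the path from the numeric id alone. Separately, the advisory text describes Flask while the key is `f-ask`; if that is a distinct distribution that vendors Flask the key is fine, otherwise it looks misspelt and would not be matched by readers keyed on `flask`.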
@@ -43045,9 +43975,9 @@
},
{
"advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.",
- "cve": "CVE-2021-46708",
- "id": "pyup.io-48161",
- "more_info_path": "/vulnerabilities/CVE-2021-46708/48161",
+ "cve": "CVE-2018-25031",
+ "id": "pyup.io-48160",
+ "more_info_path": "/vulnerabilities/CVE-2018-25031/48160",
"specs": [
"<0.75.2"
],
@@ -43055,9 +43985,9 @@
},
{
"advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.",
- "cve": "CVE-2018-25031",
- "id": "pyup.io-48160",
- "more_info_path": "/vulnerabilities/CVE-2018-25031/48160",
+ "cve": "CVE-2021-46708",
+ "id": "pyup.io-48161",
+ "more_info_path": "/vulnerabilities/CVE-2021-46708/48161",
"specs": [
"<0.75.2"
],
@@ -43714,6 +44644,18 @@
"v": ">0"
}
],
+ "fflogsapi": [
+ {
+ "advisory": "Fflogsapi version 2.1.0 upgrades its cryptography library to version 42.0.5 from 39.0.1 to address the security issue CVE-2024-26130.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-67467",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/67467",
+ "specs": [
+ "<2.1.0"
+ ],
+ "v": "<2.1.0"
+ }
+ ],
"ffmpeg-normalize": [
{
"advisory": "Ffmpeg-normalize 1.24.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/slhck/ffmpeg-normalize/commit/daf1bf15dde81e5916b8fb4c7853c833e89328f9",
@@ -43761,9 +44703,9 @@
},
{
"advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-50794",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/50794",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-50784",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/50784",
"specs": [
"<0.2.0b1"
],
@@ -43771,9 +44713,9 @@
},
{
"advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-50793",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/50793",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-50794",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/50794",
"specs": [
"<0.2.0b1"
],
@@ -43781,9 +44723,9 @@
},
{
"advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-50784",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/50784",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-50793",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/50793",
"specs": [
"<0.2.0b1"
],
@@ -43936,6 +44878,18 @@
"v": "<0.25.3"
}
],
+ "fin-maestro-kin": [
+ {
+ "advisory": "Fin-maestro-kin 0.2.2 updates its dependency 'pillow' to version 10.3.0 to include a fix for a Buffer Overflow vulnerability.",
+ "cve": "CVE-2024-28219",
+ "id": "pyup.io-67525",
+ "more_info_path": "/vulnerabilities/CVE-2024-28219/67525",
+ "specs": [
+ "<0.2.2"
+ ],
+ "v": "<0.2.2"
+ }
+ ],
"fincity-django-allauth": [
{
"advisory": "Fincity-django-allauth 0.18.0 requires the 'AUDIENCE' parameter to be explicitly configured, as required by the Persona specification for security reasons.\r\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1051025",
@@ -44000,7 +44954,7 @@
],
"fiona": [
{
- "advisory": "Fiona 1.9.4.post1 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.\r\nhttps://github.com/sgillies/fiona-wheels/issues/39",
+ "advisory": "Fiona 1.9.4.post1 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.",
"cve": "CVE-2023-38545",
"id": "pyup.io-61771",
"more_info_path": "/vulnerabilities/CVE-2023-38545/61771",
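Review bot: The fiona record loses its reference link (`https://github.com/sgillies/fiona-wheels/issues/39`) on the new side while the CVE and version range are unchanged, so the claim that the wheels bundle a vulnerable libcurl is now unsourced in the file. Other advisories in these hunks keep their `\r\n`-separated reference URLs, so the removal looks unintentional; if the link was dropped deliberately because it is dead, a replacement reference would keep the record traceable.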
@@ -44102,20 +45056,20 @@
],
"fittrackee": [
{
- "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151",
- "cve": "PVE-2022-45387",
- "id": "pyup.io-45387",
- "more_info_path": "/vulnerabilities/PVE-2022-45387/45387",
+ "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152",
+ "cve": "PVE-2022-44973",
+ "id": "pyup.io-44973",
+ "more_info_path": "/vulnerabilities/PVE-2022-44973/44973",
"specs": [
"<0.5.7"
],
"v": "<0.5.7"
},
{
- "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152",
- "cve": "PVE-2022-44973",
- "id": "pyup.io-44973",
- "more_info_path": "/vulnerabilities/PVE-2022-44973/44973",
+ "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151",
+ "cve": "PVE-2022-45387",
+ "id": "pyup.io-45387",
+ "more_info_path": "/vulnerabilities/PVE-2022-45387/45387",
"specs": [
"<0.5.7"
],
@@ -44307,7 +45261,7 @@
"v": "<=1.5.2"
},
{
- "advisory": "Affected versions of Flask-Admin are vulnerable to cross-site scripting (XSS) attacks, which occur when attackers trick a web-based application into accepting a request from what it perceives to be a trusted source. This can lead to the execution of malicious scripts in the user's browser, potentially resulting in session hijacking, exposure of sensitive information, unauthorized access to privileged functions, and malware delivery. XSS exploits are mainly achieved by injecting malicious code into web applications, highlighting the importance of escaping special characters in user input to prevent such manipulations. The advisory outlines that XSS attacks can manifest in various forms, including stored, reflected, DOM-based, and mutated, each with specific characteristics regarding the origin and method of execution of the malicious code. It further advises on prevention methods such as sanitizing data input, converting special characters to their HTML or URL encoded equivalents, providing options to disable client-side scripts, redirecting invalid requests, detecting and invalidating simultaneous logins from different IPs, enforcing a Content Security Policy, and understanding the security features of used libraries. These practices are designed to mitigate the risk and impact of XSS vulnerabilities in web servers, application servers, and web application environments.\r\nhttps://github.com/flask-admin/flask-admin/commit/0dc5a48fd0a4fdd28172e0bc508373ddb58fc50b",
+ "advisory": "Affected versions of Flask-Admin are vulnerable to cross-site scripting (XSS) via scheme.\r\nhttps://github.com/flask-admin/flask-admin/commit/0dc5a48fd0a4fdd28172e0bc508373ddb58fc50b",
"cve": "PVE-2024-99786",
"id": "pyup.io-66043",
"more_info_path": "/vulnerabilities/PVE-2024-99786/66043",
@@ -44470,6 +45424,16 @@
],
"v": "<4.3.0"
},
+ {
+ "advisory": "Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.",
+ "cve": "CVE-2023-46047",
+ "id": "pyup.io-68493",
+ "more_info_path": "/vulnerabilities/CVE-2023-46047/68493",
+ "specs": [
+ "<4.3.11"
+ ],
+ "v": "<4.3.11"
+ },
{
"advisory": "Flask-AppBuilder 4.3.2 includes a fix for an Information Disclosure vulnerability.\r\nhttps://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3",
"cve": "CVE-2023-34110",
@@ -45160,6 +46124,26 @@
],
"v": "<1.2.0"
},
+ {
+ "advisory": "** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren\u2019t user facing configuration options. They are internal backend config options and person having rights to change them already has full access.",
+ "cve": "CVE-2019-16925",
+ "id": "pyup.io-70511",
+ "more_info_path": "/vulnerabilities/CVE-2019-16925/70511",
+ "specs": [
+ "<=0.9.3"
+ ],
+ "v": "<=0.9.3"
+ },
+ {
+ "advisory": "** DISPUTED ** Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren\u2019t user facing configuration options. They are internal backend config options and person having rights to change them already has full access.",
+ "cve": "CVE-2019-16926",
+ "id": "pyup.io-70512",
+ "more_info_path": "/vulnerabilities/CVE-2019-16926/70512",
+ "specs": [
+ "<=0.9.3"
+ ],
+ "v": "<=0.9.3"
+ },
{
"advisory": "Flower before 0.9.2 has a XSS on tasks page because data is not properly escaped.",
"cve": "PVE-2023-55193",
@@ -45182,6 +46166,16 @@
}
],
"flytekit": [
+ {
+ "advisory": "Flytekit 0.30.0 stops using unauthenticated git.\r\nhttps://github.com/flyteorg/flytekit/pull/810",
+ "cve": "PVE-2022-44776",
+ "id": "pyup.io-44776",
+ "more_info_path": "/vulnerabilities/PVE-2022-44776/44776",
+ "specs": [
+ "<0.30.0"
+ ],
+ "v": "<0.30.0"
+ },
{
"advisory": "Flytekit 0.30.0 updates its dependency 'ipython' to v7.31.1 to include a security fix.",
"cve": "CVE-2022-21699",
@@ -45193,14 +46187,14 @@
"v": "<0.30.0"
},
{
- "advisory": "Flytekit 0.30.0 stops using unauthenticated git.\r\nhttps://github.com/flyteorg/flytekit/pull/810",
- "cve": "PVE-2022-44776",
- "id": "pyup.io-44776",
- "more_info_path": "/vulnerabilities/PVE-2022-44776/44776",
+ "advisory": "Flytekit 1.1.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
+ "cve": "CVE-2022-24065",
+ "id": "pyup.io-49722",
+ "more_info_path": "/vulnerabilities/CVE-2022-24065/49722",
"specs": [
- "<0.30.0"
+ "<1.1.0"
],
- "v": "<0.30.0"
+ "v": "<1.1.0"
},
{
"advisory": "Flytekit 1.1.0 updates its dependency 'pillow' to v9.1.1 to include a security fix.",
@@ -45213,14 +46207,14 @@
"v": "<1.1.0"
},
{
- "advisory": "Flytekit 1.1.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
"cve": "CVE-2022-24065",
- "id": "pyup.io-49722",
- "more_info_path": "/vulnerabilities/CVE-2022-24065/49722",
+ "id": "pyup.io-51331",
+ "more_info_path": "/vulnerabilities/CVE-2022-24065/51331",
"specs": [
- "<1.1.0"
+ "<1.2.0"
],
- "v": "<1.1.0"
+ "v": "<1.2.0"
},
{
"advisory": "Flytekit 1.2.0 updates its dependency 'oauthlib' to v3.2.1 to include a security fix.",
@@ -45243,50 +46237,40 @@
"v": "<1.2.0"
},
{
- "advisory": "Flytekit 1.2.0 updates its dependency 'lxml' to v4.9.1 to include a security fix.",
- "cve": "CVE-2022-2309",
- "id": "pyup.io-51327",
- "more_info_path": "/vulnerabilities/CVE-2022-2309/51327",
- "specs": [
- "<1.2.0"
- ],
- "v": "<1.2.0"
- },
- {
- "advisory": "Flytekit 1.2.0 updates its dependency 'mistune' to v2.0.3 to include a security fix.",
- "cve": "CVE-2022-34749",
- "id": "pyup.io-51329",
- "more_info_path": "/vulnerabilities/CVE-2022-34749/51329",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'protobuf' to v3.20.2 to include a security fix.",
+ "cve": "CVE-2022-1941",
+ "id": "pyup.io-51334",
+ "more_info_path": "/vulnerabilities/CVE-2022-1941/51334",
"specs": [
"<1.2.0"
],
"v": "<1.2.0"
},
{
- "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.",
- "cve": "CVE-2022-24065",
- "id": "pyup.io-51331",
- "more_info_path": "/vulnerabilities/CVE-2022-24065/51331",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'lxml' to v4.9.1 to include a security fix.",
+ "cve": "CVE-2022-2309",
+ "id": "pyup.io-51327",
+ "more_info_path": "/vulnerabilities/CVE-2022-2309/51327",
"specs": [
"<1.2.0"
],
"v": "<1.2.0"
},
{
- "advisory": "Flytekit 1.2.0 updates its dependency 'protobuf' to v3.20.2 to include a security fix.",
- "cve": "CVE-2022-1941",
- "id": "pyup.io-51334",
- "more_info_path": "/vulnerabilities/CVE-2022-1941/51334",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'notebook' to v6.4.12 to include a security fix.",
+ "cve": "CVE-2022-29238",
+ "id": "pyup.io-51330",
+ "more_info_path": "/vulnerabilities/CVE-2022-29238/51330",
"specs": [
"<1.2.0"
],
"v": "<1.2.0"
},
{
- "advisory": "Flytekit 1.2.0 updates its dependency 'notebook' to v6.4.12 to include a security fix.",
- "cve": "CVE-2022-29238",
- "id": "pyup.io-51330",
- "more_info_path": "/vulnerabilities/CVE-2022-29238/51330",
+ "advisory": "Flytekit 1.2.0 updates its dependency 'mistune' to v2.0.3 to include a security fix.",
+ "cve": "CVE-2022-34749",
+ "id": "pyup.io-51329",
+ "more_info_path": "/vulnerabilities/CVE-2022-34749/51329",
"specs": [
"<1.2.0"
],
@@ -45411,6 +46395,18 @@
"v": "<1.0"
}
],
+ "fortitudo-tech": [
+ {
+ "advisory": "Fortitudo-tech version 1.0.6 updates its idna library from version 3.6 to 3.7 to address the vulnerability described in CVE-2024-3651.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-70379",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/70379",
+ "specs": [
+ "<1.0.6"
+ ],
+ "v": "<1.0.6"
+ }
+ ],
"fosslight-android": [
{
"advisory": "A vulnerability patch has been integrated into Fosslight-android version 4.1.15. Earlier versions may have hard-coded sensitive credentials and lacked measures to counter potential SQL injection vulnerabilities.",
@@ -45509,20 +46505,30 @@
],
"fractal-server": [
{
- "advisory": "Fractal-server 1.3.0a3 updates its dependency 'starlette' to version '0.27.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
- "cve": "CVE-2023-29159",
- "id": "pyup.io-59001",
- "more_info_path": "/vulnerabilities/CVE-2023-29159/59001",
+ "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-59000",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/59000",
"specs": [
"<1.3.0a3"
],
"v": "<1.3.0a3"
},
{
- "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
- "cve": "CVE-2023-32681",
- "id": "pyup.io-59000",
- "more_info_path": "/vulnerabilities/CVE-2023-32681/59000",
+ "advisory": "Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475",
+ "cve": "CVE-2023-2650",
+ "id": "pyup.io-59002",
+ "more_info_path": "/vulnerabilities/CVE-2023-2650/59002",
+ "specs": [
+ "<1.3.0a3"
+ ],
+ "v": "<1.3.0a3"
+ },
+ {
+ "advisory": "Fractal-server 1.3.0a3 updates its dependency 'starlette' to version '0.27.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723",
+ "cve": "CVE-2023-29159",
+ "id": "pyup.io-59001",
+ "more_info_path": "/vulnerabilities/CVE-2023-29159/59001",
"specs": [
"<1.3.0a3"
],
@@ -45537,19 +46543,71 @@
"<1.3.0a3"
],
"v": "<1.3.0a3"
+ }
+ ],
+ "frapp": [
+ {
+ "advisory": "public/js/frappe/form/footer/timeline.js in Frappe Framework 12 through 12.0.8 does not escape HTML in the timeline and thus is affected by crafted \"changed value of\" text.",
+ "cve": "CVE-2019-15700",
+ "id": "pyup.io-70505",
+ "more_info_path": "/vulnerabilities/CVE-2019-15700/70505",
+ "specs": [
+ "<12.0.9"
+ ],
+ "v": "<12.0.9"
},
{
- "advisory": "Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475",
- "cve": "CVE-2023-2650",
- "id": "pyup.io-59002",
- "more_info_path": "/vulnerabilities/CVE-2023-2650/59002",
+ "advisory": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.",
+ "cve": "CVE-2022-23055",
+ "id": "pyup.io-70599",
+ "more_info_path": "/vulnerabilities/CVE-2022-23055/70599",
"specs": [
- "<1.3.0a3"
+ "<13.1.0"
],
- "v": "<1.3.0a3"
+ "v": "<13.1.0"
}
],
"frappe": [
+ {
+ "advisory": "An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.",
+ "cve": "CVE-2019-14967",
+ "id": "pyup.io-70503",
+ "more_info_path": "/vulnerabilities/CVE-2019-14967/70503",
+ "specs": [
+ "<11.1.46"
+ ],
+ "v": "<11.1.46"
+ },
+ {
+ "advisory": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.",
+ "cve": "CVE-2019-14966",
+ "id": "pyup.io-70502",
+ "more_info_path": "/vulnerabilities/CVE-2019-14966/70502",
+ "specs": [
+ "<12.0.4"
+ ],
+ "v": "<12.0.4"
+ },
+ {
+ "advisory": "An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.",
+ "cve": "CVE-2019-14965",
+ "id": "pyup.io-70501",
+ "more_info_path": "/vulnerabilities/CVE-2019-14965/70501",
+ "specs": [
+ "<12.0.4"
+ ],
+ "v": "<12.0.4"
+ },
+ {
+ "advisory": "In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.",
+ "cve": "CVE-2020-27508",
+ "id": "pyup.io-70577",
+ "more_info_path": "/vulnerabilities/CVE-2020-27508/70577",
+ "specs": [
+ "<12.10.0"
+ ],
+ "v": "<12.10.0"
+ },
{
"advisory": "Frappe 14.49.0 includes a fix for CVE-2023-46127: A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection.\r\nhttps://github.com/frappe/frappe/security/advisories/GHSA-j2w9-8xrr-7g98",
"cve": "CVE-2023-46127",
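Review bot: The new `frapp` key holds a Frappe Framework advisory (CVE-2019-15700) and an ERPNext advisory (CVE-2022-23055), while a `frappe` key follows immediately in the same hunk; unless `frapp` is a real distribution name, these two records are misfiled and will not be matched against installations of `frappe`. The ERPNext record is also given `"specs": ["<13.1.0"]` although its text describes ERPNext v11.0.0-beta through v13.0.2, and ERPNext is a separate distribution from Frappe, so the range and the key both need confirming. I'd move the CVE-2019-15700 record under `frappe` and verify where the ERPNext record belongs before merging.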
@@ -45590,6 +46648,17 @@
],
"v": "<=14.14.3"
},
+ {
+ "advisory": "Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.",
+ "cve": "CVE-2023-41328",
+ "id": "pyup.io-70411",
+ "more_info_path": "/vulnerabilities/CVE-2023-41328/70411",
+ "specs": [
+ ">13.0.0,<13.46.1",
+ ">14.0.0,<14.20.0"
+ ],
+ "v": ">13.0.0,<13.46.1,>14.0.0,<14.20.0"
+ },
{
"advisory": "In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.",
"cve": "CVE-2019-20529",
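Review bot: The `"v"` value `">13.0.0,<13.46.1,>14.0.0,<14.20.0"` joins the two `specs` ranges with commas; if `v` is read with PEP 440 specifier-set syntax, as the `<1.1.0`-style values elsewhere in this file suggest, that is a single conjunction no version satisfies (nothing is both `<13.46.1` and `>14.0.0`). Either `v` needs a separator downstream readers treat as a disjunction, or it should be generated from `specs` rather than hand-written; I'd confirm how consumers parse `v` before relying on it. Also `>13.0.0` and `>14.0.0` leave 13.0.0 and 14.0.0 themselves outside the affected range although the advisory only names 13.46.1 and 14.20.0 as fixed, so `>=` was presumably intended — worth checking against the upstream ranges.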
@@ -45613,6 +46682,56 @@
],
"v": "<1.1.1"
},
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.",
+ "cve": "CVE-2014-7850",
+ "id": "pyup.io-70470",
+ "more_info_path": "/vulnerabilities/CVE-2014-7850/70470",
+ "specs": [
+ "<4.1.2"
+ ],
+ "v": "<4.1.2"
+ },
+ {
+ "advisory": "ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate and private key in /etc/httpd/alias/kra-agent.pem, which is world readable.",
+ "cve": "CVE-2015-5284",
+ "id": "pyup.io-70466",
+ "more_info_path": "/vulnerabilities/CVE-2015-5284/70466",
+ "specs": [
+ "<4.2.2"
+ ],
+ "v": "<4.2.2"
+ },
+ {
+ "advisory": "The cert_revoke command in FreeIPA does not check for the \"revoke certificate\" permission, which allows remote authenticated users to revoke arbitrary certificates by leveraging the \"retrieve certificate\" permission.",
+ "cve": "CVE-2016-5404",
+ "id": "pyup.io-70533",
+ "more_info_path": "/vulnerabilities/CVE-2016-5404/70533",
+ "specs": [
+ "<4.3.3"
+ ],
+ "v": "<4.3.3"
+ },
+ {
+ "advisory": "A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys.",
+ "cve": "CVE-2017-2590",
+ "id": "pyup.io-67438",
+ "more_info_path": "/vulnerabilities/CVE-2017-2590/67438",
+ "specs": [
+ "<4.4.0"
+ ],
+ "v": "<4.4.0"
+ },
+ {
+ "advisory": "Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks.",
+ "cve": "CVE-2016-9575",
+ "id": "pyup.io-70517",
+ "more_info_path": "/vulnerabilities/CVE-2016-9575/70517",
+ "specs": [
+ "<4.4.3"
+ ],
+ "v": "<4.4.3"
+ },
{
"advisory": "Freeipa 4.6.7, 4.7.4 and 4.8.3 include a fix for CVE-2019-14867: A flaw was found in IPA in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14867",
"cve": "CVE-2019-14867",
@@ -45625,6 +46744,46 @@
],
"v": "<4.6.7,>=4.7.0rc1,<4.7.4,>=4.8.0rc1,<4.8.3"
},
+ {
+ "advisory": "ipa 3.0 does not properly check server identity before sending credential containing cookies",
+ "cve": "CVE-2012-5631",
+ "id": "pyup.io-67961",
+ "more_info_path": "/vulnerabilities/CVE-2012-5631/67961",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
+ },
+ {
+ "advisory": "FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services.",
+ "cve": "CVE-2016-5414",
+ "id": "pyup.io-70513",
+ "more_info_path": "/vulnerabilities/CVE-2016-5414/70513",
+ "specs": [
+ "<=4.4.0"
+ ],
+ "v": "<=4.4.0"
+ },
+ {
+ "advisory": "FreeIPA might display user data improperly via vectors involving non-printable characters.",
+ "cve": "CVE-2015-5179",
+ "id": "pyup.io-70468",
+ "more_info_path": "/vulnerabilities/CVE-2015-5179/70468",
+ "specs": [
+ "<=4.5.0"
+ ],
+ "v": "<=4.5.0"
+ },
+ {
+ "advisory": "FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account in which system services run on.",
+ "cve": "CVE-2016-7030",
+ "id": "pyup.io-70515",
+ "more_info_path": "/vulnerabilities/CVE-2016-7030/70515",
+ "specs": [
+ "<=4.6.0"
+ ],
+ "v": "<=4.6.0"
+ },
{
"advisory": "FreeIPA versions 1.3.0b0 to 4.8.0rc1, which employ Samba to integrate with Microsoft's Active Directory, were discovered to be susceptible to a Denial of Service (DoS) attack known as SMBLoris. This vulnerability was detected in August 2017.",
"cve": "PVE-2023-99971",
@@ -45645,6 +46804,47 @@
],
"v": ">=1.9.0a,<=2.1.90rc1"
},
+ {
+ "advisory": "FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind.",
+ "cve": "CVE-2014-7828",
+ "id": "pyup.io-70472",
+ "more_info_path": "/vulnerabilities/CVE-2014-7828/70472",
+ "specs": [
+ ">=4.0,<4.0.5",
+ ">4.1,<4.1.1"
+ ],
+ "v": ">=4.0,<4.0.5,>4.1,<4.1.1"
+ },
+ {
+ "advisory": "A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.",
+ "cve": "CVE-2020-1722",
+ "id": "pyup.io-70580",
+ "more_info_path": "/vulnerabilities/CVE-2020-1722/70580",
+ "specs": [
+ ">=4.0.0,<=4.8.0"
+ ],
+ "v": ">=4.0.0,<=4.8.0"
+ },
+ {
+ "advisory": "It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.",
+ "cve": "CVE-2017-12169",
+ "id": "pyup.io-67437",
+ "more_info_path": "/vulnerabilities/CVE-2017-12169/67437",
+ "specs": [
+ ">=4.2.0"
+ ],
+ "v": ">=4.2.0"
+ },
+ {
+ "advisory": "A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.",
+ "cve": "CVE-2019-14826",
+ "id": "pyup.io-70519",
+ "more_info_path": "/vulnerabilities/CVE-2019-14826/70519",
+ "specs": [
+ ">=4.5.0"
+ ],
+ "v": ">=4.5.0"
+ },
{
"advisory": "A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.",
"cve": "CVE-2019-10195",
@@ -46448,6 +47648,16 @@
}
],
"geonode": [
+ {
+ "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.",
+ "cve": "CVE-2018-20060",
+ "id": "pyup.io-42969",
+ "more_info_path": "/vulnerabilities/CVE-2018-20060/42969",
+ "specs": [
+ "<2.10"
+ ],
+ "v": "<2.10"
+ },
{
"advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.",
"cve": "CVE-2019-11324",
@@ -46478,16 +47688,6 @@
],
"v": "<2.10"
},
- {
- "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.",
- "cve": "CVE-2018-20060",
- "id": "pyup.io-42969",
- "more_info_path": "/vulnerabilities/CVE-2018-20060/42969",
- "specs": [
- "<2.10"
- ],
- "v": "<2.10"
- },
{
"advisory": "Geonode 2.10 updates 'django' to v1.11.22 to include a security fix.",
"cve": "CVE-2019-12781",
@@ -46585,6 +47785,18 @@
"v": "<=1.7.11"
}
],
+ "geosss": [
+ {
+ "advisory": "Geosss 0.1.9 secures its codebase by updating the version constraint for Black to \">=24.3.0, < 25.0.0\" to mitigate the risk associated with CVE-2024-21503.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-67417",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/67417",
+ "specs": [
+ "<0.1.9"
+ ],
+ "v": "<0.1.9"
+ }
+ ],
"geotribu": [
{
"advisory": "Geotribu 0.31.1 updates its Pillow dependency to version 10.2 to address the CVE-2022-22817.\r\nhttps://github.com/geotribu/cli/pull/165/commits/ee7ff27877b789df2d385e1dcdbd912bb08ea003",
@@ -46665,20 +47877,20 @@
"v": "<1.0.0"
},
{
- "advisory": "Geti-sdk 1.0.1 sanitizes project download target path.\r\nhttps://github.com/openvinotoolkit/geti-sdk/pull/87",
- "cve": "PVE-2023-54989",
- "id": "pyup.io-54989",
- "more_info_path": "/vulnerabilities/PVE-2023-54989/54989",
+ "advisory": "Geti-sdk 1.0.1 reduce permissions upon directory creation.\r\nhttps://github.com/openvinotoolkit/geti-sdk/pull/90",
+ "cve": "PVE-2023-54993",
+ "id": "pyup.io-54993",
+ "more_info_path": "/vulnerabilities/PVE-2023-54993/54993",
"specs": [
"<1.0.1"
],
"v": "<1.0.1"
},
{
- "advisory": "Geti-sdk 1.0.1 reduce permissions upon directory creation.\r\nhttps://github.com/openvinotoolkit/geti-sdk/pull/90",
- "cve": "PVE-2023-54993",
- "id": "pyup.io-54993",
- "more_info_path": "/vulnerabilities/PVE-2023-54993/54993",
+ "advisory": "Geti-sdk 1.0.1 sanitizes project download target path.\r\nhttps://github.com/openvinotoolkit/geti-sdk/pull/87",
+ "cve": "PVE-2023-54989",
+ "id": "pyup.io-54989",
+ "more_info_path": "/vulnerabilities/PVE-2023-54989/54989",
"specs": [
"<1.0.1"
],
@@ -46743,6 +47955,16 @@
}
],
"ggshield": [
+ {
+ "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
+ "cve": "CVE-2023-3817",
+ "id": "pyup.io-60443",
+ "more_info_path": "/vulnerabilities/CVE-2023-3817/60443",
+ "specs": [
+ "<1.18.0"
+ ],
+ "v": "<1.18.0"
+ },
{
"advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
"cve": "CVE-2023-2975",
@@ -46762,16 +47984,6 @@
"<1.18.0"
],
"v": "<1.18.0"
- },
- {
- "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082",
- "cve": "CVE-2023-3817",
- "id": "pyup.io-60443",
- "more_info_path": "/vulnerabilities/CVE-2023-3817/60443",
- "specs": [
- "<1.18.0"
- ],
- "v": "<1.18.0"
}
],
"ghga-service-commons": [
@@ -47119,9 +48331,9 @@
"githubkit": [
{
"advisory": "Githubkit 0.9.4 updates its dependency 'cryptography' to v38.0.3 to include security fixes.",
- "cve": "CVE-2022-3602",
- "id": "pyup.io-52515",
- "more_info_path": "/vulnerabilities/CVE-2022-3602/52515",
+ "cve": "CVE-2022-3786",
+ "id": "pyup.io-52470",
+ "more_info_path": "/vulnerabilities/CVE-2022-3786/52470",
"specs": [
"<0.9.4"
],
@@ -47129,9 +48341,9 @@
},
{
"advisory": "Githubkit 0.9.4 updates its dependency 'cryptography' to v38.0.3 to include security fixes.",
- "cve": "CVE-2022-3786",
- "id": "pyup.io-52470",
- "more_info_path": "/vulnerabilities/CVE-2022-3786/52470",
+ "cve": "CVE-2022-3602",
+ "id": "pyup.io-52515",
+ "more_info_path": "/vulnerabilities/CVE-2022-3602/52515",
"specs": [
"<0.9.4"
],
@@ -47248,6 +48460,36 @@
],
"v": "<11.0.1,==12.0.0"
},
+ {
+ "advisory": "The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.",
+ "cve": "CVE-2013-1840",
+ "id": "pyup.io-67955",
+ "more_info_path": "/vulnerabilities/CVE-2013-1840/67955",
+ "specs": [
+ "<13.0.0"
+ ],
+ "v": "<13.0.0"
+ },
+ {
+ "advisory": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.",
+ "cve": "CVE-2017-7200",
+ "id": "pyup.io-67541",
+ "more_info_path": "/vulnerabilities/CVE-2017-7200/67541",
+ "specs": [
+ "<13.0.0"
+ ],
+ "v": "<13.0.0"
+ },
+ {
+ "advisory": "The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.",
+ "cve": "CVE-2013-4354",
+ "id": "pyup.io-67992",
+ "more_info_path": "/vulnerabilities/CVE-2013-4354/67992",
+ "specs": [
+ "<2.1"
+ ],
+ "v": "<2.1"
+ },
{
"advisory": "Glance 23.0.1, 24.1.1 and 25.0.0 include a fix for CVE-2022-47951: An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.",
"cve": "CVE-2022-47951",
@@ -47260,6 +48502,16 @@
],
"v": "<23.0.1,>=24.0.0.0rc1,<24.1.1,>=25.0.0.0b1,<25.0.0"
},
+ {
+ "advisory": "The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.",
+ "cve": "CVE-2015-8234",
+ "id": "pyup.io-70458",
+ "more_info_path": "/vulnerabilities/CVE-2015-8234/70458",
+ "specs": [
+ "<=11.0.0"
+ ],
+ "v": "<=11.0.0"
+ },
{
"advisory": "OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.",
"cve": "CVE-2013-4428",
@@ -47282,6 +48534,89 @@
],
"v": ">0"
},
+ {
+ "advisory": "OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.",
+ "cve": "CVE-2014-1948",
+ "id": "pyup.io-70456",
+ "more_info_path": "/vulnerabilities/CVE-2014-1948/70456",
+ "specs": [
+ ">2010,<2013.2.2"
+ ],
+ "v": ">2010,<2013.2.2"
+ },
+ {
+ "advisory": "OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image.",
+ "cve": "CVE-2014-5356",
+ "id": "pyup.io-70455",
+ "more_info_path": "/vulnerabilities/CVE-2014-5356/70455",
+ "specs": [
+ ">2010,<2014.1.3"
+ ],
+ "v": ">2010,<2014.1.3"
+ },
+ {
+ "advisory": "The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.",
+ "cve": "CVE-2015-1195",
+ "id": "pyup.io-70453",
+ "more_info_path": "/vulnerabilities/CVE-2015-1195/70453",
+ "specs": [
+ ">2010,<2014.1.4",
+ ">=2014.2,<2014.2.2"
+ ],
+ "v": ">2010,<2014.1.4,>=2014.2,<2014.2.2"
+ },
+ {
+ "advisory": "OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.",
+ "cve": "CVE-2014-9684",
+ "id": "pyup.io-70454",
+ "more_info_path": "/vulnerabilities/CVE-2014-9684/70454",
+ "specs": [
+ ">2010,<2014.2.3"
+ ],
+ "v": ">2010,<2014.2.3"
+ },
+ {
+ "advisory": "OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.",
+ "cve": "CVE-2015-1881",
+ "id": "pyup.io-70452",
+ "more_info_path": "/vulnerabilities/CVE-2015-1881/70452",
+ "specs": [
+ ">2010,<2015.1.0"
+ ],
+ "v": ">2010,<2015.1.0"
+ },
+ {
+ "advisory": "OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.",
+ "cve": "CVE-2015-3289",
+ "id": "pyup.io-70459",
+ "more_info_path": "/vulnerabilities/CVE-2015-3289/70459",
+ "specs": [
+ ">2010,<2015.1.1"
+ ],
+ "v": ">2010,<2015.1.1"
+ },
+ {
+ "advisory": "OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.",
+ "cve": "CVE-2014-9623",
+ "id": "pyup.io-70428",
+ "more_info_path": "/vulnerabilities/CVE-2014-9623/70428",
+ "specs": [
+ ">2010,<=2014.1.3",
+ ">=2014,<=2014.2"
+ ],
+ "v": ">2010,<=2014.1.3,>=2014,<=2014.2"
+ },
+ {
+ "advisory": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
+ "cve": "CVE-2016-8611",
+ "id": "pyup.io-70621",
+ "more_info_path": "/vulnerabilities/CVE-2016-8611/70621",
+ "specs": [
+ ">2010,<=2015.1.4",
+ "<=26.0.0.0"
+ ],
+ "v": ">2010,<=2015.1.4,<=26.0.0.0"
+ },
{
"advisory": "OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.",
"cve": "CVE-2015-5251",
@@ -47315,6 +48650,36 @@
],
"v": ">=2010,<2015.1.3,>=11.0.0.0rc1,<11.0.2"
},
+ {
+ "advisory": "The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.",
+ "cve": "CVE-2012-4573",
+ "id": "pyup.io-68003",
+ "more_info_path": "/vulnerabilities/CVE-2012-4573/68003",
+ "specs": [
+ ">=2012.2,<2013.2.4"
+ ],
+ "v": ">=2012.2,<2013.2.4"
+ },
+ {
+ "advisory": "The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4573.",
+ "cve": "CVE-2012-5482",
+ "id": "pyup.io-68004",
+ "more_info_path": "/vulnerabilities/CVE-2012-5482/68004",
+ "specs": [
+ ">=2012.2,<2013.2.4"
+ ],
+ "v": ">=2012.2,<2013.2.4"
+ },
+ {
+ "advisory": "store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.",
+ "cve": "CVE-2013-0212",
+ "id": "pyup.io-68005",
+ "more_info_path": "/vulnerabilities/CVE-2013-0212/68005",
+ "specs": [
+ ">=2012.2,<2013.2.4"
+ ],
+ "v": ">=2012.2,<2013.2.4"
+ },
{
"advisory": "The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location.",
"cve": "CVE-2014-0162",
@@ -47325,6 +48690,17 @@
],
"v": ">=2013.2.0,<2013.2.4"
},
+ {
+ "advisory": "The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.",
+ "cve": "CVE-2014-9493",
+ "id": "pyup.io-70429",
+ "more_info_path": "/vulnerabilities/CVE-2014-9493/70429",
+ "specs": [
+ ">=2014.1,<2014.1.4",
+ ">=2014.2,<2014.2.2"
+ ],
+ "v": ">=2014.1,<2014.1.4,>=2014.2,<2014.2.2"
+ },
{
"advisory": "The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.",
"cve": "CVE-2015-5163",
@@ -47560,20 +48936,20 @@
"v": "<2.12.0"
},
{
- "advisory": "Gnoll 4.2.7 pins its dependency 'wheel' to versions >=0.38.0 to include a security fix.",
- "cve": "CVE-2022-40898",
- "id": "pyup.io-52496",
- "more_info_path": "/vulnerabilities/CVE-2022-40898/52496",
+ "advisory": "Gnoll 4.2.7 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-52493",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/52493",
"specs": [
"<4.2.7"
],
"v": "<4.2.7"
},
{
- "advisory": "Gnoll 4.2.7 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
- "cve": "CVE-2022-40897",
- "id": "pyup.io-52493",
- "more_info_path": "/vulnerabilities/CVE-2022-40897/52493",
+ "advisory": "Gnoll 4.2.7 pins its dependency 'wheel' to versions >=0.38.0 to include a security fix.",
+ "cve": "CVE-2022-40898",
+ "id": "pyup.io-52496",
+ "more_info_path": "/vulnerabilities/CVE-2022-40898/52496",
"specs": [
"<4.2.7"
],
@@ -47613,6 +48989,16 @@
}
],
"gns3-server": [
+ {
+ "advisory": "Untrusted search path vulnerability in GNS3 1.2.3 allows local users to gain privileges via a Trojan horse uuid.dll in an unspecified directory.",
+ "cve": "CVE-2015-2667",
+ "id": "pyup.io-70465",
+ "more_info_path": "/vulnerabilities/CVE-2015-2667/70465",
+ "specs": [
+ "<1.2.3"
+ ],
+ "v": "<1.2.3"
+ },
{
"advisory": "GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2.1.17, allows a local attacker to read arbitrary files because it handles configuration-file errors by printing the configuration file while executing in a setuid root context.",
"cve": "CVE-2020-14976",
@@ -47859,16 +49245,6 @@
],
"v": "<0.67.0"
},
- {
- "advisory": "Gordo 1.12.0 updates its dependency \"numpy\" to v1.21.0 to include a security fix.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-51152",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/51152",
- "specs": [
- "<1.12.0"
- ],
- "v": "<1.12.0"
- },
{
"advisory": "Gordo 1.12.0 updates its dependency \"TensorFlow\" requirement to \"~=2.7.0\" to include security fixes.",
"cve": "CVE-2022-21725",
@@ -48399,6 +49775,16 @@
],
"v": "<1.12.0"
},
+ {
+ "advisory": "Gordo 1.12.0 updates its dependency \"numpy\" to v1.21.0 to include a security fix.",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-51152",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/51152",
+ "specs": [
+ "<1.12.0"
+ ],
+ "v": "<1.12.0"
+ },
{
"advisory": "Gordo 5.1.2 updates its dependency 'cryptography' to version '41.0.0' to include a security fix.\r\nhttps://github.com/equinor/gordo/pull/1324/commits/3e02a6e184236c6406fb6faa1dda440baa2af68a",
"cve": "CVE-2023-2650",
@@ -48584,6 +49970,18 @@
"v": "<2.8.6"
}
],
+ "gpyg": [
+ {
+ "advisory": "Gpyg version 0.3.0 resolves the issue with unquoted strings by ensuring user inputs are correctly quoted.",
+ "cve": "PVE-2024-67021",
+ "id": "pyup.io-67021",
+ "more_info_path": "/vulnerabilities/PVE-2024-67021/67021",
+ "specs": [
+ "<0.3.0"
+ ],
+ "v": "<0.3.0"
+ }
+ ],
"gradio": [
{
"advisory": "Gradio 2.6.0 fixes arbitrary file read vulnerabilities.\r\nhttps://github.com/gradio-app/gradio/pull/406",
@@ -48635,6 +50033,16 @@
],
"v": "<4.11.0"
},
+ {
+ "advisory": "Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.",
+ "cve": "CVE-2023-6572",
+ "id": "pyup.io-70406",
+ "more_info_path": "/vulnerabilities/CVE-2023-6572/70406",
+ "specs": [
+ "<4.14.0"
+ ],
+ "v": "<4.14.0"
+ },
{
"advisory": "Gradio version 4.19.1 introduces security enhancements to protect against timing attacks that could potentially guess Gradio passwords.\r\nhttps://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b",
"cve": "PVE-2024-65402",
@@ -48896,20 +50304,20 @@
],
"graphscope": [
{
- "advisory": "Graphscope 0.7.0 updates its dependency 'Apache Commons IO' to v2.7 to include a security fix.",
- "cve": "CVE-2021-29425",
- "id": "pyup.io-42560",
- "more_info_path": "/vulnerabilities/CVE-2021-29425/42560",
+ "advisory": "Graphscope 0.7.0 updates its dependency 'SLF4J' to v1.7.31 to include a security fix.",
+ "cve": "CVE-2018-8088",
+ "id": "pyup.io-42561",
+ "more_info_path": "/vulnerabilities/CVE-2018-8088/42561",
"specs": [
"<0.7.0"
],
"v": "<0.7.0"
},
{
- "advisory": "Graphscope 0.7.0 updates its dependency 'SLF4J' to v1.7.31 to include a security fix.",
- "cve": "CVE-2018-8088",
- "id": "pyup.io-42561",
- "more_info_path": "/vulnerabilities/CVE-2018-8088/42561",
+ "advisory": "Graphscope 0.7.0 updates its dependency 'Apache Commons IO' to v2.7 to include a security fix.",
+ "cve": "CVE-2021-29425",
+ "id": "pyup.io-42560",
+ "more_info_path": "/vulnerabilities/CVE-2021-29425/42560",
"specs": [
"<0.7.0"
],
@@ -48994,20 +50402,20 @@
"v": "<1.2.0"
},
{
- "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-8359: Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.\r\nhttps://github.com/grpc/grpc/pull/10353/commits/aab6992c006be6fb80df73fd9f218365099c016d",
- "cve": "CVE-2017-8359",
- "id": "pyup.io-47263",
- "more_info_path": "/vulnerabilities/CVE-2017-8359/47263",
+ "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-9431: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.\r\nhttps://github.com/grpc/grpc/pull/10492/commits/c6ec1155d026c91b1badb07ef1605bb747cff064",
+ "cve": "CVE-2017-9431",
+ "id": "pyup.io-47264",
+ "more_info_path": "/vulnerabilities/CVE-2017-9431/47264",
"specs": [
"<1.3.0"
],
"v": "<1.3.0"
},
{
- "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-9431: Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.\r\nhttps://github.com/grpc/grpc/pull/10492/commits/c6ec1155d026c91b1badb07ef1605bb747cff064",
- "cve": "CVE-2017-9431",
- "id": "pyup.io-47264",
- "more_info_path": "/vulnerabilities/CVE-2017-9431/47264",
+ "advisory": "Grpcio 1.3.0 includes a fix for CVE-2017-8359: Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.\r\nhttps://github.com/grpc/grpc/pull/10353/commits/aab6992c006be6fb80df73fd9f218365099c016d",
+ "cve": "CVE-2017-8359",
+ "id": "pyup.io-47263",
+ "more_info_path": "/vulnerabilities/CVE-2017-8359/47263",
"specs": [
"<1.3.0"
],
@@ -49024,20 +50432,20 @@
"v": "<1.53.0"
},
{
- "advisory": "Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.\r\nhttps://github.com/advisories/GHSA-cfgp-2977-2fmm",
- "cve": "CVE-2023-32731",
- "id": "pyup.io-59869",
- "more_info_path": "/vulnerabilities/CVE-2023-32731/59869",
+ "advisory": "Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.\r\nhttps://github.com/advisories/GHSA-9hxf-ppjv-w6rq",
+ "cve": "CVE-2023-32732",
+ "id": "pyup.io-59868",
+ "more_info_path": "/vulnerabilities/CVE-2023-32732/59868",
"specs": [
"<1.53.0"
],
"v": "<1.53.0"
},
{
- "advisory": "Grpcio 1.53.0 includes a fix for a Connection Termination vulnerability. The prior versions contain a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies.\r\nhttps://github.com/advisories/GHSA-9hxf-ppjv-w6rq",
- "cve": "CVE-2023-32732",
- "id": "pyup.io-59868",
- "more_info_path": "/vulnerabilities/CVE-2023-32732/59868",
+ "advisory": "Grpcio 1.53.0 includes a fix for a Connection Confusion vulnerability. When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.\r\nhttps://github.com/advisories/GHSA-cfgp-2977-2fmm",
+ "cve": "CVE-2023-32731",
+ "id": "pyup.io-59869",
+ "more_info_path": "/vulnerabilities/CVE-2023-32731/59869",
"specs": [
"<1.53.0"
],
@@ -49093,9 +50501,9 @@
},
{
"advisory": "Grpcio-tools 1.3.0 depends on 'grpcio' v1.3.0, which includes security fixes.",
- "cve": "CVE-2017-8359",
- "id": "pyup.io-47169",
- "more_info_path": "/vulnerabilities/CVE-2017-8359/47169",
+ "cve": "CVE-2017-9431",
+ "id": "pyup.io-47168",
+ "more_info_path": "/vulnerabilities/CVE-2017-9431/47168",
"specs": [
"<1.3.0"
],
@@ -49103,9 +50511,9 @@
},
{
"advisory": "Grpcio-tools 1.3.0 depends on 'grpcio' v1.3.0, which includes security fixes.",
- "cve": "CVE-2017-9431",
- "id": "pyup.io-47168",
- "more_info_path": "/vulnerabilities/CVE-2017-9431/47168",
+ "cve": "CVE-2017-8359",
+ "id": "pyup.io-47169",
+ "more_info_path": "/vulnerabilities/CVE-2017-8359/47169",
"specs": [
"<1.3.0"
],
@@ -49324,9 +50732,9 @@
"gyver": [
{
"advisory": "Gyver 2.8.3 updates its dependency 'cryptography' to versions ^41.0.4 to include security fixes.",
- "cve": "CVE-2023-3446",
- "id": "pyup.io-61396",
- "more_info_path": "/vulnerabilities/CVE-2023-3446/61396",
+ "cve": "CVE-2023-38325",
+ "id": "pyup.io-61403",
+ "more_info_path": "/vulnerabilities/CVE-2023-38325/61403",
"specs": [
"<2.8.3"
],
@@ -49334,9 +50742,9 @@
},
{
"advisory": "Gyver 2.8.3 updates its dependency 'cryptography' to versions ^41.0.4 to include security fixes.",
- "cve": "CVE-2023-38325",
- "id": "pyup.io-61403",
- "more_info_path": "/vulnerabilities/CVE-2023-38325/61403",
+ "cve": "CVE-2023-3446",
+ "id": "pyup.io-61396",
+ "more_info_path": "/vulnerabilities/CVE-2023-3446/61396",
"specs": [
"<2.8.3"
],
@@ -49361,6 +50769,16 @@
"<2.8.4"
],
"v": "<2.8.4"
+ },
+ {
+ "advisory": "Gyver version 4.1.2 has upgraded its orjson dependency from version 3.9.4 to 3.10.0 to address the security issues outlined in CVE-2024-27454.",
+ "cve": "CVE-2024-27454",
+ "id": "pyup.io-68040",
+ "more_info_path": "/vulnerabilities/CVE-2024-27454/68040",
+ "specs": [
+ "<4.1.2"
+ ],
+ "v": "<4.1.2"
}
],
"h2o": [
@@ -49475,7 +50893,7 @@
"v": "<3.40.0.3"
},
{
- "advisory": "H2o 3.40.0.4 updates its dependency 'json-smart' to '2.4.10' to fix CVE-2023-1370.\r\n https://github.com/h2oai/h2o-3/pull/6680",
+ "advisory": "H2o 3.40.0.4 updates its dependency 'json-smart' to '2.4.10' to fix CVE-2023-1370.",
"cve": "CVE-2023-1370",
"id": "pyup.io-59335",
"more_info_path": "/vulnerabilities/CVE-2023-1370/59335",
@@ -49793,6 +51211,20 @@
"v": "<=1.16.6"
}
],
+ "heat": [
+ {
+ "advisory": "In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0.",
+ "cve": "CVE-2016-9185",
+ "id": "pyup.io-70500",
+ "more_info_path": "/vulnerabilities/CVE-2016-9185/70500",
+ "specs": [
+ "<=5.0.3",
+ ">=6.0.0,<=6.1.0",
+ "<=7.0.0"
+ ],
+ "v": "<=5.0.3,>=6.0.0,<=6.1.0,<=7.0.0"
+ }
+ ],
"heedy": [
{
"advisory": "Heedy 0.3.0a1 reports it its changelog: There might [...] be security issues. Use at your own risk.",
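Review bot: The third `specs` entry for CVE-2016-9185, `"<=7.0.0"`, is wider than the advisory text it sits under, which names only `==7.0.0` as the affected 7.x release; as written it also overlaps the two preceding ranges, so any 6.1.x version after 6.1.0 (and every 5.x) would be flagged twice and for the wrong reason. The file already uses exact pins for single affected releases (see the `"==11.0.0"` spec in the horizon hunk further down), so `"==7.0.0"` would match both the advisory and the local convention. The derived `"v"` string should follow the same correction.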
@@ -49829,6 +51261,18 @@
"v": ">0"
}
],
+ "help-tokens": [
+ {
+ "advisory": "Help-tokens 1.0.4 has updated its Jinja2 requirement from version 2.9.6 to 2.10.1 to address a known security vulnerability found in previous versions, as identified by CVE-2019-10906.",
+ "cve": "PVE-2024-67010",
+ "id": "pyup.io-67010",
+ "more_info_path": "/vulnerabilities/PVE-2024-67010/67010",
+ "specs": [
+ "<1.0.4"
+ ],
+ "v": "<1.0.4"
+ }
+ ],
"henosis": [
{
"advisory": "Henosis 0.0.11 uses 'yaml.safe_load()' to prevent a code execution vulnerability.",
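Review bot: The `cve` field of the help-tokens entry holds `PVE-2024-67010` while its advisory names CVE-2019-10906 as the issue the Jinja2 bump addresses, whereas the other dependency-bump entries added in this commit (gyver/orjson, hexkit/cryptography, inboard/gunicorn) carry the upstream CVE in `cve`. If the distinction is deliberate — the CVE belongs to Jinja2, not to help-tokens — it is applied inconsistently within the same change and consumers keying on `cve` will dedupe these entries differently. Either put `"cve": "CVE-2019-10906"` here or use PVE ids for the sibling bump entries too.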
@@ -49841,6 +51285,18 @@
"v": "<0.0.11"
}
],
+ "hexkit": [
+ {
+ "advisory": "Hexkit 2.2.0 has upgraded its cryptography library requirement to version 42.0.4 or later, addressing the security issue CVE-2024-26130.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-67587",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/67587",
+ "specs": [
+ "<2.2.0"
+ ],
+ "v": "<2.2.0"
+ }
+ ],
"heyoo": [
{
"advisory": "Heyoo version 0.4 has disabled the debug mode, which was previously activated by default in the hook. The app was vulnerable to exploitation once online.\r\nhttps://github.com/Neurotech-HQ/heyoo/pull/85/commits/7631be553bd15093d807f4446a3ab941e6a14994",
@@ -49936,6 +51392,18 @@
"v": "<1.2.0"
}
],
+ "hikari": [
+ {
+ "advisory": "Hikari version 2.0.0.dev73 addresses a bug where prematurely shutting down a bot during its startup phase led to a deadlock, enhancing stability and functionality during the bot's initialization process.",
+ "cve": "PVE-2024-67104",
+ "id": "pyup.io-67104",
+ "more_info_path": "/vulnerabilities/PVE-2024-67104/67104",
+ "specs": [
+ "<2.0.0.dev73"
+ ],
+ "v": "<2.0.0.dev73"
+ }
+ ],
"hippogym": [
{
"advisory": "Hippogym 1.1.0 updates its dependency 'pillow' to v7.1.0 to include security fixes.",
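Review bot: The hikari advisory describes a startup/shutdown deadlock fix and states no security impact, so as committed the entry reads as an ordinary bug fix rather than a vulnerability, and every consumer pinning `hikari<2.0.0.dev73` will get a finding it cannot classify. If the intent is an availability (denial-of-service) concern, the advisory should say so in one sentence; if not, the entry may not belong in this database. The PVE id suggests this was a curated addition, so the rationale presumably exists and only needs to be stated.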
@@ -50175,6 +51643,16 @@
],
"v": "<2023.3.0"
},
+ {
+ "advisory": "The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote code execution (RCE). Version 2023.7 addresses this issue and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-161.",
+ "cve": "CVE-2023-44385",
+ "id": "pyup.io-70400",
+ "more_info_path": "/vulnerabilities/CVE-2023-44385/70400",
+ "specs": [
+ "<2023.7"
+ ],
+ "v": "<2023.7"
+ },
{
"advisory": "Homeassistant 2023.8.0 includes a fix for CVE-2023-41896: Whilst auditing the frontend code to identify hidden parameters, Cure53 detected 'auth_callback=1', which is leveraged by the WebSocket authentication logic in tandem with the 'state' parameter. The state parameter contains the 'hassUrl', which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the 'auth_callback' link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code\u2019s authentication flow. An optimal implementation in this regard would not trust the 'hassUrl' passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the 'js_url' for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0.\r\nhttps://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
"cve": "CVE-2023-41896",
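Review bot: CVE-2023-44385 concerns the Home Assistant Companion app for iOS and macOS, but the entry binds it to the `homeassistant` PyPI package with `"specs": ["<2023.7"]`, so every core installation below 2023.7 would be reported as affected regardless of whether a Companion app is in use. The same mapping question applies to the CVE-2020-36517 entry added later in this file (it describes Home Assistant OS / Supervised DNS resolver configuration, bound here as `"<=2022.03"` on the core package). There is precedent for this in the existing CVE-2023-41898 (Android app) entry just below, so if the policy is to attach app/OS advisories to the core package, the advisory text should state that the version range refers to the core release the fix shipped with; otherwise these entries are false positives for a Python dependency scanner.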
@@ -50185,16 +51663,6 @@
],
"v": "<2023.8.0"
},
- {
- "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611",
- "cve": "CVE-2023-3817",
- "id": "pyup.io-60215",
- "more_info_path": "/vulnerabilities/CVE-2023-3817/60215",
- "specs": [
- "<2023.8.1"
- ],
- "v": "<2023.8.1"
- },
{
"advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611",
"cve": "CVE-2023-3446",
@@ -50216,14 +51684,14 @@
"v": "<2023.8.1"
},
{
- "advisory": "Home assistant is an open source home automation. The audit team\u2019s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u2019s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u2019s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
- "cve": "CVE-2023-41893",
- "id": "pyup.io-65361",
- "more_info_path": "/vulnerabilities/CVE-2023-41893/65361",
+ "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611",
+ "cve": "CVE-2023-3817",
+ "id": "pyup.io-60215",
+ "more_info_path": "/vulnerabilities/CVE-2023-3817/60215",
"specs": [
- "<2023.9.0"
+ "<2023.8.1"
],
- "v": "<2023.9.0"
+ "v": "<2023.8.1"
},
{
"advisory": "Homeassistant 2023.9.0 includes a fix for CVE-2023-41899: In affected versions the 'hassio.addon_stdin' is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values.\r\nhttps://github.com/home-assistant/core/pull/99232",
@@ -50235,6 +51703,46 @@
],
"v": "<2023.9.0"
},
+ {
+ "advisory": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "cve": "CVE-2023-41894",
+ "id": "pyup.io-70403",
+ "more_info_path": "/vulnerabilities/CVE-2023-41894/70403",
+ "specs": [
+ "<2023.9.0"
+ ],
+ "v": "<2023.9.0"
+ },
+ {
+ "advisory": "Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents either `http` or `https`, Home Assistant will fetch the `client_id` and check for `` HTML tags on the page. These URLs are not subjected to the same scheme validation and thus allow for arbitrary JavaScript execution on the Home Assistant administration page via usage of `javascript:` scheme URIs. This Cross-site Scripting (XSS) vulnerability can be executed on the Home Assistant frontend domain, which may be used for a full takeover of the Home Assistant account and installation. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "cve": "CVE-2023-41895",
+ "id": "pyup.io-70402",
+ "more_info_path": "/vulnerabilities/CVE-2023-41895/70402",
+ "specs": [
+ "<2023.9.0"
+ ],
+ "v": "<2023.9.0"
+ },
+ {
+ "advisory": "Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "cve": "CVE-2023-41897",
+ "id": "pyup.io-70401",
+ "more_info_path": "/vulnerabilities/CVE-2023-41897/70401",
+ "specs": [
+ "<2023.9.0"
+ ],
+ "v": "<2023.9.0"
+ },
+ {
+ "advisory": "Home assistant is an open source home automation. The audit team\u2019s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim\u2019s `access_token` the adversary would need to utilize it directly towards the instance to achieve any pertinent malicious actions. To achieve this compromise attempt, the attacker must send a link with a `redirect_uri` that they control to the victim\u2019s own Home Assistant instance. In the eventuality the victim authenticates via said link, the attacker would obtain code sent to the specified URL in `redirect_uri`, which can then be leveraged to fetch an `access_token`. Pertinently, an attacker could increase the efficacy of this strategy by registering a near identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obfuscate any malicious intentions. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "cve": "CVE-2023-41893",
+ "id": "pyup.io-65361",
+ "more_info_path": "/vulnerabilities/CVE-2023-41893/65361",
+ "specs": [
+ "<2023.9.0"
+ ],
+ "v": "<2023.9.0"
+ },
{
"advisory": "Homeassistant 2023.9.2 includes a fix for CVE-2023-41898: The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft.\r\nhttps://github.blog/2023-11-30-securing-our-home-labs-home-assistant-code-review",
"cve": "CVE-2023-41898",
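Review bot: The CVE-2023-41895 advisory text contains an empty backtick pair — "check for `` HTML tags on the page" — where the tag name was evidently lost during import (presumably the `<link>` element named in the upstream advisory; confirm against the GHSA text), leaving the key sentence of the description unreadable. Since the whole point of the entry is that URLs taken from those tags bypass the `redirect_uri` scheme validation, the missing token should be restored, escaped as JSON text if angle brackets were what got stripped.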
@@ -50245,6 +51753,16 @@
],
"v": "<2023.9.2"
},
+ {
+ "advisory": "An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration.",
+ "cve": "CVE-2020-36517",
+ "id": "pyup.io-70619",
+ "more_info_path": "/vulnerabilities/CVE-2020-36517/70619",
+ "specs": [
+ "<=2022.03"
+ ],
+ "v": "<=2022.03"
+ },
{
"advisory": "Home Assistant before version 2023.12.3 has a vulnerability where the login page would disclose all active user accounts to unauthenticated LAN requests. This aimed to simplify login by displaying user profiles, similar to other applications. However, it exposed accounts to any LAN-connected device. Version 2023.12.3 patches this issue, limiting account visibility to enhance security. This vulnerability was specific to requests from the local or any reachable private subnet.",
"cve": "CVE-2023-50715",
@@ -50322,20 +51840,20 @@
],
"honeybee-radiance-postprocess": [
{
- "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
- "cve": "CVE-2022-40897",
- "id": "pyup.io-53623",
- "more_info_path": "/vulnerabilities/CVE-2022-40897/53623",
+ "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'wheel' to v0.38.1 to include a security fix.",
+ "cve": "CVE-2022-40898",
+ "id": "pyup.io-53615",
+ "more_info_path": "/vulnerabilities/CVE-2022-40898/53615",
"specs": [
"<0.4.166"
],
"v": "<0.4.166"
},
{
- "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'wheel' to v0.38.1 to include a security fix.",
- "cve": "CVE-2022-40898",
- "id": "pyup.io-53615",
- "more_info_path": "/vulnerabilities/CVE-2022-40898/53615",
+ "advisory": "Honeybee-radiance-postprocess 0.4.166 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-53623",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/53623",
"specs": [
"<0.4.166"
],
@@ -50550,9 +52068,124 @@
"id": "pyup.io-37741",
"more_info_path": "/vulnerabilities/CVE-2012-5474/37741",
"specs": [
- ">=2000,<2012.1.1"
+ ">2010,<2012.1.1"
+ ],
+ "v": ">2010,<2012.1.1"
+ },
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) \"Volumes\" or (2) \"Network Topology\" page.",
+ "cve": "CVE-2013-6858",
+ "id": "pyup.io-70589",
+ "more_info_path": "/vulnerabilities/CVE-2013-6858/70589",
+ "specs": [
+ ">2010,<2013.2.1"
+ ],
+ "v": ">2010,<2013.2.1"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.",
+ "cve": "CVE-2014-3475",
+ "id": "pyup.io-70423",
+ "more_info_path": "/vulnerabilities/CVE-2014-3475/70423",
+ "specs": [
+ ">2010,<2013.2.4",
+ ">=2014.1,<2014.1.2"
+ ],
+ "v": ">2010,<2013.2.4,>=2014.1,<2014.1.2"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.",
+ "cve": "CVE-2014-8578",
+ "id": "pyup.io-70584",
+ "more_info_path": "/vulnerabilities/CVE-2014-8578/70584",
+ "specs": [
+ ">2010,<2013.2.4",
+ ">=2014.1,<2014.2"
],
- "v": ">=2000,<2012.1.1"
+ "v": ">2010,<2013.2.4,>=2014.1,<2014.2"
+ },
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.",
+ "cve": "CVE-2015-3988",
+ "id": "pyup.io-70417",
+ "more_info_path": "/vulnerabilities/CVE-2015-3988/70417",
+ "specs": [
+ ">2010,<2015.1.1"
+ ],
+ "v": ">2010,<2015.1.1"
+ },
+ {
+ "advisory": "Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.",
+ "cve": "CVE-2012-3540",
+ "id": "pyup.io-68014",
+ "more_info_path": "/vulnerabilities/CVE-2012-3540/68014",
+ "specs": [
+ ">2010,<=2012.1"
+ ],
+ "v": ">2010,<=2012.1"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console.",
+ "cve": "CVE-2012-2094",
+ "id": "pyup.io-68011",
+ "more_info_path": "/vulnerabilities/CVE-2012-2094/68011",
+ "specs": [
+ ">2010,<=2012.1"
+ ],
+ "v": ">2010,<=2012.1"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.",
+ "cve": "CVE-2015-3219",
+ "id": "pyup.io-70418",
+ "more_info_path": "/vulnerabilities/CVE-2015-3219/70418",
+ "specs": [
+ ">2014.2,<2014.2.4",
+ ">2015.1,<2015.1.1"
+ ],
+ "v": ">2014.2,<2014.2.4,>2015.1,<2015.1.1"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.",
+ "cve": "CVE-2014-3594",
+ "id": "pyup.io-70590",
+ "more_info_path": "/vulnerabilities/CVE-2014-3594/70590",
+ "specs": [
+ ">=2010,<2013.2.4",
+ ">=2014.1,<2014.1.2"
+ ],
+ "v": ">=2010,<2013.2.4,>=2014.1,<2014.1.2"
+ },
+ {
+ "advisory": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
+ "cve": "CVE-2014-8124",
+ "id": "pyup.io-70611",
+ "more_info_path": "/vulnerabilities/CVE-2014-8124/70611",
+ "specs": [
+ ">=2010,<2014.1.3",
+ ">=2014.2.0,<2014.2.1"
+ ],
+ "v": ">=2010,<2014.1.3,>=2014.2.0,<2014.2.1"
+ },
+ {
+ "advisory": "Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie.",
+ "cve": "CVE-2012-2144",
+ "id": "pyup.io-68012",
+ "more_info_path": "/vulnerabilities/CVE-2012-2144/68012",
+ "specs": [
+ ">=2012,<2012.1.1"
+ ],
+ "v": ">=2012,<2012.1.1"
+ },
+ {
+ "advisory": "Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable which exposes the admin password and token value.",
+ "cve": "CVE-2012-5476",
+ "id": "pyup.io-67991",
+ "more_info_path": "/vulnerabilities/CVE-2012-5476/67991",
+ "specs": [
+ ">=2012.2,<=2012.2"
+ ],
+ "v": ">=2012.2,<=2012.2"
},
{
"advisory": "The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.",
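Review bot: The CVE-2015-3219 specs use exclusive lower bounds, `">2014.2,<2014.2.4"` and `">2015.1,<2015.1.1"`, which exclude the 2014.2 and 2015.1 releases themselves (PEP 440 treats 2014.2 and 2014.2.0 as equal) even though the advisory names "2014.2 before 2014.2.4" and "2015.1.x before 2015.1.1" as affected; `">=2014.2,<2014.2.4"` and `">=2015.1,<2015.1.1"` match the text. In the same hunk the CVE-2014-8578 spec `">=2014.1,<2014.2"` is wider than its advisory's "2014.1 before 2014.1.2" and disagrees with the sibling CVE-2014-3475 entry, which uses `"<2014.1.2"` for the identical wording. CVE-2012-5476's `">=2012.2,<=2012.2"` is a roundabout single-version pin that the file elsewhere writes as `"==..."` (see the `"==11.0.0"` spec in the next hunk), and its advisory concerns a world-readable config file in the RHOS packaging rather than the horizon distribution, which is worth stating so consumers can judge applicability. The lower bounds also alternate between `>2010`, `>=2010` and `>=2012` across the new entries with no evident rule.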
@@ -50573,6 +52206,18 @@
">=2013.2.0,<2013.2.4"
],
"v": ">=2013.2.0,<2013.2.4"
+ },
+ {
+ "advisory": "OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.",
+ "cve": "CVE-2017-7400",
+ "id": "pyup.io-67543",
+ "more_info_path": "/vulnerabilities/CVE-2017-7400/67543",
+ "specs": [
+ ">=9.0.0,<=9.1.1",
+ ">=10.0.0,<=10.0.2",
+ "==11.0.0"
+ ],
+ "v": ">=9.0.0,<=9.1.1,>=10.0.0,<=10.0.2,==11.0.0"
}
],
"horovod": [
@@ -52378,16 +54023,6 @@
],
"v": "<3.4.0"
},
- {
- "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.",
- "cve": "CVE-2020-8284",
- "id": "pyup.io-45867",
- "more_info_path": "/vulnerabilities/CVE-2020-8284/45867",
- "specs": [
- "<3.4.0"
- ],
- "v": "<3.4.0"
- },
{
"advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.",
"cve": "CVE-2020-8169",
@@ -52418,6 +54053,16 @@
],
"v": "<3.4.0"
},
+ {
+ "advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.",
+ "cve": "CVE-2020-8284",
+ "id": "pyup.io-45867",
+ "more_info_path": "/vulnerabilities/CVE-2020-8284/45867",
+ "specs": [
+ "<3.4.0"
+ ],
+ "v": "<3.4.0"
+ },
{
"advisory": "Hotaru 3.4.0 updates its dependency 'Tensorflow' minimum requirement to v2.6.1 to include security fixes.",
"cve": "CVE-2020-8286",
@@ -53897,6 +55542,18 @@
"v": "<0.1.2"
}
],
+ "ibis-framework": [
+ {
+ "advisory": "Ibis-framework versions before 7.1.0 are susceptible to an OS Command Injection vulnerability due to improper neutralization of special elements used in OS commands. This vulnerability allows attackers to execute arbitrary code on the system where the ibis-framework is deployed.",
+ "cve": "CVE-2023-47248",
+ "id": "pyup.io-68084",
+ "more_info_path": "/vulnerabilities/CVE-2023-47248/68084",
+ "specs": [
+ "<7.1.0"
+ ],
+ "v": "<7.1.0"
+ }
+ ],
"ibis-substrait": [
{
"advisory": "Ibis-substrait version 2.11.1 upgrades its protobuf dependency to version 3.20.2 in response to the security vulnerability CVE-2022-1941.\r\nhttps://github.com/ibis-project/ibis-substrait/commit/d45f2399cd19b5014a0de1deb74abbdbd3a24aa7",
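Review bot: The ibis-framework advisory describes an OS command injection in ibis-framework itself, but to my knowledge CVE-2023-47248 is the PyArrow deserialization issue (arbitrary code execution via crafted IPC/Parquet input), which ibis 7.1.0 would have addressed by bumping its pyarrow requirement; the two descriptions do not match, so one of `cve` or `advisory` is likely wrong — please confirm against the CVE record. If it is the PyArrow bump, the entry should read like the other dependency-bump entries in this commit, e.g. `"advisory": "Ibis-framework 7.1.0 raises its pyarrow requirement to address CVE-2023-47248."` with the remaining fields unchanged.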
@@ -53921,6 +55578,28 @@
"v": "<1.0.1"
}
],
+ "ibmsecurity": [
+ {
+ "advisory": "Affected versions of Ibmsecurity are vulnerable to a Insecure Communications flaw. All the SSL/TLS connections to the remote ISVA server are configured in an insecure way.",
+ "cve": "PVE-2024-67500",
+ "id": "pyup.io-67500",
+ "more_info_path": "/vulnerabilities/PVE-2024-67500/67500",
+ "specs": [
+ "<2024.4.5.0"
+ ],
+ "v": "<2024.4.5.0"
+ },
+ {
+ "advisory": "Affected versions of Ibmsecurity are vulnerable to a Hardcoded Credentials flaw.",
+ "cve": "PVE-2024-67530",
+ "id": "pyup.io-67530",
+ "more_info_path": "/vulnerabilities/PVE-2024-67530/67530",
+ "specs": [
+ "<2024.4.5.0"
+ ],
+ "v": "<2024.4.5.0"
+ }
+ ],
"idchecker": [
{
"advisory": "Idchecker was re-created for security reasons.",
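Review bot: Both ibmsecurity advisories state only that affected versions have a flaw ("configured in an insecure way", "Hardcoded Credentials") and never mention the release the `specs` field implies as the fix, 2024.4.5.0, so a reader cannot tell from the text whether the bound is a verified fix or an estimate. A closing sentence in each, such as `Version 2024.4.5.0 enables certificate verification on these connections.` for the first (only if that is what changed), would tie the range to the remedy; the first advisory also reads "a Insecure Communications flaw" and should be "an Insecure Communications flaw".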
@@ -53933,6 +55612,18 @@
"v": "<1.1.2"
}
],
+ "idna": [
+ {
+ "advisory": "CVE-2024-3651 impacts the idna.encode() function, where a specially crafted argument could lead to significant resource consumption, causing a denial-of-service. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-67895",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/67895",
+ "specs": [
+ "<3.7"
+ ],
+ "v": "<3.7"
+ }
+ ],
"ietfdata": [
{
"advisory": "Ietfdata 0.6.3 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
@@ -54263,10 +55954,10 @@
"v": "<1.0.1"
},
{
- "advisory": "In-toto 2.0.0 fixes a security issue: Configuration Read From Local Directory.\r\nhttps://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf",
- "cve": "CVE-2023-32076",
- "id": "pyup.io-58654",
- "more_info_path": "/vulnerabilities/CVE-2023-32076/58654",
+ "advisory": "In-toto 2.0.0 fixes a security issue: Functionaries Do Not Perform Verification.\r\nhttps://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x",
+ "cve": "PVE-2023-58647",
+ "id": "pyup.io-58647",
+ "more_info_path": "/vulnerabilities/PVE-2023-58647/58647",
"specs": [
"<2.0.0"
],
@@ -54283,10 +55974,10 @@
"v": "<2.0.0"
},
{
- "advisory": "In-toto 2.0.0 fixes a security issue: Functionaries Do Not Perform Verification.\r\nhttps://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x",
- "cve": "PVE-2023-58647",
- "id": "pyup.io-58647",
- "more_info_path": "/vulnerabilities/PVE-2023-58647/58647",
+ "advisory": "In-toto 2.0.0 fixes a security issue: Configuration Read From Local Directory.\r\nhttps://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf",
+ "cve": "CVE-2023-32076",
+ "id": "pyup.io-58654",
+ "more_info_path": "/vulnerabilities/CVE-2023-32076/58654",
"specs": [
"<2.0.0"
],
@@ -54303,6 +55994,16 @@
"<0.46.0"
],
"v": "<0.46.0"
+ },
+ {
+ "advisory": "Inboard version 0.68.0 has updated its gunicorn dependency from version 21.2.0 to 22.0.0 to address the security vulnerability detailed in CVE-2024-1135.",
+ "cve": "CVE-2024-1135",
+ "id": "pyup.io-70536",
+ "more_info_path": "/vulnerabilities/CVE-2024-1135/70536",
+ "specs": [
+ "<0.68.0"
+ ],
+ "v": "<0.68.0"
}
],
"incrivelsim": [
@@ -54359,6 +56060,16 @@
],
"v": "<2.1.3"
},
+ {
+ "advisory": "Indico 2.2.8 updates its dependency 'bleach' to v3.1.4 to include security fixes.",
+ "cve": "CVE-2020-6817",
+ "id": "pyup.io-43466",
+ "more_info_path": "/vulnerabilities/CVE-2020-6817/43466",
+ "specs": [
+ "<2.2.8"
+ ],
+ "v": "<2.2.8"
+ },
{
"advisory": "Indico 2.2.8 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
"cve": "CVE-2020-5312",
@@ -54370,10 +56081,20 @@
"v": "<2.2.8"
},
{
- "advisory": "Indico 2.2.8 updates its dependency 'bleach' to v3.1.4 to include security fixes.",
- "cve": "CVE-2020-6817",
- "id": "pyup.io-43466",
- "more_info_path": "/vulnerabilities/CVE-2020-6817/43466",
+ "advisory": "Indico 2.2.8 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
+ "cve": "CVE-2019-19911",
+ "id": "pyup.io-43465",
+ "more_info_path": "/vulnerabilities/CVE-2019-19911/43465",
+ "specs": [
+ "<2.2.8"
+ ],
+ "v": "<2.2.8"
+ },
+ {
+ "advisory": "Indico 2.2.8 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
+ "cve": "CVE-2020-5310",
+ "id": "pyup.io-38163",
+ "more_info_path": "/vulnerabilities/CVE-2020-5310/38163",
"specs": [
"<2.2.8"
],
@@ -54409,26 +56130,6 @@
],
"v": "<2.2.8"
},
- {
- "advisory": "Indico 2.2.8 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
- "cve": "CVE-2020-5310",
- "id": "pyup.io-38163",
- "more_info_path": "/vulnerabilities/CVE-2020-5310/38163",
- "specs": [
- "<2.2.8"
- ],
- "v": "<2.2.8"
- },
- {
- "advisory": "Indico 2.2.8 updates its dependency 'pillow' to v6.2.2 to include security fixes.",
- "cve": "CVE-2019-19911",
- "id": "pyup.io-43465",
- "more_info_path": "/vulnerabilities/CVE-2019-19911/43465",
- "specs": [
- "<2.2.8"
- ],
- "v": "<2.2.8"
- },
{
"advisory": "Indico 2.3.1 fixes a potential data leakage between OAuth-authenticated and unauthenticated HTTP API requests for the same resource. Developers believe this issue was not exploitable in any Indico instance.",
"cve": "PVE-2022-48311",
@@ -54489,6 +56190,16 @@
],
"v": "<3.0rc1"
},
+ {
+ "advisory": "Indico 3.2.3 updates its dependency 'cryptography ' to include a security fix.",
+ "cve": "CVE-2023-0286",
+ "id": "pyup.io-53450",
+ "more_info_path": "/vulnerabilities/CVE-2023-0286/53450",
+ "specs": [
+ "<3.2.3"
+ ],
+ "v": "<3.2.3"
+ },
{
"advisory": "Indico 3.2.3 sanitizes HTML in global announcement messages to avoid XSS attacks.",
"cve": "PVE-2023-53437",
@@ -54509,16 +56220,6 @@
],
"v": "<3.2.3"
},
- {
- "advisory": "Indico 3.2.3 updates its dependency 'cryptography ' to include a security fix.",
- "cve": "CVE-2023-0286",
- "id": "pyup.io-53450",
- "more_info_path": "/vulnerabilities/CVE-2023-0286/53450",
- "specs": [
- "<3.2.3"
- ],
- "v": "<3.2.3"
- },
{
"advisory": "Indico 3.2.5 includes a fix for a XSS vulnerability.\r\nhttps://github.com/indico/indico/pull/5818",
"cve": "PVE-2023-59202",
@@ -67225,20 +68926,20 @@
"v": "<0.8.0"
},
{
- "advisory": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.\r\nhttps://github.com/inventree/InvenTree/security/advisories/GHSA-7rq4-qcpw-74gq",
- "cve": "CVE-2022-2112",
- "id": "pyup.io-54072",
- "more_info_path": "/vulnerabilities/CVE-2022-2112/54072",
+ "advisory": "Inventree 0.7.2 includes a security fix: Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views.\r\n- https://huntr.dev/bounties/4cae8442-c042-43c2-ad89-6f666eaf3d57/\r\n- https://huntr.dev/bounties/9d640ef2-c52c-4106-b043-f7497d577078/\r\n- https://huntr.dev/bounties/b114e82f-6c02-485b-82ea-e242f89169c2/\r\n- https://huntr.dev/bounties/22783cd3-1b2c-48fc-b31f-03b53c86da0b/",
+ "cve": "PVE-2023-55205",
+ "id": "pyup.io-55205",
+ "more_info_path": "/vulnerabilities/PVE-2023-55205/55205",
"specs": [
">=0,<0.7.2"
],
"v": ">=0,<0.7.2"
},
{
- "advisory": "Inventree 0.7.2 includes a security fix: Affected versions can have malicious javascript code injected into the users browser by other authenticated users, as data fields retrieved from the database are not properly sanitized before displaying in various front-end views.\r\n- https://huntr.dev/bounties/4cae8442-c042-43c2-ad89-6f666eaf3d57/\r\n- https://huntr.dev/bounties/9d640ef2-c52c-4106-b043-f7497d577078/\r\n- https://huntr.dev/bounties/b114e82f-6c02-485b-82ea-e242f89169c2/\r\n- https://huntr.dev/bounties/22783cd3-1b2c-48fc-b31f-03b53c86da0b/",
- "cve": "PVE-2023-55205",
- "id": "pyup.io-55205",
- "more_info_path": "/vulnerabilities/PVE-2023-55205/55205",
+ "advisory": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.\r\nhttps://github.com/inventree/InvenTree/security/advisories/GHSA-7rq4-qcpw-74gq",
+ "cve": "CVE-2022-2112",
+ "id": "pyup.io-54072",
+ "more_info_path": "/vulnerabilities/CVE-2022-2112/54072",
"specs": [
">=0,<0.7.2"
],
@@ -67266,16 +68967,6 @@
}
],
"invokeai": [
- {
- "advisory": "Invokeai 2.0.2 updates its dependency, transformers, from version 4.19.2 to 4.21.3. This update was prompted by a vulnerability identified as CVE-2023-6730.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e",
- "cve": "CVE-2023-6730",
- "id": "pyup.io-63304",
- "more_info_path": "/vulnerabilities/CVE-2023-6730/63304",
- "specs": [
- "<2.0.2"
- ],
- "v": "<2.0.2"
- },
{
"advisory": "Invokeai 2.0.2 updates its dependency, protobuf, from version 3.19.4 to 3.19.6. This update was prompted by a vulnerability identified as CVE-2022-1941.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e",
"cve": "CVE-2022-1941",
@@ -67295,6 +68986,16 @@
"<2.0.2"
],
"v": "<2.0.2"
+ },
+ {
+ "advisory": "Invokeai 2.0.2 updates its dependency, transformers, from version 4.19.2 to 4.21.3. This update was prompted by a vulnerability identified as CVE-2023-6730.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e",
+ "cve": "CVE-2023-6730",
+ "id": "pyup.io-63304",
+ "more_info_path": "/vulnerabilities/CVE-2023-6730/63304",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
}
],
"iotedgehubdev": [
@@ -67310,6 +69011,56 @@
}
],
"ipa": [
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.",
+ "cve": "CVE-2014-7850",
+ "id": "pyup.io-70471",
+ "more_info_path": "/vulnerabilities/CVE-2014-7850/70471",
+ "specs": [
+ "<4.1.2"
+ ],
+ "v": "<4.1.2"
+ },
+ {
+ "advisory": "ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate and private key in /etc/httpd/alias/kra-agent.pem, which is world readable.",
+ "cve": "CVE-2015-5284",
+ "id": "pyup.io-70467",
+ "more_info_path": "/vulnerabilities/CVE-2015-5284/70467",
+ "specs": [
+ "<4.2.2"
+ ],
+ "v": "<4.2.2"
+ },
+ {
+ "advisory": "The cert_revoke command in FreeIPA does not check for the \"revoke certificate\" permission, which allows remote authenticated users to revoke arbitrary certificates by leveraging the \"retrieve certificate\" permission.",
+ "cve": "CVE-2016-5404",
+ "id": "pyup.io-70534",
+ "more_info_path": "/vulnerabilities/CVE-2016-5404/70534",
+ "specs": [
+ "<4.3.3"
+ ],
+ "v": "<4.3.3"
+ },
+ {
+ "advisory": "A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys.",
+ "cve": "CVE-2017-2590",
+ "id": "pyup.io-67440",
+ "more_info_path": "/vulnerabilities/CVE-2017-2590/67440",
+ "specs": [
+ "<4.4.0"
+ ],
+ "v": "<4.4.0"
+ },
+ {
+ "advisory": "Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks.",
+ "cve": "CVE-2016-9575",
+ "id": "pyup.io-70518",
+ "more_info_path": "/vulnerabilities/CVE-2016-9575/70518",
+ "specs": [
+ "<4.4.3"
+ ],
+ "v": "<4.4.3"
+ },
{
"advisory": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points, FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for the reflection of a cookie representing an already logged-in user. An attacker would always have to go through a new authentication attempt.",
"cve": "CVE-2023-5455",
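Review bot: The CVE-2016-9575 entry's range `<4.4.3` does not match its own advisory text, which names 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 as affected — as written it also flags every fixed 4.3.3+ release. The multi-range form this file already uses elsewhere fits here: `"specs": ["<4.3.3", ">=4.4,<4.4.3"]` with `"v": "<4.3.3,>=4.4,<4.4.3"`. Separately, all five added entries describe FreeIPA; nothing in the hunk shows that the PyPI distribution named `ipa` is that project, so the mapping is worth confirming before these ranges start flagging an unrelated package. The enclosing `ipa` array continues past the hunk.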
@@ -67322,6 +69073,77 @@
],
"v": "<4.6.10,>=4.7.0,<4.9.14,>=4.10.0,<4.10.3"
},
+ {
+ "advisory": "ipa 3.0 does not properly check server identity before sending credential containing cookies",
+ "cve": "CVE-2012-5631",
+ "id": "pyup.io-67962",
+ "more_info_path": "/vulnerabilities/CVE-2012-5631/67962",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
+ },
+ {
+ "advisory": "FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services.",
+ "cve": "CVE-2016-5414",
+ "id": "pyup.io-70514",
+ "more_info_path": "/vulnerabilities/CVE-2016-5414/70514",
+ "specs": [
+ "<=4.4.0"
+ ],
+ "v": "<=4.4.0"
+ },
+ {
+ "advisory": "FreeIPA might display user data improperly via vectors involving non-printable characters.",
+ "cve": "CVE-2015-5179",
+ "id": "pyup.io-70469",
+ "more_info_path": "/vulnerabilities/CVE-2015-5179/70469",
+ "specs": [
+ "<=4.5.0"
+ ],
+ "v": "<=4.5.0"
+ },
+ {
+ "advisory": "FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account in which system services run on.",
+ "cve": "CVE-2016-7030",
+ "id": "pyup.io-70516",
+ "more_info_path": "/vulnerabilities/CVE-2016-7030/70516",
+ "specs": [
+ "<=4.6.0"
+ ],
+ "v": "<=4.6.0"
+ },
+ {
+ "advisory": "FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind.",
+ "cve": "CVE-2014-7828",
+ "id": "pyup.io-70473",
+ "more_info_path": "/vulnerabilities/CVE-2014-7828/70473",
+ "specs": [
+ ">=4.0,<4.0.5",
+ ">4.1,<4.1.1"
+ ],
+ "v": ">=4.0,<4.0.5,>4.1,<4.1.1"
+ },
+ {
+ "advisory": "A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.",
+ "cve": "CVE-2020-1722",
+ "id": "pyup.io-70581",
+ "more_info_path": "/vulnerabilities/CVE-2020-1722/70581",
+ "specs": [
+ ">=4.0.0,<=4.8.0"
+ ],
+ "v": ">=4.0.0,<=4.8.0"
+ },
+ {
+ "advisory": "It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.",
+ "cve": "CVE-2017-12169",
+ "id": "pyup.io-67439",
+ "more_info_path": "/vulnerabilities/CVE-2017-12169/67439",
+ "specs": [
+ ">=4.2.0"
+ ],
+ "v": ">=4.2.0"
+ },
{
"advisory": "A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.",
"cve": "CVE-2019-10195",
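Review bot: The CVE-2014-7828 entry's second range `>4.1,<4.1.1` excludes 4.1 itself, although the advisory says 4.1.x before 4.1.1; under PEP 440 `4.1` and `4.1.0` are the same version, so it should read `>=4.1,<4.1.1` in both `specs` and `v`, matching the `>=4.0,<4.0.5` form used in the same entry. The CVE-2017-12169 entry is open-ended (`>=4.2.0`), so it will flag every current release even though the advisory text itself notes the report is disputed as a design question; if no fixed version exists that may be intended, but it deserves an explicit confirmation rather than an implicit one. The `ipa` array continues past this hunk.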
@@ -67460,6 +69282,37 @@
}
],
"ipsilon": [
+ {
+ "advisory": "providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider (SP) owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name.",
+ "cve": "CVE-2015-5217",
+ "id": "pyup.io-70463",
+ "more_info_path": "/vulnerabilities/CVE-2015-5217/70463",
+ "specs": [
+ "<1.0.1"
+ ],
+ "v": "<1.0.1"
+ },
+ {
+ "advisory": "** DISPUTED ** The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.",
+ "cve": "CVE-2015-5215",
+ "id": "pyup.io-70464",
+ "more_info_path": "/vulnerabilities/CVE-2015-5215/70464",
+ "specs": [
+ "<1.0.1"
+ ],
+ "v": "<1.0.1"
+ },
+ {
+ "advisory": "providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider (SP).",
+ "cve": "CVE-2015-5301",
+ "id": "pyup.io-70462",
+ "more_info_path": "/vulnerabilities/CVE-2015-5301/70462",
+ "specs": [
+ "<1.0.2",
+ ">=1.1,<1.1.1"
+ ],
+ "v": "<1.0.2,>=1.1,<1.1.1"
+ },
{
"advisory": "The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response. See: CVE-2015-5216.",
"cve": "CVE-2015-5216",
@@ -68107,6 +69960,18 @@
"v": "<0.6.12"
}
],
+ "ironic": [
+ {
+ "advisory": "OpenStack Ironic 4.2.0 through 4.2.1 does not \"clean\" the disk after use, which allows remote authenticated users to obtain sensitive information.",
+ "cve": "CVE-2015-7514",
+ "id": "pyup.io-70476",
+ "more_info_path": "/vulnerabilities/CVE-2015-7514/70476",
+ "specs": [
+ "<4.2.2"
+ ],
+ "v": "<4.2.2"
+ }
+ ],
"ironic-discoverd": [
{
"advisory": "Ironic-inspector (aka ironic-discoverd) 2.3.0 includes a fix for CVE-2015-5306: When debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.\r\nhttps://opendev.org/openstack/ironic-inspector/commit/77d0052c5133034490386fbfadfdb1bdb49aa44f",
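Review bot: The CVE-2015-7514 range `<4.2.2` is wider than the advisory text, which names only Ironic 4.2.0 through 4.2.1; as written every pre-4.2.0 release is flagged as well. The neighbouring ironic-discoverd entry shows the bounded form this database already uses, so `"specs": [">=4.2.0,<4.2.2"]` and `"v": ">=4.2.0,<4.2.2"` would match the advisory.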
@@ -68157,6 +70022,18 @@
"v": ">=4.2.0,<4.2.3"
}
],
+ "irssi": [
+ {
+ "advisory": "Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer.",
+ "cve": "CVE-2019-5882",
+ "id": "pyup.io-70575",
+ "more_info_path": "/vulnerabilities/CVE-2019-5882/70575",
+ "specs": [
+ "<1.1.2"
+ ],
+ "v": "<1.1.2"
+ }
+ ],
"iscc-core": [
{
"advisory": "Iscc-core 0.2.0 uses a cryptographycally safe random choice function.\r\nhttps://github.com/iscc/iscc-core/commit/87570e28fb14fd016bc0f1938d1a23397a98edb4",
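Review bot: The new `irssi` entry describes a use-after-free in Irssi's scroll buffer, which is the C IRC client; nothing in the hunk shows that the PyPI distribution named `irssi` is that code, so this may attach a native-code CVE to an unrelated Python package. If the mapping came from name matching alone, confirm the package before merging, otherwise the scanner will report a false positive for every install of it below 1.1.2.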
@@ -68495,16 +70372,6 @@
],
"v": "<2.0.0"
},
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29552",
- "id": "pyup.io-44144",
- "more_info_path": "/vulnerabilities/CVE-2021-29552/44144",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29549",
@@ -68537,9 +70404,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29512",
- "id": "pyup.io-44088",
- "more_info_path": "/vulnerabilities/CVE-2021-29512/44088",
+ "cve": "CVE-2021-29586",
+ "id": "pyup.io-44107",
+ "more_info_path": "/vulnerabilities/CVE-2021-29586/44107",
"specs": [
"<2.0.0"
],
@@ -68547,9 +70414,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29551",
- "id": "pyup.io-44096",
- "more_info_path": "/vulnerabilities/CVE-2021-29551/44096",
+ "cve": "CVE-2021-29579",
+ "id": "pyup.io-44101",
+ "more_info_path": "/vulnerabilities/CVE-2021-29579/44101",
"specs": [
"<2.0.0"
],
@@ -68557,9 +70424,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29541",
- "id": "pyup.io-44130",
- "more_info_path": "/vulnerabilities/CVE-2021-29541/44130",
+ "cve": "CVE-2021-29512",
+ "id": "pyup.io-44088",
+ "more_info_path": "/vulnerabilities/CVE-2021-29512/44088",
"specs": [
"<2.0.0"
],
@@ -68585,6 +70452,16 @@
],
"v": "<2.0.0"
},
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29541",
+ "id": "pyup.io-44130",
+ "more_info_path": "/vulnerabilities/CVE-2021-29541/44130",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29598",
@@ -68595,6 +70472,36 @@
],
"v": "<2.0.0"
},
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29551",
+ "id": "pyup.io-44096",
+ "more_info_path": "/vulnerabilities/CVE-2021-29551/44096",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29567",
+ "id": "pyup.io-44086",
+ "more_info_path": "/vulnerabilities/CVE-2021-29567/44086",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29552",
+ "id": "pyup.io-44144",
+ "more_info_path": "/vulnerabilities/CVE-2021-29552/44144",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29615",
@@ -68605,6 +70512,16 @@
],
"v": "<2.0.0"
},
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29553",
+ "id": "pyup.io-44141",
+ "more_info_path": "/vulnerabilities/CVE-2021-29553/44141",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29595",
@@ -68667,9 +70584,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29546",
- "id": "pyup.io-44135",
- "more_info_path": "/vulnerabilities/CVE-2021-29546/44135",
+ "cve": "CVE-2021-29618",
+ "id": "pyup.io-44140",
+ "more_info_path": "/vulnerabilities/CVE-2021-29618/44140",
"specs": [
"<2.0.0"
],
@@ -68677,9 +70594,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29618",
- "id": "pyup.io-44140",
- "more_info_path": "/vulnerabilities/CVE-2021-29618/44140",
+ "cve": "CVE-2021-29546",
+ "id": "pyup.io-44135",
+ "more_info_path": "/vulnerabilities/CVE-2021-29546/44135",
"specs": [
"<2.0.0"
],
@@ -68735,16 +70652,6 @@
],
"v": "<2.0.0"
},
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29586",
- "id": "pyup.io-44107",
- "more_info_path": "/vulnerabilities/CVE-2021-29586/44107",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29608",
@@ -68757,9 +70664,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29523",
- "id": "pyup.io-44068",
- "more_info_path": "/vulnerabilities/CVE-2021-29523/44068",
+ "cve": "CVE-2021-29526",
+ "id": "pyup.io-44157",
+ "more_info_path": "/vulnerabilities/CVE-2021-29526/44157",
"specs": [
"<2.0.0"
],
@@ -68767,9 +70674,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29526",
- "id": "pyup.io-44157",
- "more_info_path": "/vulnerabilities/CVE-2021-29526/44157",
+ "cve": "CVE-2021-29523",
+ "id": "pyup.io-44068",
+ "more_info_path": "/vulnerabilities/CVE-2021-29523/44068",
"specs": [
"<2.0.0"
],
@@ -68895,16 +70802,6 @@
],
"v": "<2.0.0"
},
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29579",
- "id": "pyup.io-44101",
- "more_info_path": "/vulnerabilities/CVE-2021-29579/44101",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29522",
@@ -69037,9 +70934,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29534",
- "id": "pyup.io-44075",
- "more_info_path": "/vulnerabilities/CVE-2021-29534/44075",
+ "cve": "CVE-2021-29513",
+ "id": "pyup.io-44097",
+ "more_info_path": "/vulnerabilities/CVE-2021-29513/44097",
"specs": [
"<2.0.0"
],
@@ -69047,9 +70944,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29513",
- "id": "pyup.io-44097",
- "more_info_path": "/vulnerabilities/CVE-2021-29513/44097",
+ "cve": "CVE-2021-29534",
+ "id": "pyup.io-44075",
+ "more_info_path": "/vulnerabilities/CVE-2021-29534/44075",
"specs": [
"<2.0.0"
],
@@ -69117,19 +71014,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29532",
- "id": "pyup.io-44070",
- "more_info_path": "/vulnerabilities/CVE-2021-29532/44070",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29524",
- "id": "pyup.io-44064",
- "more_info_path": "/vulnerabilities/CVE-2021-29524/44064",
+ "cve": "CVE-2021-29544",
+ "id": "pyup.io-44074",
+ "more_info_path": "/vulnerabilities/CVE-2021-29544/44074",
"specs": [
"<2.0.0"
],
@@ -69137,9 +71024,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29619",
- "id": "pyup.io-44143",
- "more_info_path": "/vulnerabilities/CVE-2021-29619/44143",
+ "cve": "CVE-2021-29552",
+ "id": "pyup.io-44142",
+ "more_info_path": "/vulnerabilities/CVE-2021-29552/44142",
"specs": [
"<2.0.0"
],
@@ -69147,9 +71034,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29544",
- "id": "pyup.io-44074",
- "more_info_path": "/vulnerabilities/CVE-2021-29544/44074",
+ "cve": "CVE-2021-29532",
+ "id": "pyup.io-44070",
+ "more_info_path": "/vulnerabilities/CVE-2021-29532/44070",
"specs": [
"<2.0.0"
],
@@ -69157,9 +71044,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29552",
- "id": "pyup.io-44142",
- "more_info_path": "/vulnerabilities/CVE-2021-29552/44142",
+ "cve": "CVE-2021-29619",
+ "id": "pyup.io-44143",
+ "more_info_path": "/vulnerabilities/CVE-2021-29619/44143",
"specs": [
"<2.0.0"
],
@@ -69167,9 +71054,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29569",
- "id": "pyup.io-44161",
- "more_info_path": "/vulnerabilities/CVE-2021-29569/44161",
+ "cve": "CVE-2021-29524",
+ "id": "pyup.io-44064",
+ "more_info_path": "/vulnerabilities/CVE-2021-29524/44064",
"specs": [
"<2.0.0"
],
@@ -69197,19 +71084,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29533",
- "id": "pyup.io-44089",
- "more_info_path": "/vulnerabilities/CVE-2021-29533/44089",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29612",
- "id": "pyup.io-44134",
- "more_info_path": "/vulnerabilities/CVE-2021-29612/44134",
+ "cve": "CVE-2021-29577",
+ "id": "pyup.io-44171",
+ "more_info_path": "/vulnerabilities/CVE-2021-29577/44171",
"specs": [
"<2.0.0"
],
@@ -69217,9 +71094,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29567",
- "id": "pyup.io-44086",
- "more_info_path": "/vulnerabilities/CVE-2021-29567/44086",
+ "cve": "CVE-2021-29533",
+ "id": "pyup.io-44089",
+ "more_info_path": "/vulnerabilities/CVE-2021-29533/44089",
"specs": [
"<2.0.0"
],
@@ -69227,9 +71104,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29577",
- "id": "pyup.io-44171",
- "more_info_path": "/vulnerabilities/CVE-2021-29577/44171",
+ "cve": "CVE-2021-29612",
+ "id": "pyup.io-44134",
+ "more_info_path": "/vulnerabilities/CVE-2021-29612/44134",
"specs": [
"<2.0.0"
],
@@ -69275,16 +71152,6 @@
],
"v": "<2.0.0"
},
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29540",
- "id": "pyup.io-44094",
- "more_info_path": "/vulnerabilities/CVE-2021-29540/44094",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2021-29601",
@@ -69357,9 +71224,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2020-8286",
- "id": "pyup.io-44155",
- "more_info_path": "/vulnerabilities/CVE-2020-8286/44155",
+ "cve": "CVE-2021-29611",
+ "id": "pyup.io-44133",
+ "more_info_path": "/vulnerabilities/CVE-2021-29611/44133",
"specs": [
"<2.0.0"
],
@@ -69367,9 +71234,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29611",
- "id": "pyup.io-44133",
- "more_info_path": "/vulnerabilities/CVE-2021-29611/44133",
+ "cve": "CVE-2020-8286",
+ "id": "pyup.io-44155",
+ "more_info_path": "/vulnerabilities/CVE-2020-8286/44155",
"specs": [
"<2.0.0"
],
@@ -69377,9 +71244,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29590",
- "id": "pyup.io-44109",
- "more_info_path": "/vulnerabilities/CVE-2021-29590/44109",
+ "cve": "CVE-2021-29607",
+ "id": "pyup.io-44131",
+ "more_info_path": "/vulnerabilities/CVE-2021-29607/44131",
"specs": [
"<2.0.0"
],
@@ -69387,9 +71254,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29548",
- "id": "pyup.io-44091",
- "more_info_path": "/vulnerabilities/CVE-2021-29548/44091",
+ "cve": "CVE-2021-29599",
+ "id": "pyup.io-44123",
+ "more_info_path": "/vulnerabilities/CVE-2021-29599/44123",
"specs": [
"<2.0.0"
],
@@ -69397,9 +71264,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29607",
- "id": "pyup.io-44131",
- "more_info_path": "/vulnerabilities/CVE-2021-29607/44131",
+ "cve": "CVE-2021-29590",
+ "id": "pyup.io-44109",
+ "more_info_path": "/vulnerabilities/CVE-2021-29590/44109",
"specs": [
"<2.0.0"
],
@@ -69407,9 +71274,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29599",
- "id": "pyup.io-44123",
- "more_info_path": "/vulnerabilities/CVE-2021-29599/44123",
+ "cve": "CVE-2021-29548",
+ "id": "pyup.io-44091",
+ "more_info_path": "/vulnerabilities/CVE-2021-29548/44091",
"specs": [
"<2.0.0"
],
@@ -69447,9 +71314,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29553",
- "id": "pyup.io-44141",
- "more_info_path": "/vulnerabilities/CVE-2021-29553/44141",
+ "cve": "CVE-2021-29527",
+ "id": "pyup.io-44116",
+ "more_info_path": "/vulnerabilities/CVE-2021-29527/44116",
"specs": [
"<2.0.0"
],
@@ -69457,9 +71324,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29527",
- "id": "pyup.io-44116",
- "more_info_path": "/vulnerabilities/CVE-2021-29527/44116",
+ "cve": "CVE-2020-8177",
+ "id": "pyup.io-44146",
+ "more_info_path": "/vulnerabilities/CVE-2020-8177/44146",
"specs": [
"<2.0.0"
],
@@ -69467,9 +71334,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2020-8177",
- "id": "pyup.io-44146",
- "more_info_path": "/vulnerabilities/CVE-2020-8177/44146",
+ "cve": "CVE-2021-29580",
+ "id": "pyup.io-44099",
+ "more_info_path": "/vulnerabilities/CVE-2021-29580/44099",
"specs": [
"<2.0.0"
],
@@ -69487,9 +71354,19 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29580",
- "id": "pyup.io-44099",
- "more_info_path": "/vulnerabilities/CVE-2021-29580/44099",
+ "cve": "CVE-2021-29569",
+ "id": "pyup.io-44161",
+ "more_info_path": "/vulnerabilities/CVE-2021-29569/44161",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29540",
+ "id": "pyup.io-44094",
+ "more_info_path": "/vulnerabilities/CVE-2021-29540/44094",
"specs": [
"<2.0.0"
],
@@ -69505,6 +71382,16 @@
],
"v": "<2.0.0"
},
+ {
+ "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
+ "cve": "CVE-2021-29610",
+ "id": "pyup.io-44076",
+ "more_info_path": "/vulnerabilities/CVE-2021-29610/44076",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
"cve": "CVE-2020-8284",
@@ -69547,19 +71434,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29564",
- "id": "pyup.io-44066",
- "more_info_path": "/vulnerabilities/CVE-2021-29564/44066",
- "specs": [
- "<2.0.0"
- ],
- "v": "<2.0.0"
- },
- {
- "advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29516",
- "id": "pyup.io-44159",
- "more_info_path": "/vulnerabilities/CVE-2021-29516/44159",
+ "cve": "CVE-2021-29563",
+ "id": "pyup.io-44080",
+ "more_info_path": "/vulnerabilities/CVE-2021-29563/44080",
"specs": [
"<2.0.0"
],
@@ -69577,9 +71454,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29610",
- "id": "pyup.io-44076",
- "more_info_path": "/vulnerabilities/CVE-2021-29610/44076",
+ "cve": "CVE-2021-29564",
+ "id": "pyup.io-44066",
+ "more_info_path": "/vulnerabilities/CVE-2021-29564/44066",
"specs": [
"<2.0.0"
],
@@ -69587,9 +71464,9 @@
},
{
"advisory": "Jina version 2.0.0 updates its dependency \"Tensorflow\" to v2.4.2 to include security fixes.",
- "cve": "CVE-2021-29563",
- "id": "pyup.io-44080",
- "more_info_path": "/vulnerabilities/CVE-2021-29563/44080",
+ "cve": "CVE-2021-29516",
+ "id": "pyup.io-44159",
+ "more_info_path": "/vulnerabilities/CVE-2021-29516/44159",
"specs": [
"<2.0.0"
],
@@ -69687,6 +71564,16 @@
],
"v": "<3.1.3"
},
+ {
+ "advisory": "** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.",
+ "cve": "CVE-2019-8341",
+ "id": "pyup.io-70612",
+ "more_info_path": "/vulnerabilities/CVE-2019-8341/70612",
+ "specs": [
+ "<=2.10"
+ ],
+ "v": "<=2.10"
+ },
{
"advisory": "Jinja2 2.10.1 adds 'SandboxedEnvironment' to handle 'str.format_map' in order to prevent code execution through untrusted format strings.\r\nhttps://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26",
"cve": "CVE-2019-10906",
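Review bot: The CVE-2019-8341 entry bounds the affected range at `<=2.10`, which tells consumers that 2.10.1 and later are fixed, but the advisory text only says the issue was found in 2.10 and that the maintainers dispute it as misuse of untrusted templates; no fixing release is named. If there is no fix, the upper bound is an inference rather than a fact, and the entry would be better marked as disputed/informational so users on newer versions are not told an upgrade clears it. The enclosing `jinja2` array continues on both sides of the hunk.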
@@ -69918,20 +71805,20 @@
"v": "<1.1.1"
},
{
- "advisory": "Joblib 1.2.0 fixes a security issue where 'eval(pre_dispatch)' could potentially run arbitrary code. Now only basic numerics are supported.\r\nhttps://github.com/joblib/joblib/pull/1327",
- "cve": "PVE-2022-51041",
- "id": "pyup.io-51041",
- "more_info_path": "/vulnerabilities/PVE-2022-51041/51041",
+ "advisory": "Joblib 1.2.0 includes a fix for CVE-2022-21797: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128",
+ "cve": "CVE-2022-21797",
+ "id": "pyup.io-51242",
+ "more_info_path": "/vulnerabilities/CVE-2022-21797/51242",
"specs": [
"<1.2.0"
],
"v": "<1.2.0"
},
{
- "advisory": "Joblib 1.2.0 includes a fix for CVE-2022-21797: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128",
- "cve": "CVE-2022-21797",
- "id": "pyup.io-51242",
- "more_info_path": "/vulnerabilities/CVE-2022-21797/51242",
+ "advisory": "Joblib 1.2.0 fixes a security issue where 'eval(pre_dispatch)' could potentially run arbitrary code. Now only basic numerics are supported.\r\nhttps://github.com/joblib/joblib/pull/1327",
+ "cve": "PVE-2022-51041",
+ "id": "pyup.io-51041",
+ "more_info_path": "/vulnerabilities/PVE-2022-51041/51041",
"specs": [
"<1.2.0"
],
@@ -71171,20 +73058,20 @@
"v": "<1.4.0"
},
{
- "advisory": "Jwcrypto version 1.5.1 addresses a potential DoS issue with p2c headers, limiting the default maximum to 16384 to prevent excessive resource usage. For applications requiring more iterations, the jwa default max needs to be adjusted manually.\r\nhttps://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8",
- "cve": "PVE-2023-63154",
- "id": "pyup.io-63154",
- "more_info_path": "/vulnerabilities/PVE-2023-63154/63154",
+ "advisory": "A vulnerability was found in JWCrypto versions before 1.5.1. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.",
+ "cve": "CVE-2023-6681",
+ "id": "pyup.io-66713",
+ "more_info_path": "/vulnerabilities/CVE-2023-6681/66713",
"specs": [
"<1.5.1"
],
"v": "<1.5.1"
},
{
- "advisory": "A vulnerability was found in JWCrypto versions before 1.5.1. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.",
- "cve": "CVE-2023-6681",
- "id": "pyup.io-66713",
- "more_info_path": "/vulnerabilities/CVE-2023-6681/66713",
+ "advisory": "Jwcrypto version 1.5.1 addresses a potential DoS issue with p2c headers, limiting the default maximum to 16384 to prevent excessive resource usage. For applications requiring more iterations, the jwa default max needs to be adjusted manually.\r\nhttps://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8",
+ "cve": "PVE-2023-63154",
+ "id": "pyup.io-63154",
+ "more_info_path": "/vulnerabilities/PVE-2023-63154/63154",
"specs": [
"<1.5.1"
],
@@ -71603,6 +73490,28 @@
"v": ">=0.7,<0.7.1"
}
],
+ "keycloak-httpd-client-install": [
+ {
+ "advisory": "keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.",
+ "cve": "CVE-2017-15111",
+ "id": "pyup.io-67428",
+ "more_info_path": "/vulnerabilities/CVE-2017-15111/67428",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ },
+ {
+ "advisory": "keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass password through command line, leaking it via command history and process info to other local users.",
+ "cve": "CVE-2017-15112",
+ "id": "pyup.io-67429",
+ "more_info_path": "/vulnerabilities/CVE-2017-15112/67429",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ }
+ ],
"keylime": [
{
"advisory": "A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier. This could lead to a remote code execution.",
@@ -71758,6 +73667,29 @@
}
],
"keystone": [
+ {
+ "advisory": "In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated \"GET /v3/OS-FEDERATION/projects\" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.",
+ "cve": "CVE-2018-14432",
+ "id": "pyup.io-70607",
+ "more_info_path": "/vulnerabilities/CVE-2018-14432/70607",
+ "specs": [
+ "<11.04",
+ ">=12.0.0,<12.0.0",
+ ">=13.0.0<13.0.0"
+ ],
+ "v": "<11.04,>=12.0.0,<12.0.0,>=13.0.0<13.0.0"
+ },
+ {
+ "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.",
+ "cve": "CVE-2020-12691",
+ "id": "pyup.io-38585",
+ "more_info_path": "/vulnerabilities/CVE-2020-12691/38585",
+ "specs": [
+ "<15.0.1",
+ ">=16.0.0.0rc1,<=16.0.0"
+ ],
+ "v": "<15.0.1,>=16.0.0.0rc1,<=16.0.0"
+ },
{
"advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.",
"cve": "CVE-2020-12690",
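Review bot: The specs added for CVE-2018-14432 cannot match any 12.x or 13.x Keystone release: `>=12.0.0,<12.0.0` is an empty range and `>=13.0.0<13.0.0` is missing the comma between its two operators, so a scanner parsing `v` will either reject the string or silently never flag those lines. `<11.04` also looks like a typo for `<11.0.4` (the advisory text says "before 11.0.4"); under PEP 440 `11.04` equals `11.4`, so as written it also reports 11.0.4 through 11.3.x as vulnerable. The 12.x and 13.x upper bounds should be taken from the upstream advisory rather than guessed, and the `v` line must be regenerated from the corrected `specs` so the two stay consistent. The CVE-2020-12691 record in the same hunk uses well-formed ranges and can serve as the template.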
@@ -71780,17 +73712,6 @@
],
"v": "<15.0.1,>=16.0.0.0rc1,<=16.0.0"
},
- {
- "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.",
- "cve": "CVE-2020-12691",
- "id": "pyup.io-38585",
- "more_info_path": "/vulnerabilities/CVE-2020-12691/38585",
- "specs": [
- "<15.0.1",
- ">=16.0.0.0rc1,<=16.0.0"
- ],
- "v": "<15.0.1,>=16.0.0.0rc1,<=16.0.0"
- },
{
"advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.",
"cve": "CVE-2020-12689",
@@ -71802,6 +73723,17 @@
],
"v": "<15.0.1,>=16.0.0.0rc1,<=16.0.0"
},
+ {
+ "advisory": "OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.",
+ "cve": "CVE-2015-3646",
+ "id": "pyup.io-70443",
+ "more_info_path": "/vulnerabilities/CVE-2015-3646/70443",
+ "specs": [
+ "<2014.1.5",
+ ">=2014.2,<2014.2.4"
+ ],
+ "v": "<2014.1.5,>=2014.2,<2014.2.4"
+ },
{
"advisory": "In Keystone versions prior to 8.0.0, It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). See also: CVE-2012-1572 and https://security.openstack.org/ossa/OSSA-2012-002.html.\r\nhttps://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c",
"cve": "CVE-2012-1572",
@@ -71812,6 +73744,26 @@
],
"v": "<8.0.0"
},
+ {
+ "advisory": "The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.",
+ "cve": "CVE-2016-4911",
+ "id": "pyup.io-70597",
+ "more_info_path": "/vulnerabilities/CVE-2016-4911/70597",
+ "specs": [
+ "<9.0.1"
+ ],
+ "v": "<9.0.1"
+ },
+ {
+ "advisory": "An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.",
+ "cve": "CVE-2017-2673",
+ "id": "pyup.io-70606",
+ "more_info_path": "/vulnerabilities/CVE-2017-2673/70606",
+ "specs": [
+ "<=12.0.3-9\u00b6"
+ ],
+ "v": "<=12.0.3-9\u00b6"
+ },
{
"advisory": "The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.",
"cve": "CVE-2013-4477",
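Review bot: The spec `<=12.0.3-9\u00b6` on the CVE-2017-2673 record contains a stray pilcrow (U+00B6) and a distro-style `-9` release suffix, so it is not a valid PEP 440 specifier and a version comparator will either raise or never match; `12.0.3-9` reads like a downstream package version rather than a PyPI keystone release. It should be replaced with the PyPI-side fixed-version bound from the upstream advisory (placeholder: `<FIXED_VERSION`), with the `v` line regenerated to match. The CVE-2016-4911 spec `<9.0.1` also flags every pre-9.0 release although the advisory text limits the issue to 9.0.x; if that breadth is intentional for this dataset it is fine, otherwise `>=9.0.0,<9.0.1` is the tighter form.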
@@ -71863,6 +73815,76 @@
],
"v": ">0"
},
+ {
+ "advisory": "The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.",
+ "cve": "CVE-2014-2237",
+ "id": "pyup.io-70451",
+ "more_info_path": "/vulnerabilities/CVE-2014-2237/70451",
+ "specs": [
+ ">2010,<2013.2.3"
+ ],
+ "v": ">2010,<2013.2.3"
+ },
+ {
+ "advisory": "The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka \"authentication chaining.\"",
+ "cve": "CVE-2014-2828",
+ "id": "pyup.io-70450",
+ "more_info_path": "/vulnerabilities/CVE-2014-2828/70450",
+ "specs": [
+ ">2010,<2014.1"
+ ],
+ "v": ">2010,<2014.1"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.",
+ "cve": "CVE-2014-5253",
+ "id": "pyup.io-70444",
+ "more_info_path": "/vulnerabilities/CVE-2014-5253/70444",
+ "specs": [
+ ">2010,<2014.2"
+ ],
+ "v": ">2010,<2014.2"
+ },
+ {
+ "advisory": "The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.",
+ "cve": "CVE-2014-5251",
+ "id": "pyup.io-70446",
+ "more_info_path": "/vulnerabilities/CVE-2014-5251/70446",
+ "specs": [
+ ">2010,<2014.2"
+ ],
+ "v": ">2010,<2014.2"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.",
+ "cve": "CVE-2014-3520",
+ "id": "pyup.io-70447",
+ "more_info_path": "/vulnerabilities/CVE-2014-3520/70447",
+ "specs": [
+ ">2010,<2014.2"
+ ],
+ "v": ">2010,<2014.2"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.",
+ "cve": "CVE-2014-3476",
+ "id": "pyup.io-70448",
+ "more_info_path": "/vulnerabilities/CVE-2014-3476/70448",
+ "specs": [
+ ">2010,<2014.2"
+ ],
+ "v": ">2010,<2014.2"
+ },
+ {
+ "advisory": "The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.",
+ "cve": "CVE-2014-5252",
+ "id": "pyup.io-70445",
+ "more_info_path": "/vulnerabilities/CVE-2014-5252/70445",
+ "specs": [
+ ">2010,<2014.2"
+ ],
+ "v": ">2010,<2014.2"
+ },
{
"advisory": "Keystone versions 16.0.2, 17.0.1, 18.0.1 and 19.0.1 include a fix for CVE-2021-38155: OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.\r\nhttps://security.openstack.org/ossa/OSSA-2021-003.html",
"cve": "CVE-2021-38155",
@@ -71906,6 +73928,16 @@
],
"v": ">=2010,<2012.1.3"
},
+ {
+ "advisory": "OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.\r\nhttps://review.opendev.org/c/openstack/keystone/+/24906",
+ "cve": "CVE-2013-1865",
+ "id": "pyup.io-35416",
+ "more_info_path": "/vulnerabilities/CVE-2013-1865/35416",
+ "specs": [
+ ">=2010,<2012.2"
+ ],
+ "v": ">=2010,<2012.2"
+ },
{
"advisory": "OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.",
"cve": "CVE-2012-5563",
@@ -71917,14 +73949,146 @@
"v": ">=2010,<2012.2"
},
{
- "advisory": "OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.\r\nhttps://review.opendev.org/c/openstack/keystone/+/24906",
- "cve": "CVE-2013-1865",
- "id": "pyup.io-35416",
- "more_info_path": "/vulnerabilities/CVE-2013-1865/35416",
+ "advisory": "The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by \"$(admin_token)\" in the publicurl endpoint field.",
+ "cve": "CVE-2014-3621",
+ "id": "pyup.io-70603",
+ "more_info_path": "/vulnerabilities/CVE-2014-3621/70603",
"specs": [
- ">=2010,<2012.2"
+ ">=2010,<2013.2.3",
+ ">=2014.1,<2014.1.2.1"
],
- "v": ">=2010,<2012.2"
+ "v": ">=2010,<2013.2.3,>=2014.1,<2014.1.2.1"
+ },
+ {
+ "advisory": "Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element.",
+ "cve": "CVE-2012-3360",
+ "id": "pyup.io-68022",
+ "more_info_path": "/vulnerabilities/CVE-2012-3360/68022",
+ "specs": [
+ ">=2010.1-rc2,<=2012.2"
+ ],
+ "v": ">=2010.1-rc2,<=2012.2"
+ },
+ {
+ "advisory": "OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.",
+ "cve": "CVE-2012-3426",
+ "id": "pyup.io-68007",
+ "more_info_path": "/vulnerabilities/CVE-2012-3426/68007",
+ "specs": [
+ ">=2011.3.1,<2012.1.1"
+ ],
+ "v": ">=2011.3.1,<2012.1.1"
+ },
+ {
+ "advisory": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.",
+ "cve": "CVE-2012-4457",
+ "id": "pyup.io-68008",
+ "more_info_path": "/vulnerabilities/CVE-2012-4457/68008",
+ "specs": [
+ ">=2011.3.1,<2012.1.2"
+ ],
+ "v": ">=2011.3.1,<2012.1.2"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.",
+ "cve": "CVE-2013-2059",
+ "id": "pyup.io-67997",
+ "more_info_path": "/vulnerabilities/CVE-2013-2059/67997",
+ "specs": [
+ ">=2011.3.1,<2012.2.4",
+ ">=2013,<2013.1.1"
+ ],
+ "v": ">=2011.3.1,<2012.2.4,>=2013,<2013.1.1"
+ },
+ {
+ "advisory": "OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.",
+ "cve": "CVE-2013-0282",
+ "id": "pyup.io-67995",
+ "more_info_path": "/vulnerabilities/CVE-2013-0282/67995",
+ "specs": [
+ ">=2011.3.1,<2013.1"
+ ],
+ "v": ">=2011.3.1,<2013.1"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests.",
+ "cve": "CVE-2013-2014",
+ "id": "pyup.io-67996",
+ "more_info_path": "/vulnerabilities/CVE-2013-2014/67996",
+ "specs": [
+ ">=2011.3.1,<2013.1"
+ ],
+ "v": ">=2011.3.1,<2013.1"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file.",
+ "cve": "CVE-2013-2006",
+ "id": "pyup.io-68009",
+ "more_info_path": "/vulnerabilities/CVE-2013-2006/68009",
+ "specs": [
+ ">=2011.3.1,<2013.1"
+ ],
+ "v": ">=2011.3.1,<2013.1"
+ },
+ {
+ "advisory": "OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.",
+ "cve": "CVE-2013-2157",
+ "id": "pyup.io-67998",
+ "more_info_path": "/vulnerabilities/CVE-2013-2157/67998",
+ "specs": [
+ ">=2011.3.1,<2013.1.3"
+ ],
+ "v": ">=2011.3.1,<2013.1.3"
+ },
+ {
+ "advisory": "OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.",
+ "cve": "CVE-2013-4222",
+ "id": "pyup.io-68010",
+ "more_info_path": "/vulnerabilities/CVE-2013-4222/68010",
+ "specs": [
+ ">=2011.3.1,<2013.1.3"
+ ],
+ "v": ">=2011.3.1,<2013.1.3"
+ },
+ {
+ "advisory": "OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.",
+ "cve": "CVE-2013-0247",
+ "id": "pyup.io-67994",
+ "more_info_path": "/vulnerabilities/CVE-2013-0247/67994",
+ "specs": [
+ ">=2011.3.1,<2013.1.g3"
+ ],
+ "v": ">=2011.3.1,<2013.1.g3"
+ },
+ {
+ "advisory": "The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.",
+ "cve": "CVE-2013-6391",
+ "id": "pyup.io-68002",
+ "more_info_path": "/vulnerabilities/CVE-2013-6391/68002",
+ "specs": [
+ ">=2011.3.1,<2013.2.1"
+ ],
+ "v": ">=2011.3.1,<2013.2.1"
+ },
+ {
+ "advisory": "tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file.",
+ "cve": "CVE-2012-5483",
+ "id": "pyup.io-67993",
+ "more_info_path": "/vulnerabilities/CVE-2012-5483/67993",
+ "specs": [
+ ">=2011.3.1,<=2012.1.3"
+ ],
+ "v": ">=2011.3.1,<=2012.1.3"
+ },
+ {
+ "advisory": "OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.",
+ "cve": "CVE-2012-5571",
+ "id": "pyup.io-68006",
+ "more_info_path": "/vulnerabilities/CVE-2012-5571/68006",
+ "specs": [
+ ">=2011.3.1,<=2013.2"
+ ],
+ "v": ">=2011.3.1,<=2013.2"
},
{
"advisory": "The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.",
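Review bot: The CVE-2012-3360 record added with the `virt/disk/api.py` advisory text describes a directory traversal in OpenStack Compute (Nova), not Keystone, yet it sits inside the `keystone` package's list; as added, keystone users in the `>=2010.1-rc2,<=2012.2` range will be reported against a Nova bug while nova users will not be. It should move to the `nova` entry, or be dropped from this file if nova is not tracked here. Two other specs in the hunk look suspect: `>=2011.3.1,<2013.1.g3` uses a milestone suffix (`g3`) that is not a PEP 440 version segment, and `>=2011.3.1,<=2013.2` for CVE-2012-5571 extends past the Essex/Folsom (2012.1/2012.2) releases the advisory text names into Grizzly and Havana. The enclosing `keystone` array starts and ends outside this hunk.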
@@ -73156,9 +75320,9 @@
},
{
"advisory": "Kserve 0.9.0rc0 updates its dependency 'ray' to v1.9.2 to include security fixes.",
- "cve": "CVE-2021-45046",
- "id": "pyup.io-49420",
- "more_info_path": "/vulnerabilities/CVE-2021-45046/49420",
+ "cve": "CVE-2021-44228",
+ "id": "pyup.io-49405",
+ "more_info_path": "/vulnerabilities/CVE-2021-44228/49405",
"specs": [
"<0.9.0rc0"
],
@@ -73166,9 +75330,9 @@
},
{
"advisory": "Kserve 0.9.0rc0 updates its dependency 'ray' to v1.9.2 to include security fixes.",
- "cve": "CVE-2021-44228",
- "id": "pyup.io-49405",
- "more_info_path": "/vulnerabilities/CVE-2021-44228/49405",
+ "cve": "CVE-2021-45046",
+ "id": "pyup.io-49420",
+ "more_info_path": "/vulnerabilities/CVE-2021-45046/49420",
"specs": [
"<0.9.0rc0"
],
@@ -73507,20 +75671,20 @@
"v": "<1.10.1"
},
{
- "advisory": "Label-studio 1.11.0 addresses the CVE-2023-47116 by introducing more exhaustive IP validation for Server Side Request Forgery (SSRF) defenses. This includes banning all IPs within reserved blocks, for both IPv4 and IPv6, by default. The system also allows users to ban additional blocks using USER_ADDITIONAL_BANNED_SUBNETS, or to specify their full list of banned IP blocks themselves using USE_DEFAULT_BANNED_SUBNETS. By default, USE_DEFAULT_BANNED_SUBNETS is set to True. Additionally, the error message has been made more informative when SSRF protection blocks an upload.\r\nhttps://github.com/HumanSignal/label-studio/pull/5316",
- "cve": "CVE-2023-47116",
- "id": "pyup.io-64822",
- "more_info_path": "/vulnerabilities/CVE-2023-47116/64822",
+ "advisory": "Label Studio before 1.11.0 is vulnerable to cross-site scripting (XSS) because it fails to properly sanitize data uploaded via the file upload feature before it is rendered within Choices or Labels tags. This vulnerability allows attackers to inject malicious scripts that could execute within the user's browser session. However, exploitation is contingent upon the attacker having permission to use the \"data import\" function.",
+ "cve": "CVE-2024-26152",
+ "id": "pyup.io-66696",
+ "more_info_path": "/vulnerabilities/CVE-2024-26152/66696",
"specs": [
"<1.11.0"
],
"v": "<1.11.0"
},
{
- "advisory": "Label Studio before 1.11.0 is vulnerable to cross-site scripting (XSS) because it fails to properly sanitize data uploaded via the file upload feature before it is rendered within Choices or Labels tags. This vulnerability allows attackers to inject malicious scripts that could execute within the user's browser session. However, exploitation is contingent upon the attacker having permission to use the \"data import\" function.",
- "cve": "CVE-2024-26152",
- "id": "pyup.io-66696",
- "more_info_path": "/vulnerabilities/CVE-2024-26152/66696",
+ "advisory": "Label-studio 1.11.0 addresses the CVE-2023-47116 by introducing more exhaustive IP validation for Server Side Request Forgery (SSRF) defenses. This includes banning all IPs within reserved blocks, for both IPv4 and IPv6, by default. The system also allows users to ban additional blocks using USER_ADDITIONAL_BANNED_SUBNETS, or to specify their full list of banned IP blocks themselves using USE_DEFAULT_BANNED_SUBNETS. By default, USE_DEFAULT_BANNED_SUBNETS is set to True. Additionally, the error message has been made more informative when SSRF protection blocks an upload.\r\nhttps://github.com/HumanSignal/label-studio/pull/5316",
+ "cve": "CVE-2023-47116",
+ "id": "pyup.io-64822",
+ "more_info_path": "/vulnerabilities/CVE-2023-47116/64822",
"specs": [
"<1.11.0"
],
@@ -73907,20 +76071,20 @@
],
"ladybug-comfort": [
{
- "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'wheel' to v0.38.1 to include a security fix.",
- "cve": "CVE-2022-40898",
- "id": "pyup.io-52877",
- "more_info_path": "/vulnerabilities/CVE-2022-40898/52877",
+ "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-52844",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/52844",
"specs": [
"<0.16.18"
],
"v": "<0.16.18"
},
{
- "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'setuptools' to v65.5.1 to include a security fix.",
- "cve": "CVE-2022-40897",
- "id": "pyup.io-52844",
- "more_info_path": "/vulnerabilities/CVE-2022-40897/52844",
+ "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'wheel' to v0.38.1 to include a security fix.",
+ "cve": "CVE-2022-40898",
+ "id": "pyup.io-52877",
+ "more_info_path": "/vulnerabilities/CVE-2022-40898/52877",
"specs": [
"<0.16.18"
],
@@ -74031,20 +76195,20 @@
"v": "<0.0.236"
},
{
- "advisory": "Langchain 0.0.236 includes a fix for CVE-2023-36258: Versions before 0.0.236 allow an attacker to execute arbitrary code via the PALChain in the python exec method.\r\nhttps://github.com/langchain-ai/langchain/issues/5872\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e",
- "cve": "CVE-2023-36258",
- "id": "pyup.io-59294",
- "more_info_path": "/vulnerabilities/CVE-2023-36258/59294",
+ "advisory": "Langchain 0.0.236 includes a fix for an Arbitrary Code Execution vulnerability. In affected versions, the vulnerability allows an attacker to execute arbitrary code via the Python exec calls in the PALChain.\r\nhttps://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e",
+ "cve": "CVE-2023-36095",
+ "id": "pyup.io-60218",
+ "more_info_path": "/vulnerabilities/CVE-2023-36095/60218",
"specs": [
"<0.0.236"
],
"v": "<0.0.236"
},
{
- "advisory": "Langchain 0.0.236 includes a fix for an Arbitrary Code Execution vulnerability. In affected versions, the vulnerability allows an attacker to execute arbitrary code via the Python exec calls in the PALChain.\r\nhttps://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e",
- "cve": "CVE-2023-36095",
- "id": "pyup.io-60218",
- "more_info_path": "/vulnerabilities/CVE-2023-36095/60218",
+ "advisory": "Langchain 0.0.236 includes a fix for CVE-2023-36258: Versions before 0.0.236 allow an attacker to execute arbitrary code via the PALChain in the python exec method.\r\nhttps://github.com/langchain-ai/langchain/issues/5872\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e",
+ "cve": "CVE-2023-36258",
+ "id": "pyup.io-59294",
+ "more_info_path": "/vulnerabilities/CVE-2023-36258/59294",
"specs": [
"<0.0.236"
],
@@ -74196,12 +76360,22 @@
"id": "pyup.io-66962",
"more_info_path": "/vulnerabilities/CVE-2024-1455/66962",
"specs": [
- ">=0"
+ ">=0,<1.4"
],
- "v": ">=0"
+ "v": ">=0,<1.4"
}
],
"langchain-experimental": [
+ {
+ "advisory": "langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.",
+ "cve": "CVE-2023-45920",
+ "id": "pyup.io-68479",
+ "more_info_path": "/vulnerabilities/CVE-2023-45920/68479",
+ "specs": [
+ "<0.0.52"
+ ],
+ "v": "<0.0.52"
+ },
{
"advisory": "Langchain_experimental allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.\r\nhttps://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483\r\nhttps://github.com/pypa/advisory-database/blob/main/vulns/langchain-experimental/PYSEC-2023-194.yaml",
"cve": "CVE-2023-44467",
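Review bot: The CVE-2023-45920 record's spec `<0.0.52` does not obviously correspond to its advisory text, which says the bypass exists in "LangChain before 0.1.8"; the two refer to different version lines (langchain-experimental vs langchain) and nothing in the record explains the mapping. Appending a sentence such as `Fixed in langchain-experimental 0.0.52.` to the advisory text would let a reader verify the bound; otherwise the spec should be confirmed against the upstream fix. The changed CVE-2024-1455 bound `>=0,<1.4` also deserves a check: every langchain bound visible in this file is 0.x (e.g. `<0.0.236`), so `<1.4` may have been intended as `<0.1.4`.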
@@ -74412,16 +76586,6 @@
],
"v": "<2.2.2"
},
- {
- "advisory": "Lazuli 2.2.3 updates its dependency 'mkdocs' to v1.3.1 to include a security fix.",
- "cve": "CVE-2021-40978",
- "id": "pyup.io-50476",
- "more_info_path": "/vulnerabilities/CVE-2021-40978/50476",
- "specs": [
- "<2.2.3"
- ],
- "v": "<2.2.3"
- },
{
"advisory": "Lazuli 2.2.3 updates its dependency 'nltk' to v3.7 to include security fixes.",
"cve": "CVE-2021-43854",
@@ -74511,6 +76675,16 @@
"<2.2.3"
],
"v": "<2.2.3"
+ },
+ {
+ "advisory": "Lazuli 2.2.3 updates its dependency 'mkdocs' to v1.3.1 to include a security fix.",
+ "cve": "CVE-2021-40978",
+ "id": "pyup.io-50476",
+ "more_info_path": "/vulnerabilities/CVE-2021-40978/50476",
+ "specs": [
+ "<2.2.3"
+ ],
+ "v": "<2.2.3"
}
],
"lbt-dragonfly": [
@@ -74640,6 +76814,18 @@
"v": ">0,<0"
}
],
+ "ledfx": [
+ {
+ "advisory": "Ledfx 2.0.70 addresses and resolves a critical issue that could cause crashes due to a race condition and the presence of empty virtual data. The race condition could potentially be exploited to cause a denial of service (DoS).",
+ "cve": "PVE-2024-67135",
+ "id": "pyup.io-67135",
+ "more_info_path": "/vulnerabilities/PVE-2024-67135/67135",
+ "specs": [
+ "<2.0.70"
+ ],
+ "v": "<2.0.70"
+ }
+ ],
"lekt": [
{
"advisory": "Lekt 14.0.13 updates Open EDX image version to 14.2.1, which includes a security fix for a XSS vulnerability in edx-platform.\r\nhttps://github.com/lektorium-tutor/lekt/commit/b46a7b0fa806604eddaed8646a2a8712a8508c79",
@@ -74752,10 +76938,10 @@
],
"lg-rez": [
{
- "advisory": "Lg-rez 2.1.4 updates its dependency 'rsa' to v4.7 to include a security fix.",
- "cve": "CVE-2020-25658",
- "id": "pyup.io-42106",
- "more_info_path": "/vulnerabilities/CVE-2020-25658/42106",
+ "advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.",
+ "cve": "CVE-2021-28676",
+ "id": "pyup.io-42104",
+ "more_info_path": "/vulnerabilities/CVE-2021-28676/42104",
"specs": [
"<2.1.4"
],
@@ -74763,9 +76949,9 @@
},
{
"advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.",
- "cve": "CVE-2021-28678",
- "id": "pyup.io-42049",
- "more_info_path": "/vulnerabilities/CVE-2021-28678/42049",
+ "cve": "CVE-2021-28677",
+ "id": "pyup.io-42105",
+ "more_info_path": "/vulnerabilities/CVE-2021-28677/42105",
"specs": [
"<2.1.4"
],
@@ -74773,19 +76959,19 @@
},
{
"advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.",
- "cve": "CVE-2021-28677",
- "id": "pyup.io-42105",
- "more_info_path": "/vulnerabilities/CVE-2021-28677/42105",
+ "cve": "CVE-2021-28678",
+ "id": "pyup.io-42049",
+ "more_info_path": "/vulnerabilities/CVE-2021-28678/42049",
"specs": [
"<2.1.4"
],
"v": "<2.1.4"
},
{
- "advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.",
- "cve": "CVE-2021-28676",
- "id": "pyup.io-42104",
- "more_info_path": "/vulnerabilities/CVE-2021-28676/42104",
+ "advisory": "Lg-rez 2.1.4 updates its dependency 'rsa' to v4.7 to include a security fix.",
+ "cve": "CVE-2020-25658",
+ "id": "pyup.io-42106",
+ "more_info_path": "/vulnerabilities/CVE-2020-25658/42106",
"specs": [
"<2.1.4"
],
@@ -74958,20 +77144,20 @@
],
"libretranslate": [
{
- "advisory": "Libretranslate 1.5.4 updates its Flask dependency from 2.2.2 to 2.2.5. This upgrade addresses the vulnerability identified as CVE-2023-30861.\r\nhttps://github.com/LibreTranslate/LibreTranslate/pull/570/commits/51341d92ade55e47d94ac2f6dd095fcc226e62d0",
- "cve": "CVE-2023-30861",
- "id": "pyup.io-63742",
- "more_info_path": "/vulnerabilities/CVE-2023-30861/63742",
+ "advisory": "Libretranslate 1.5.4 updates its Werkzeug dependency from 2.2.2 to 2.3.8. This upgrade addresses the vulnerability identified as CVE-2023-25577.\r\nhttps://github.com/LibreTranslate/LibreTranslate/pull/570/commits/51341d92ade55e47d94ac2f6dd095fcc226e62d0",
+ "cve": "CVE-2023-25577",
+ "id": "pyup.io-64074",
+ "more_info_path": "/vulnerabilities/CVE-2023-25577/64074",
"specs": [
"<1.5.4"
],
"v": "<1.5.4"
},
{
- "advisory": "Libretranslate 1.5.4 updates its Werkzeug dependency from 2.2.2 to 2.3.8. This upgrade addresses the vulnerability identified as CVE-2023-25577.\r\nhttps://github.com/LibreTranslate/LibreTranslate/pull/570/commits/51341d92ade55e47d94ac2f6dd095fcc226e62d0",
- "cve": "CVE-2023-25577",
- "id": "pyup.io-64074",
- "more_info_path": "/vulnerabilities/CVE-2023-25577/64074",
+ "advisory": "Libretranslate 1.5.4 updates its Flask dependency from 2.2.2 to 2.2.5. This upgrade addresses the vulnerability identified as CVE-2023-30861.\r\nhttps://github.com/LibreTranslate/LibreTranslate/pull/570/commits/51341d92ade55e47d94ac2f6dd095fcc226e62d0",
+ "cve": "CVE-2023-30861",
+ "id": "pyup.io-63742",
+ "more_info_path": "/vulnerabilities/CVE-2023-30861/63742",
"specs": [
"<1.5.4"
],
@@ -75327,16 +77513,6 @@
}
],
"lightning": [
- {
- "advisory": "Lightning 2.0.4 updates its dependency 'vite' to version '2.9.16' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/7d2a46efa9834c3bb0bc1069df0a2e3a6e855d01",
- "cve": "CVE-2022-35204",
- "id": "pyup.io-59185",
- "more_info_path": "/vulnerabilities/CVE-2022-35204/59185",
- "specs": [
- "<2.0.4"
- ],
- "v": "<2.0.4"
- },
{
"advisory": "Lightning 2.0.4 updates its dependency 'vite' to version '2.9.16' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/7d2a46efa9834c3bb0bc1069df0a2e3a6e855d01",
"cve": "CVE-2023-34092",
@@ -75348,10 +77524,10 @@
"v": "<2.0.4"
},
{
- "advisory": "Lightning 2.0.4 updates its dependency 'redis' to version '4.5.5' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/0831e138c02e492bdd384be99079d949c93b1e8e",
- "cve": "CVE-2023-28858",
- "id": "pyup.io-59186",
- "more_info_path": "/vulnerabilities/CVE-2023-28858/59186",
+ "advisory": "Lightning 2.0.4 updates its dependency 'vite' to version '2.9.16' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/7d2a46efa9834c3bb0bc1069df0a2e3a6e855d01",
+ "cve": "CVE-2022-35204",
+ "id": "pyup.io-59185",
+ "more_info_path": "/vulnerabilities/CVE-2022-35204/59185",
"specs": [
"<2.0.4"
],
@@ -75376,6 +77552,16 @@
"<2.0.4"
],
"v": "<2.0.4"
+ },
+ {
+ "advisory": "Lightning 2.0.4 updates its dependency 'redis' to version '4.5.5' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/0831e138c02e492bdd384be99079d949c93b1e8e",
+ "cve": "CVE-2023-28858",
+ "id": "pyup.io-59186",
+ "more_info_path": "/vulnerabilities/CVE-2023-28858/59186",
+ "specs": [
+ "<2.0.4"
+ ],
+ "v": "<2.0.4"
}
],
"lilac": [
@@ -75632,6 +77818,38 @@
"v": "<0.0.102"
}
],
+ "litellm": [
+ {
+ "advisory": "Litellm version 1.35.1.dev1 introduces a low-severity security fix by disabling demo accounts on the Admin UI. Previously, the Proxy used a hardcoded demo account with no permissions, posing a potential security risk.",
+ "cve": "PVE-2024-67612",
+ "id": "pyup.io-67612",
+ "more_info_path": "/vulnerabilities/PVE-2024-67612/67612",
+ "specs": [
+ "<1.35.1.dev1"
+ ],
+ "v": "<1.35.1.dev1"
+ },
+ {
+ "advisory": "Affected versions of Litellm are vulnerable to improper authorization. Users could remove files from litellm proxy server when calling /audio/transcriptions.",
+ "cve": "PVE-2024-68072",
+ "id": "pyup.io-68072",
+ "more_info_path": "/vulnerabilities/PVE-2024-68072/68072",
+ "specs": [
+ "<1.35.18"
+ ],
+ "v": "<1.35.18"
+ },
+ {
+ "advisory": "Litellm version 1.35.20.dev2 resolves an issue where users could inadvertently delete files from the Litellm proxy server when accessing the `/audio/transcriptions` endpoint.",
+ "cve": "PVE-2024-69610",
+ "id": "pyup.io-69610",
+ "more_info_path": "/vulnerabilities/PVE-2024-69610/69610",
+ "specs": [
+ "<1.35.20.dev2"
+ ],
+ "v": "<1.35.20.dev2"
+ }
+ ],
"lithops": [
{
"advisory": "Lithops 1.0.1 fixes a flask security issue. See: CVE-2018-1000656.",
@@ -76378,6 +78596,18 @@
"v": "<0.8.5"
}
],
+ "loggerhead": [
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.",
+ "cve": "CVE-2011-0728",
+ "id": "pyup.io-67952",
+ "more_info_path": "/vulnerabilities/CVE-2011-0728/67952",
+ "specs": [
+ "<1.18.1"
+ ],
+ "v": "<1.18.1"
+ }
+ ],
"logilab-common": [
{
"advisory": "The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.",
@@ -76401,16 +78631,6 @@
}
],
"logprep": [
- {
- "advisory": "Logprep 7.0.0 updates its dependency 'urllib3' to include a security fix.",
- "cve": "CVE-2023-43804",
- "id": "pyup.io-61804",
- "more_info_path": "/vulnerabilities/CVE-2023-43804/61804",
- "specs": [
- "<7.0.0"
- ],
- "v": "<7.0.0"
- },
{
"advisory": "Logprep 7.0.0 updates its dependency 'certifi' to include a security fix.",
"cve": "CVE-2023-37920",
@@ -76430,6 +78650,16 @@
"<7.0.0"
],
"v": "<7.0.0"
+ },
+ {
+ "advisory": "Logprep 7.0.0 updates its dependency 'urllib3' to include a security fix.",
+ "cve": "CVE-2023-43804",
+ "id": "pyup.io-61804",
+ "more_info_path": "/vulnerabilities/CVE-2023-43804/61804",
+ "specs": [
+ "<7.0.0"
+ ],
+ "v": "<7.0.0"
}
],
"loguru": [
@@ -76956,20 +79186,20 @@
"v": "<0.9.62"
},
{
- "advisory": "Mage-ai 0.9.62 has updated its cryptography dependency from 36.0.2 to 41.0.6 to address the security issue identified as CVE-2024-22195.",
- "cve": "CVE-2024-0727",
- "id": "pyup.io-65072",
- "more_info_path": "/vulnerabilities/CVE-2024-0727/65072",
+ "advisory": "Mage-ai 0.9.62 has updated its ipython dependency from 7.34.0 to 8.10.0 to address the security issue identified as CVE-2023-24816.",
+ "cve": "CVE-2023-24816",
+ "id": "pyup.io-65071",
+ "more_info_path": "/vulnerabilities/CVE-2023-24816/65071",
"specs": [
"<0.9.62"
],
"v": "<0.9.62"
},
{
- "advisory": "Mage-ai 0.9.62 has updated its ipython dependency from 7.34.0 to 8.10.0 to address the security issue identified as CVE-2023-24816.",
- "cve": "CVE-2023-24816",
- "id": "pyup.io-65071",
- "more_info_path": "/vulnerabilities/CVE-2023-24816/65071",
+ "advisory": "Mage-ai 0.9.62 has updated its cryptography dependency from 36.0.2 to 41.0.6 to address the security issue identified as CVE-2024-22195.",
+ "cve": "CVE-2024-0727",
+ "id": "pyup.io-65072",
+ "more_info_path": "/vulnerabilities/CVE-2024-0727/65072",
"specs": [
"<0.9.62"
],
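Review bot: On the new side the entry pyup.io-65072 still pairs `"cve": "CVE-2024-0727"` with an advisory sentence saying the cryptography bump addresses CVE-2024-22195, which is the Jinja2 identifier carried by the neighbouring 0.9.65 entry (pyup.io-66072). One of the two identifiers in this record is misattributed, and since `more_info_path` is derived from the `cve` field a consumer following the link lands on an advisory whose own text contradicts it. The reorder does not touch this, but if the `cve` field is the authoritative one the sentence should read `... to address the security issue identified as CVE-2024-0727.`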
@@ -76986,20 +79216,20 @@
"v": "<0.9.62"
},
{
- "advisory": "Mage-ai version 0.9.65 updates its jupyter-server dependency to 2.11.2 from the previous 1.23.5 in response to the security vulnerability CVE-2023-49080.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
- "cve": "CVE-2023-49080",
- "id": "pyup.io-66645",
- "more_info_path": "/vulnerabilities/CVE-2023-49080/66645",
+ "advisory": "Mage-ai version 0.9.65 updates its Jinja2 dependency to 3.1.3 from the previous 3.1.2 in response to the security vulnerability CVE-2024-22195.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
+ "cve": "CVE-2024-22195",
+ "id": "pyup.io-66072",
+ "more_info_path": "/vulnerabilities/CVE-2024-22195/66072",
"specs": [
"<0.9.65"
],
"v": "<0.9.65"
},
{
- "advisory": "Mage-ai version 0.9.65 updates its Jinja2 dependency to 3.1.3 from the previous 3.1.2 in response to the security vulnerability CVE-2024-22195.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
- "cve": "CVE-2024-22195",
- "id": "pyup.io-66072",
- "more_info_path": "/vulnerabilities/CVE-2024-22195/66072",
+ "advisory": "Mage-ai version 0.9.65 updates its jupyter-server dependency to 2.11.2 from the previous 1.23.5 in response to the security vulnerability CVE-2023-49080.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
+ "cve": "CVE-2023-49080",
+ "id": "pyup.io-66645",
+ "more_info_path": "/vulnerabilities/CVE-2023-49080/66645",
"specs": [
"<0.9.65"
],
@@ -77040,6 +79270,18 @@
"v": ">0"
}
],
+ "mailchecker": [
+ {
+ "advisory": "Mailchecker version 3.2.9 includes a security enhancement by forcing the lodash library to update to versions greater than 4.17.5. This update addresses the CVE-2018-3721.",
+ "cve": "CVE-2018-3721",
+ "id": "pyup.io-68095",
+ "more_info_path": "/vulnerabilities/CVE-2018-3721/68095",
+ "specs": [
+ "<3.2.9"
+ ],
+ "v": "<3.2.9"
+ }
+ ],
"mailman": [
{
"advisory": "Mailman 2.1.14 includes a fix for CVE-2011-0707: Three XSS flaws due improper escaping of the full name of the member.",
@@ -77091,6 +79333,26 @@
],
"v": "<2.1.28"
},
+ {
+ "advisory": "/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.",
+ "cve": "CVE-2020-12108",
+ "id": "pyup.io-70585",
+ "more_info_path": "/vulnerabilities/CVE-2020-12108/70585",
+ "specs": [
+ "<2.1.31"
+ ],
+ "v": "<2.1.31"
+ },
+ {
+ "advisory": "GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.",
+ "cve": "CVE-2020-15011",
+ "id": "pyup.io-70582",
+ "more_info_path": "/vulnerabilities/CVE-2020-15011/70582",
+ "specs": [
+ "<2.1.33"
+ ],
+ "v": "<2.1.33"
+ },
{
"advisory": "GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).",
"cve": "CVE-2021-42097",
@@ -77231,6 +79493,16 @@
],
"v": "<=2.1"
},
+ {
+ "advisory": "Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators.",
+ "cve": "CVE-2016-7123",
+ "id": "pyup.io-70520",
+ "more_info_path": "/vulnerabilities/CVE-2016-7123/70520",
+ "specs": [
+ "<=2.1.14"
+ ],
+ "v": "<=2.1.14"
+ },
{
"advisory": "Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.",
"cve": "CVE-2018-0618",
@@ -77414,6 +79686,18 @@
"v": ">=2.1.4,<=2.1.6"
}
],
+ "mailpile": [
+ {
+ "advisory": "The \"Security and Privacy\" Encryption feature in Mailpile before 1.0.0rc4 does not exclude disabled, revoked, and expired keys.",
+ "cve": "CVE-2018-20954",
+ "id": "pyup.io-70572",
+ "more_info_path": "/vulnerabilities/CVE-2018-20954/70572",
+ "specs": [
+ "<1.0.0rc4"
+ ],
+ "v": "<1.0.0rc4"
+ }
+ ],
"mako": [
{
"advisory": "Mako 0.3.4 includes a fix for CVE-2010-2480: Improper escaping of single quotes in escape.cgi (XSS).",
@@ -77473,6 +79757,26 @@
}
],
"manila": [
+ {
+ "advisory": "User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even \"admin\" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.",
+ "cve": "CVE-2020-27781",
+ "id": "pyup.io-70605",
+ "more_info_path": "/vulnerabilities/CVE-2020-27781/70605",
+ "specs": [
+ "<16.2.0"
+ ],
+ "v": "<16.2.0"
+ },
+ {
+ "advisory": "Cross-site scripting (XSS) vulnerability in the \"Shares\" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the \"Create Share\" form.",
+ "cve": "CVE-2016-6519",
+ "id": "pyup.io-70604",
+ "more_info_path": "/vulnerabilities/CVE-2016-6519/70604",
+ "specs": [
+ "<2.5.1"
+ ],
+ "v": "<2.5.1"
+ },
{
"advisory": "OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks. See: CVE-2020-9543.",
"cve": "CVE-2020-9543",
@@ -77817,6 +80121,16 @@
"<0.3.5"
],
"v": "<0.3.5"
+ },
+ {
+ "advisory": "Dbt-snowflake 1.8.0b2 updates its cryptography requirement to version 42.0.4 or newer, addressing security concerns highlighted by CVE-2024-26130.",
+ "cve": "CVE-2024-31207",
+ "id": "pyup.io-67471",
+ "more_info_path": "/vulnerabilities/CVE-2024-31207/67471",
+ "specs": [
+ "<0.3.9"
+ ],
+ "v": "<0.3.9"
}
],
"markdown-it-py": [
@@ -78279,6 +80593,16 @@
],
"v": "<0.10.0"
},
+ {
+ "advisory": "Matlab-proxy version 0.15.1 addresses an issue where token authentication was invalidated due to cookie overlap from other servers operating on different ports within the same domain.",
+ "cve": "PVE-2024-70494",
+ "id": "pyup.io-70494",
+ "more_info_path": "/vulnerabilities/PVE-2024-70494/70494",
+ "specs": [
+ "<0.15.1"
+ ],
+ "v": "<0.15.1"
+ },
{
"advisory": "Matlab-proxy 0.8.0 includes a fix for an unsafe defaults vulnerability.\r\nhttps://github.com/mathworks/matlab-proxy/commit/b446ec20374e8adb3b3f79ba49ce4ccb73f1bcf4",
"cve": "PVE-2023-61464",
@@ -78422,6 +80746,36 @@
],
"v": "<0.28.1"
},
+ {
+ "advisory": "The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.",
+ "cve": "CVE-2018-12291",
+ "id": "pyup.io-67946",
+ "more_info_path": "/vulnerabilities/CVE-2018-12291/67946",
+ "specs": [
+ "<0.31.1"
+ ],
+ "v": "<0.31.1"
+ },
+ {
+ "advisory": "In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.",
+ "cve": "CVE-2018-12423",
+ "id": "pyup.io-67947",
+ "more_info_path": "/vulnerabilities/CVE-2018-12423/67947",
+ "specs": [
+ "<0.31.2"
+ ],
+ "v": "<0.31.2"
+ },
+ {
+ "advisory": "Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.",
+ "cve": "CVE-2018-16515",
+ "id": "pyup.io-67948",
+ "more_info_path": "/vulnerabilities/CVE-2018-16515/67948",
+ "specs": [
+ "<0.33.3.1"
+ ],
+ "v": "<0.33.3.1"
+ },
{
"advisory": "Matrix-synapse 1.25.0 includes a fix for CVE-2021-21273: Open redirects on some federation and push requests.\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p",
"cve": "CVE-2021-21273",
@@ -78823,6 +81177,16 @@
"<4.4.10"
],
"v": "<4.4.10"
+ },
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.",
+ "cve": "CVE-2014-3840",
+ "id": "pyup.io-70422",
+ "more_info_path": "/vulnerabilities/CVE-2014-3840/70422",
+ "specs": [
+ "<=0.13"
+ ],
+ "v": "<=0.13"
}
],
"md4c": [
@@ -79019,6 +81383,18 @@
"v": "<0.1.20"
}
],
+ "meraki": [
+ {
+ "advisory": "Versions of aiohttp before 1.40.1, an asynchronous HTTP client/server framework for asyncio and Python, are susceptible to a vulnerability where improper validation allows an attacker to modify or create a new HTTP request by controlling the HTTP version of the request. This issue specifically affects environments where the attacker has the ability to control the HTTP version.",
+ "cve": "CVE-2023-49081",
+ "id": "pyup.io-68085",
+ "more_info_path": "/vulnerabilities/CVE-2023-49081/68085",
+ "specs": [
+ "<1.40.1"
+ ],
+ "v": "<1.40.1"
+ }
+ ],
"mercurial": [
{
"advisory": "Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.",
@@ -79273,20 +81649,20 @@
],
"metricflow": [
{
- "advisory": "Metricflow 0.100.0 updates its dependency 'snowflake-connector-python' to 2.7.8 to include a security fix.",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-50267",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/50267",
+ "advisory": "Metricflow 0.100.0 updates its dependency 'numpy' to v1.22.2 to include a security fix.",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-50258",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/50258",
"specs": [
"<0.100.0"
],
"v": "<0.100.0"
},
{
- "advisory": "Metricflow 0.100.0 updates its dependency 'numpy' to v1.22.2 to include a security fix.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-50258",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/50258",
+ "advisory": "Metricflow 0.100.0 updates its dependency 'snowflake-connector-python' to 2.7.8 to include a security fix.",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-50267",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/50267",
"specs": [
"<0.100.0"
],
@@ -79356,6 +81732,26 @@
],
"v": "<=4.3.1"
},
+ {
+ "advisory": "An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.",
+ "cve": "CVE-2024-22311",
+ "id": "pyup.io-68491",
+ "more_info_path": "/vulnerabilities/CVE-2024-22311/68491",
+ "specs": [
+ "<=6.0.0"
+ ],
+ "v": "<=6.0.0"
+ },
+ {
+ "advisory": "An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.",
+ "cve": "CVE-2023-45922",
+ "id": "pyup.io-68492",
+ "more_info_path": "/vulnerabilities/CVE-2023-45922/68492",
+ "specs": [
+ "<=6.0.0"
+ ],
+ "v": "<=6.0.0"
+ },
{
"advisory": "Cross Site Scripting (XSS) in Mezzanine v4.3.1 allows remote attackers to execute arbitrary code via the 'Description' field of the component 'admin/blog/blogpost/add/'. This issue is different than CVE-2018-16632.",
"cve": "CVE-2020-19002",
@@ -79489,6 +81885,30 @@
"v": "<2024.1.5"
}
],
+ "micropython-copy": [
+ {
+ "advisory": "A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.",
+ "cve": "CVE-2023-7152",
+ "id": "pyup.io-70396",
+ "more_info_path": "/vulnerabilities/CVE-2023-7152/70396",
+ "specs": [
+ "<1.22.0"
+ ],
+ "v": "<1.22.0"
+ }
+ ],
+ "micropython-io": [
+ {
+ "advisory": "A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.",
+ "cve": "CVE-2023-7152",
+ "id": "pyup.io-70397",
+ "more_info_path": "/vulnerabilities/CVE-2023-7152/70397",
+ "specs": [
+ "<1.22.0"
+ ],
+ "v": "<1.22.0"
+ }
+ ],
"micropython-mdns": [
{
"advisory": "Micropython-mdns 1.3.0 updates its dependency 'wheel' to v0.38.0 to include a security fix.",
@@ -79514,9 +81934,9 @@
},
{
"advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-50871",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-50914",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
"specs": [
"<1.5.4"
],
@@ -79524,9 +81944,9 @@
},
{
"advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-50914",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-50871",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
"specs": [
"<1.5.4"
],
@@ -79613,20 +82033,20 @@
"v": "<22.11.4.3"
},
{
- "advisory": "Mindsdb 23.11.4.1 fixes a security bug related to the file upload security. \r\nhttps://github.com/mindsdb/mindsdb/commit/9dfec88ed0840cf3eb7805d6383067d256d9f7d3",
- "cve": "PVE-2023-62723",
- "id": "pyup.io-62723",
- "more_info_path": "/vulnerabilities/PVE-2023-62723/62723",
+ "advisory": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.",
+ "cve": "CVE-2023-49795",
+ "id": "pyup.io-65355",
+ "more_info_path": "/vulnerabilities/CVE-2023-49795/65355",
"specs": [
"<23.11.4.1"
],
"v": "<23.11.4.1"
},
{
- "advisory": "MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.",
- "cve": "CVE-2023-49795",
- "id": "pyup.io-65355",
- "more_info_path": "/vulnerabilities/CVE-2023-49795/65355",
+ "advisory": "Mindsdb 23.11.4.1 fixes a security bug related to the file upload security. \r\nhttps://github.com/mindsdb/mindsdb/commit/9dfec88ed0840cf3eb7805d6383067d256d9f7d3",
+ "cve": "PVE-2023-62723",
+ "id": "pyup.io-62723",
+ "more_info_path": "/vulnerabilities/PVE-2023-62723/62723",
"specs": [
"<23.11.4.1"
],
@@ -79695,20 +82115,10 @@
"v": "<0.5.0-beta"
},
{
- "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13630.",
- "cve": "CVE-2020-13630",
- "id": "pyup.io-40836",
- "more_info_path": "/vulnerabilities/CVE-2020-13630/40836",
- "specs": [
- "<0.5.0beta"
- ],
- "v": "<0.5.0beta"
- },
- {
- "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to version 3.32.2 to include security fixes.",
- "cve": "CVE-2020-11655",
- "id": "pyup.io-40834",
- "more_info_path": "/vulnerabilities/CVE-2020-11655/40834",
+ "advisory": "Mindspore 0.5.0beta updates the underlying 'libjpeg-turbo' dependency to 2.0.4 to handle CVE-2020-13790.",
+ "cve": "CVE-2020-13790",
+ "id": "pyup.io-41016",
+ "more_info_path": "/vulnerabilities/CVE-2020-13790/41016",
"specs": [
"<0.5.0beta"
],
@@ -79725,20 +82135,20 @@
"v": "<0.5.0beta"
},
{
- "advisory": "Mindspore 0.5.0beta updates its dependency 'sqlite' to v3.32.2 to include security fixes.",
- "cve": "CVE-2020-11656",
- "id": "pyup.io-41006",
- "more_info_path": "/vulnerabilities/CVE-2020-11656/41006",
+ "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13630.",
+ "cve": "CVE-2020-13630",
+ "id": "pyup.io-40836",
+ "more_info_path": "/vulnerabilities/CVE-2020-13630/40836",
"specs": [
"<0.5.0beta"
],
"v": "<0.5.0beta"
},
{
- "advisory": "Mindspore 0.5.0beta updates the underlying 'libjpeg-turbo' dependency to 2.0.4 to handle CVE-2020-13790.",
- "cve": "CVE-2020-13790",
- "id": "pyup.io-41016",
- "more_info_path": "/vulnerabilities/CVE-2020-13790/41016",
+ "advisory": "Mindspore 0.5.0beta updates its dependency 'sqlite' to v3.32.2 to include security fixes.",
+ "cve": "CVE-2020-11656",
+ "id": "pyup.io-41006",
+ "more_info_path": "/vulnerabilities/CVE-2020-11656/41006",
"specs": [
"<0.5.0beta"
],
@@ -79784,6 +82194,16 @@
],
"v": "<0.5.0beta"
},
+ {
+ "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to version 3.32.2 to include security fixes.",
+ "cve": "CVE-2020-11655",
+ "id": "pyup.io-40834",
+ "more_info_path": "/vulnerabilities/CVE-2020-11655/40834",
+ "specs": [
+ "<0.5.0beta"
+ ],
+ "v": "<0.5.0beta"
+ },
{
"advisory": "Mindspore 0.5.0beta upgrades its depedency 'SQLite' to 3.32.2 to handle CVE-2020-13632.",
"cve": "CVE-2020-13632",
@@ -79855,20 +82275,20 @@
"v": ">=0.7.0,<1.3.0"
},
{
- "advisory": "When performing the inference shape operation of Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather operators, if the input shape size is 0, it will access data outside of bounds of shape which allocated from heap buffers.",
- "cve": "CVE-2021-33648",
- "id": "pyup.io-65822",
- "more_info_path": "/vulnerabilities/CVE-2021-33648/65822",
+ "advisory": "When performing the analytical operation of the DepthwiseConv2D operator, if the attribute depth_multiplier is 0, it will cause a division by 0 exception.",
+ "cve": "CVE-2021-33651",
+ "id": "pyup.io-65825",
+ "more_info_path": "/vulnerabilities/CVE-2021-33651/65825",
"specs": [
">=1.1.0,<1.3.0"
],
"v": ">=1.1.0,<1.3.0"
},
{
- "advisory": "When performing the analytical operation of the DepthwiseConv2D operator, if the attribute depth_multiplier is 0, it will cause a division by 0 exception.",
- "cve": "CVE-2021-33651",
- "id": "pyup.io-65825",
- "more_info_path": "/vulnerabilities/CVE-2021-33651/65825",
+ "advisory": "When performing the inference shape operation of Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather operators, if the input shape size is 0, it will access data outside of bounds of shape which allocated from heap buffers.",
+ "cve": "CVE-2021-33648",
+ "id": "pyup.io-65822",
+ "more_info_path": "/vulnerabilities/CVE-2021-33648/65822",
"specs": [
">=1.1.0,<1.3.0"
],
@@ -80126,9 +82546,9 @@
},
{
"advisory": "Mitmproxy 9.0.1 updates its precompiled binaries with OpenSSL 3.0.7, to include security fixes.",
- "cve": "CVE-2022-3602",
- "id": "pyup.io-51778",
- "more_info_path": "/vulnerabilities/CVE-2022-3602/51778",
+ "cve": "CVE-2022-3786",
+ "id": "pyup.io-51651",
+ "more_info_path": "/vulnerabilities/CVE-2022-3786/51651",
"specs": [
"<9.0.1"
],
@@ -80136,9 +82556,9 @@
},
{
"advisory": "Mitmproxy 9.0.1 updates its precompiled binaries with OpenSSL 3.0.7, to include security fixes.",
- "cve": "CVE-2022-3786",
- "id": "pyup.io-51651",
- "more_info_path": "/vulnerabilities/CVE-2022-3786/51651",
+ "cve": "CVE-2022-3602",
+ "id": "pyup.io-51778",
+ "more_info_path": "/vulnerabilities/CVE-2022-3602/51778",
"specs": [
"<9.0.1"
],
@@ -80208,16 +82628,6 @@
}
],
"mjml": [
- {
- "advisory": "Version 0.11.0 of Mjml addresses a security concern where HTML entities like > were not properly escaped in the output, potentially allowing the injection of untrusted data.\r\nhttps://github.com/FelixSchwarz/mjml-python/commit/8d410b7a500703080bb14ed7e3d2663fe16767e6",
- "cve": "PVE-2024-65629",
- "id": "pyup.io-65629",
- "more_info_path": "/vulnerabilities/PVE-2024-65629/65629",
- "specs": [
- "<0.11.0"
- ],
- "v": "<0.11.0"
- },
{
"advisory": "The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `<script>` would be rendered as `