dead10c5 / badge-project-template Goto Github PK

.github/workflows/markdown.yml

• actions/checkout v4
• nosborn/github-action-markdown-cli v3.3.0

.github/workflows/reuse.yml

• actions/checkout v4
• fsfe/reuse-action v2.0.0

src/requirements.txt

Vulnerable Library - esptool-4.7.0.tar.gz

Path to dependency file: /src/requirements.txt

Path to vulnerable library: /src/requirements.txt

Found in HEAD commit: 5881f15b59821b26b470414322d95f74bd6a15c2

CVE-2024-26130

Vulnerable Library - cryptography-42.0.1-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/f6/79/227c6f7e98657cf9387d5797d56e983165f294ed838679b2b8ca12118e18/cryptography-42.0.1-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /src/requirements.txt

Path to vulnerable library: /src/requirements.txt

Dependency Hierarchy:

• esptool-4.7.0.tar.gz (Root Library)
  • ❌ cryptography-42.0.1-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 5881f15b59821b26b470414322d95f74bd6a15c2

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

Publish Date: 2024-02-21

URL: CVE-2024-26130

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vqw-3v5j-54x4

Release Date: 2024-02-21

Fix Resolution: cryptography - 42.0.4

Step up your Open Source Security Game with Mend here

CVE-2024-23342

Vulnerable Library - ecdsa-0.18.0-py2.py3-none-any.whl

ECDSA cryptographic signature library (pure python)

Library home page: https://files.pythonhosted.org/packages/09/d4/4f05f5d16a4863b30ba96c23b23e942da8889abfa1cdbabf2a0df12a4532/ecdsa-0.18.0-py2.py3-none-any.whl

Path to dependency file: /src/requirements.txt

Path to vulnerable library: /src/requirements.txt

Dependency Hierarchy:

• esptool-4.7.0.tar.gz (Root Library)
  • ❌ ecdsa-0.18.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 5881f15b59821b26b470414322d95f74bd6a15c2

Found in base branch: main

Vulnerability Details

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Publish Date: 2024-01-23

URL: CVE-2024-23342

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Step up your Open Source Security Game with Mend here