PyJWT-2.3.0-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)
Vulnerable Library - PyJWT-2.3.0-py3-none-any.whl
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/2a/4d/67cc66a0c49003dc216fc73db2d05a3b80c7193167fd113da1f2c678ac2a/PyJWT-2.3.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---
CVE-2022-29217 | 7.5 | PyJWT-2.3.0-py3-none-any.whl | Direct | PyJWT - 2.4.0 | ✅
Details
CVE-2022-29217
Vulnerable Library - PyJWT-2.3.0-py3-none-any.whl
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/2a/4d/67cc66a0c49003dc216fc73db2d05a3b80c7193167fd113da1f2c678ac2a/PyJWT-2.3.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ PyJWT-2.3.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc
Found in base branch: main
Vulnerability Details
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
⛑️ Automatic Remediation is available for this issue
waitress-2.1.1-py3-none-any.whl: 1 vulnerability (highest severity is: 5.9)
Vulnerable Library - waitress-2.1.1-py3-none-any.whl
Waitress WSGI server
Library home page: https://files.pythonhosted.org/packages/3c/ce/5761c7e60b9fdf526ddf461f416e67644147e83a30e8364d231ec62eb81e/waitress-2.1.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---
CVE-2022-31015 | 5.9 | waitress-2.1.1-py3-none-any.whl | Direct | waitress - 2.1.2 | ✅
Details
CVE-2022-31015
Vulnerable Library - waitress-2.1.1-py3-none-any.whl
Waitress WSGI server
Library home page: https://files.pythonhosted.org/packages/3c/ce/5761c7e60b9fdf526ddf461f416e67644147e83a30e8364d231ec62eb81e/waitress-2.1.1-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ waitress-2.1.1-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc
Found in base branch: main
Vulnerability Details
Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.
Publish Date: 2022-05-31
URL: CVE-2022-31015
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31015
Release Date: 2022-05-31
Fix Resolution: waitress - 2.1.2
⛑️ Automatic Remediation is available for this issue
Mako-1.1.6-py2.py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)
Vulnerable Library - Mako-1.1.6-py2.py3-none-any.whl
A super-fast templating language that borrows the best ideas from the existing templating languages.
Library home page: https://files.pythonhosted.org/packages/b4/4d/e03d08f16ee10e688bde9016bc80af8b78c7f36a8b37c7194da48f72207e/Mako-1.1.6-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available
---|---|---|---|---|---
CVE-2022-40023 | 7.5 | Mako-1.1.6-py2.py3-none-any.whl | Direct | Mako - 1.2.2 | ✅
Details
CVE-2022-40023
Vulnerable Library - Mako-1.1.6-py2.py3-none-any.whl
A super-fast templating language that borrows the best ideas from the existing templating languages.
Library home page: https://files.pythonhosted.org/packages/b4/4d/e03d08f16ee10e688bde9016bc80af8b78c7f36a8b37c7194da48f72207e/Mako-1.1.6-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Dependency Hierarchy:
- ❌ Mako-1.1.6-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
SQLAlchemy Mako before 1.2.2 is vulnerable to regular expression denial of service (ReDoS) when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Publish Date: 2022-09-07
URL: CVE-2022-40023
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-09-07
Fix Resolution: Mako - 1.2.2
⛑️ Automatic Remediation is available for this issue