Vulnerable Library - PyJWT-2.3.0-py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/2a/4d/67cc66a0c49003dc216fc73db2d05a3b80c7193167fd113da1f2c678ac2a/PyJWT-2.3.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc

CVE-2022-29217

Vulnerable Library - PyJWT-2.3.0-py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/2a/4d/67cc66a0c49003dc216fc73db2d05a3b80c7193167fd113da1f2c678ac2a/PyJWT-2.3.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ PyJWT-2.3.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc

Found in base branch: main

Vulnerability Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Publish Date: 2022-05-24

URL: CVE-2022-29217

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217

Release Date: 2022-05-24

Fix Resolution: PyJWT - 2.4.0

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - waitress-2.1.1-py3-none-any.whl

Waitress WSGI server

Library home page: https://files.pythonhosted.org/packages/3c/ce/5761c7e60b9fdf526ddf461f416e67644147e83a30e8364d231ec62eb81e/waitress-2.1.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc

CVE-2022-31015

Vulnerable Library - waitress-2.1.1-py3-none-any.whl

Waitress WSGI server

Library home page: https://files.pythonhosted.org/packages/3c/ce/5761c7e60b9fdf526ddf461f416e67644147e83a30e8364d231ec62eb81e/waitress-2.1.1-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ waitress-2.1.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 5aed429330b2210831b13e67fe7fa885f4633cdc

Found in base branch: main

Vulnerability Details

Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and 2.1.1 may terminate early due to a thread closing a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. This issue has been fixed in Waitress 2.1.2 by no longer allowing the WSGI thread to close the socket. Instead, that is always delegated to the main thread. There is no work-around for this issue. However, users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.

Publish Date: 2022-05-31

URL: CVE-2022-31015

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31015

Release Date: 2022-05-31

Fix Resolution: waitress - 2.1.2

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - Mako-1.1.6-py2.py3-none-any.whl

A super-fast templating language that borrows the best ideas from the existing templating languages.

Library home page: https://files.pythonhosted.org/packages/b4/4d/e03d08f16ee10e688bde9016bc80af8b78c7f36a8b37c7194da48f72207e/Mako-1.1.6-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

CVE-2022-40023

Vulnerable Library - Mako-1.1.6-py2.py3-none-any.whl

A super-fast templating language that borrows the best ideas from the existing templating languages.

Library home page: https://files.pythonhosted.org/packages/b4/4d/e03d08f16ee10e688bde9016bc80af8b78c7f36a8b37c7194da48f72207e/Mako-1.1.6-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

• ❌ Mako-1.1.6-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

Publish Date: 2022-09-07

URL: CVE-2022-40023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-07

Fix Resolution: Mako - 1.2.2

⛑️ Automatic Remediation is available for this issue