lvcarlosja / bokeh Goto Github PK

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh,/tmp/ws-scm/bokeh/docker-tools/debian/requirements.txt

Dependency Hierarchy:

• bokeh-1.4.0.tar.gz (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10177

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh,/tmp/ws-scm/bokeh/docker-tools/debian/requirements.txt

Dependency Hierarchy:

• bokeh-1.4.0.tar.gz (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.

Publish Date: 2020-06-25

URL: CVE-2020-10378

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to dependency file: /tmp/ws-scm/bokeh/bokehjs/node_modules/jquery-ui/demos/slider/multiple-vertical.html

Path to vulnerable library: /bokeh/bokehjs/node_modules/jquery-ui/demos/slider/../../external/jquery/jquery.js,/bokeh/bokehjs/node_modules/jquery-ui/demos/effect/../../external/jquery/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.12.4.js (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Vulnerable Libraries - jquery-1.12.4.js, jquery-3.4.1.min.js

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh,/tmp/ws-scm/bokeh/docker-tools/debian/requirements.txt

Dependency Hierarchy:

• bokeh-1.4.0.tar.gz (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Publish Date: 2020-06-25

URL: CVE-2020-11538

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to dependency file: /tmp/ws-scm/bokeh/bokehjs/node_modules/jquery-ui/demos/slider/multiple-vertical.html

Path to vulnerable library: /bokeh/bokehjs/node_modules/jquery-ui/demos/slider/../../external/jquery/jquery.js,/bokeh/bokehjs/node_modules/jquery-ui/demos/effect/../../external/jquery/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.12.4.js (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh,/tmp/ws-scm/bokeh/docker-tools/debian/requirements.txt

Dependency Hierarchy:

• bokeh-1.4.0.tar.gz (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10379

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/bokeh/bokehjs/package.json

Path to vulnerable library: /tmp/ws-scm/bokeh/bokehjs/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - ajv-6.12.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz

Path to dependency file: /tmp/ws-scm/bokeh/bokehjs/package.json

Path to vulnerable library: /tmp/ws-scm/bokeh/bokehjs/node_modules/ajv/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ ajv-6.12.2.tgz (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Vulnerable Library - PyYAML-5.3.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/3d/d9/ea9816aea31beeadccd03f1f8b625ecf8f645bd66744484d162d84803ce5/PyYAML-5.3.tar.gz

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh

Dependency Hierarchy:

• ❌ PyYAML-5.3.tar.gz (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Publish Date: 2020-03-24

URL: CVE-2020-1747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747

Release Date: 2020-03-24

Fix Resolution: 5.3.1

Vulnerable Libraries - jquery-1.12.4.js, jquery-3.4.1.min.js

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /tmp/ws-scm/bokeh

Path to vulnerable library: /bokeh,/tmp/ws-scm/bokeh/docker-tools/debian/requirements.txt

Dependency Hierarchy:

• bokeh-1.4.0.tar.gz (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f258eb867515d3b493589886c4699a9ca032a6b0

Vulnerability Details

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Publish Date: 2020-06-25

URL: CVE-2020-10994

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0