
flow's People

Contributors

aturnerbulldawg, billimek, crstamps2, dwood12, eldirinice, gavinfigueroa, giggi1226, hd-lj, jajomi, mend-for-github-com[bot], mkdillard, mvalle21, nareshgnt, pturnerdepot, wrmilling

flow's Issues

CVE-2022-23491 (High) detected in certifi-2020.12.5-py2.py3-none-any.whl

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/flow

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07

CVE-2022-42969 (High) detected in py-1.10.0-py2.py3-none-any.whl, py-1.4.31-py2.py3-none-any.whl

CVE-2022-42969 - High Severity Vulnerability

Vulnerable Libraries - py-1.10.0-py2.py3-none-any.whl, py-1.4.31-py2.py3-none-any.whl

py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • pytest_mock-1.2-py2.py3-none-any.whl (Root Library)
    • pytest-2.9.2-py2.py3-none-any.whl
      • py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)

py-1.4.31-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/19/f2/4b71181a49a4673a12c8f5075b8744c5feb0ed9eba352dd22512d2c04d47/py-1.4.31-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /tmp/ws-scm/flow,/flow

Dependency Hierarchy:

  • py-1.4.31-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproducible, and they argue this is not a valid vulnerability.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2021-33503 (High) detected in urllib3-1.26.3-py2.py3-none-any.whl, urllib3-1.24.2-py2.py3-none-any.whl

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Libraries - urllib3-1.26.3-py2.py3-none-any.whl, urllib3-1.24.2-py2.py3-none-any.whl

urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5


⛑️ Automatic Remediation is available for this issue

CVE-2023-37920 (Critical) detected in certifi-2020.12.5-py2.py3-none-any.whl

CVE-2023-37920 - Critical Severity Vulnerability

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/flow

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution (certifi): 2023.7.22

Direct dependency fix Resolution (responses): 0.9.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24439 (High) detected in GitPython-2.0.2-py2.py3-none-any.whl

CVE-2022-24439 - High Severity Vulnerability

Vulnerable Library - GitPython-2.0.2-py2.py3-none-any.whl

Python Git Library

Library home page: https://files.pythonhosted.org/packages/9f/4e/c27ecaa02b1c6b6064c8c949d9203714fa228d127faf1b8e21f4759a5e89/GitPython-2.0.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow

Dependency Hierarchy:

  • GitPython-2.0.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2021-33503 (High) detected in urllib3-1.26.3-py2.py3-none-any.whl, urllib3-1.24.2-py2.py3-none-any.whl

CVE-2021-33503 - High Severity Vulnerability

Vulnerable Libraries - urllib3-1.26.3-py2.py3-none-any.whl, urllib3-1.24.2-py2.py3-none-any.whl

urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (responses): 0.9.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-28363 (Medium) detected in urllib3-1.26.3-py2.py3-none-any.whl

CVE-2021-28363 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Publish Date: 2021-03-15

URL: CVE-2021-28363

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5phf-pp7p-vc2r

Release Date: 2021-03-15

Fix Resolution (urllib3): 1.26.4

Direct dependency fix Resolution (responses): 0.9.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-35195 (Medium) detected in requests-2.25.1-py2.py3-none-any.whl

CVE-2024-35195 - Medium Severity Vulnerability

Vulnerable Library - requests-2.25.1-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/29/c1/24814557f1d22c56d50280771a17307e6bf87b70727d975fd6b2ce6b014a/requests-2.25.1-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow,/requirements.txt

Dependency Hierarchy:

  • requests-2.25.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

Publish Date: 2024-05-20

URL: CVE-2024-35195

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-9wx4-h78v-vm56

Release Date: 2024-05-20

Fix Resolution: 2.32.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-9740 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2019-9740 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution: 1.24.3


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-32681 (Medium) detected in requests-2.25.1-py2.py3-none-any.whl

CVE-2023-32681 - Medium Severity Vulnerability

Vulnerable Library - requests-2.25.1-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/29/c1/24814557f1d22c56d50280771a17307e6bf87b70727d975fd6b2ce6b014a/requests-2.25.1-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow,/requirements.txt

Dependency Hierarchy:

  • requests-2.25.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: 2.32.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23491 (High) detected in certifi-2020.12.5-py2.py3-none-any.whl

CVE-2022-23491 - High Severity Vulnerability

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/flow

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (responses): 0.9.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-29651 (High) detected in py-1.4.31-py2.py3-none-any.whl

CVE-2020-29651 - High Severity Vulnerability

Vulnerable Library - py-1.4.31-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/19/f2/4b71181a49a4673a12c8f5075b8744c5feb0ed9eba352dd22512d2c04d47/py-1.4.31-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /tmp/ws-scm/flow,/flow

Dependency Hierarchy:

  • py-1.4.31-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Publish Date: 2020-12-09

URL: CVE-2020-29651

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hj5v-574p-mj7c

Release Date: 2020-12-09

Fix Resolution: 1.11.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-28363 (Medium) detected in urllib3-1.26.3-py2.py3-none-any.whl

CVE-2021-28363 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • responses-0.8.1-py2.py3-none-any.whl (Root Library)
    • requests-2.25.1-py2.py3-none-any.whl
      • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Publish Date: 2021-03-15

URL: CVE-2021-28363

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5phf-pp7p-vc2r

Release Date: 2021-03-15

Fix Resolution: 1.26.4

CVE-2020-26137 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-11236 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2019-11236 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

Publish Date: 2019-04-15

URL: CVE-2019-11236

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r64q-w8jr-g9qp

Release Date: 2019-04-15

Fix Resolution: 1.24.3


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24439 (Critical) detected in GitPython-2.0.2-py2.py3-none-any.whl

CVE-2022-24439 - Critical Severity Vulnerability

Vulnerable Library - GitPython-2.0.2-py2.py3-none-any.whl

GitPython is a Python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/9f/4e/c27ecaa02b1c6b6064c8c949d9203714fa228d127faf1b8e21f4759a5e89/GitPython-2.0.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow

Dependency Hierarchy:

  • GitPython-2.0.2-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2022-42969 (High) detected in py-1.10.0-py2.py3-none-any.whl, py-1.4.31-py2.py3-none-any.whl

CVE-2022-42969 - High Severity Vulnerability

Vulnerable Libraries - py-1.10.0-py2.py3-none-any.whl, py-1.4.31-py2.py3-none-any.whl

py-1.10.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • pytest_mock-1.2-py2.py3-none-any.whl (Root Library)
    • pytest-2.9.2-py2.py3-none-any.whl
      • py-1.10.0-py2.py3-none-any.whl (Vulnerable Library)

py-1.4.31-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/19/f2/4b71181a49a4673a12c8f5075b8744c5feb0ed9eba352dd22512d2c04d47/py-1.4.31-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /tmp/ws-scm/flow,/flow

Dependency Hierarchy:

  • py-1.4.31-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2019-11236 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2019-11236 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

Publish Date: 2019-04-15

URL: CVE-2019-11236

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r64q-w8jr-g9qp

Release Date: 2019-04-15

Fix Resolution: urllib3 - 1.24.3


⛑️ Automatic Remediation is available for this issue

CVE-2019-9740 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2019-9740 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution: v2.7.17,v3.5.8,v3.6.9,3.7.4,3.7.5


⛑️ Automatic Remediation is available for this issue

CVE-2020-26137 (Medium) detected in urllib3-1.24.2-py2.py3-none-any.whl

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - urllib3-1.24.2-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/df/1c/59cca3abf96f991f2ec3131a4ffe72ae3d9ea1f5894abe8a9c5e3c77cfee/urllib3-1.24.2-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /flow,/tmp/ws-scm/flow

Dependency Hierarchy:

  • urllib3-1.24.2-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c78c9db7aa4d1fdd1aea6ad4e15a777c07e72d4d

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9


⛑️ Automatic Remediation is available for this issue

CVE-2020-29651 (High) detected in py-1.4.31-py2.py3-none-any.whl

CVE-2020-29651 - High Severity Vulnerability

Vulnerable Library - py-1.4.31-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/19/f2/4b71181a49a4673a12c8f5075b8744c5feb0ed9eba352dd22512d2c04d47/py-1.4.31-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/flow

Path to vulnerable library: /tmp/ws-scm/flow,/flow

Dependency Hierarchy:

  • py-1.4.31-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

Publish Date: 2020-12-09

URL: CVE-2020-29651

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj5v-574p-mj7c

Release Date: 2020-12-09

Fix Resolution: py - 1.10.0


⛑️ Automatic Remediation is available for this issue
