schnipdip / raisensu

A simple license asset management tool.

License: Other

Python 97.51% Shell 2.49%
monitoring license license-management license-manager manager lite asset assets-management asset-management sqlite3 postgresql software-licensing software-management

raisensu's Introduction

Key Features

Supports license encryption.

Supports license expiration SMTP notifications.

Supports license expiration logs.

Supports license expiration monitoring service.

Supports Sqlite3 and Postgres.

Get Started

  1. Install requirements pip3 install -r requirements.txt
  2. Generate Encryption Key python generate_key.py
  3. Build the database table python raisensu.py -t

Possible Arguments

optional arguments:
  -h, --help      show this help message and exit
  -c              Parse through import.csv file
  -d              Delete Asset
  --delete_all    Delete all records in table
  -t              Create a New Table if it has not been created already
  -v              View all entries
  -u              Update an entry
  -o              Select a specific asset(s) to return
  -n NAME         Name of the License Product
  -a HOSTNAME     Name of the hostname the license is attached to
  -l LICENSE      License data
  -q QUANTITY     Total Number of licenses
  -x EXPIRE       License expiration date [requires .csv file]
  -e EXPORT       Export SQL Database to CSV file
  -s ENVIRONMENT  Environment the license resides in
  -r DESCRIPTION  Description of the license

Examples

  1. Getting help: python raisensu.py -h
  2. Adding a new asset from command-line: python raisensu.py -n 'Product Name' -l 'xopi08infsdfpoi3409c' -q 10 -x 12/31/2021 (-a is optional to add a host)
  3. Adding a new asset from command-line: python raisensu.py -n 'Product Name' -l 'xopi08infsdfpoi3409c' -q 1 -x 12/31/2021 -a Host01 -s 'Dev' -r 'License for Host01 in Dev'
  4. Import a list of assets from the import.csv file: python raisensu.py -c
  5. Update an asset: python raisensu.py -u, then follow the prompts
  6. View all assets in the database: python raisensu.py -v
  7. Export assets to a .csv file: python raisensu.py -e [location]

Output

[image: reisensu_img]

Configure Monitoring (optional)

  1. (Windows) Set up a Task Schedule for raisensu_monitor.py
  2. (Linux) Set up a Linux CronJob for raisensu_monitor.py
  3. Edit the monitor_settings.ini file with the appropriate configuration information that fits your environment

Troubleshooting

  1. (Linux) If you are having trouble with generate_key.py, issue the following command: dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64 > secret.key
  2. (Linux) If you are having trouble installing the PyPI package psycopg2, use the following command: pip3 install libpq-dev psycopg2-binary psycopg2
  3. For some reason, pandas isn't installing via the requirements.txt file. Do a pip3 install pandas to install Pandas.

Extra Functionality

  1. Achieving HA for Raisensu Linux services is possible with Corosync and Pacemaker. The two services files for Raisensu are:
    • raisensu_monitor.service
    • raisensu_timer.timer

raisensu's People

Contributors

codacy-badger, mend-bolt-for-github[bot]


raisensu's Issues

CVE-2023-0286 (High) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2023-0286 - High Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4qr-2fvf-3mr5

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8


Step up your Open Source Security Game with Mend here

CVE-2023-23931 (Medium) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2023-23931 - Medium Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: 39.0.1

CVE-2023-49083 (Critical) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2023-49083 - Critical Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: cryptography - 41.0.6

Select Object to Return

It would be nice to select licenses by hostname, name, id, expires, environment, description.

So if a user wants to only view the licenses in the dev environment, they can return those objects from the database.

CVE-2020-13091 (High) detected in pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl - autoclosed

CVE-2020-13091 - High Severity Vulnerability

Vulnerable Library - pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl

Powerful data structures for data analysis, time series, and statistics

Library home page: https://files.pythonhosted.org/packages/db/83/7d4008ffc2988066ff37f6a0bb6d7b60822367dcb36ba5e39aa7801fda54/pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: Raisensu/windows/requirements.txt

Path to vulnerable library: Raisensu/windows/requirements.txt,Raisensu/linux/requirements.txt

Dependency Hierarchy:

  • pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 09a5988efb8b45dd00f81a8e33f09bec222e45dd

Found in base branch: master

Vulnerability Details

** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner.

Publish Date: 2020-05-15

URL: CVE-2020-13091

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-13091

Release Date: 2020-05-19

Fix Resolution: pandas - 0.3.0.beta,1.0.4;autovizwidget - 0.12.7;pandas - 1.0.4,1.1.0rc0


Step up your Open Source Security Game with WhiteSource here

sqlite3.OperationalError on update transaction

File:

raisensu.py

Code:

cursor.execute('''UPDATE ASSETS SET ? = '?' WHERE ID = ?''', (updateColumn, setValue, updateIndex))

Return:

Traceback (most recent call last):
  File "main.py", line 149, in <module>
    update_asset()
  File "main.py", line 99, in update_asset
    cursor.execute('''UPDATE ASSETS SET ? = '?' WHERE ID = ?''', (updateColumn, setValue, updateIndex))
sqlite3.OperationalError: near "?": syntax error

Syntax Error: UPDATE new License when encrypted

File:

raisensu.py

Code:

sql_update = "UPDATE ASSETS SET {0} = '{1}' WHERE ID = {2}".format(updateColumn, key_object.encrypt(setValue), updateIndex)

Issue:

When updating the license column, a syntax error is thrown.
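The two issues above share one root cause: sqlite3 placeholders can bind values but never identifiers, and the str.format workaround both invites SQL injection and stores the repr of the bytes that encrypt() returns. The following is an added example, not raisensu's own code; the ASSETS column names, the use of Fernet for the license column and the sample row are assumptions.

```python
import sqlite3

# Columns a user may update; assumed to mirror raisensu's ASSETS table
# (the README's -n/-a/-l/-q/-x/-s/-r arguments).
UPDATABLE_COLUMNS = ("NAME", "HOSTNAME", "LICENSE", "QUANTITY",
                     "EXPIRES", "ENVIRONMENT", "DESCRIPTION")


def create_schema(conn):
    # Constructed schema for this example; raisensu's real table may differ.
    conn.execute("""CREATE TABLE IF NOT EXISTS ASSETS (
        ID INTEGER PRIMARY KEY, NAME TEXT, HOSTNAME TEXT, LICENSE TEXT,
        QUANTITY INTEGER, EXPIRES TEXT, ENVIRONMENT TEXT, DESCRIPTION TEXT)""")


def sample_db():
    """In-memory database holding one constructed asset row (ID 1)."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    conn.execute("INSERT INTO ASSETS (NAME, QUANTITY, EXPIRES) VALUES (?, ?, ?)",
                 ("Product Name", 10, "12/31/2021"))
    conn.commit()
    return conn


def update_asset(conn, update_column, set_value, update_index, encrypt):
    """Update one column of one asset row.

    update_column -- user-supplied column name, checked against the whitelist
    set_value     -- new value (str); the LICENSE column is encrypted first
    update_index  -- row ID
    encrypt       -- callable bytes -> bytes, e.g. Fernet(key).encrypt
    Returns the number of rows changed; raises ValueError for unknown columns.
    """
    column = update_column.upper()
    if column not in UPDATABLE_COLUMNS:
        # A '?' cannot stand in for a column name, so the only safe way to take
        # the column from the user is to match it against a fixed list.
        raise ValueError("unknown column: %r" % update_column)
    if column == "LICENSE":
        # Fernet.encrypt returns bytes; store the token as text so the row does
        # not end up holding the "b'...'" repr that str.format would insert.
        set_value = encrypt(set_value.encode("utf-8")).decode("ascii")
    # The identifier was whitelisted above; the value and the ID are bound as
    # parameters, so no manual quoting (and no '?' inside quotes) is needed.
    cur = conn.execute("UPDATE ASSETS SET %s = ? WHERE ID = ?" % column,
                       (set_value, update_index))
    conn.commit()
    return cur.rowcount


def read_column(conn, column, asset_id):
    """Return one whitelisted column of one asset, or None if the row is missing."""
    if column.upper() not in UPDATABLE_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    row = conn.execute("SELECT %s FROM ASSETS WHERE ID = ?" % column.upper(),
                       (asset_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Round-trip a license through the encrypted update with a real Fernet key."""
    from cryptography.fernet import Fernet
    conn = sample_db()
    # Stands in for the key generate_key.py writes to secret.key (assumption).
    fernet = Fernet(Fernet.generate_key())
    changed = update_asset(conn, "license", "xopi08infsdfpoi3409c", 1, fernet.encrypt)
    stored = read_column(conn, "license", 1)
    plaintext = fernet.decrypt(stored.encode("ascii")).decode("utf-8")
    return changed, stored.startswith("gAAAA"), plaintext


if __name__ == "__main__":
    print(demo())
```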

CVE-2021-33430 (Medium) detected in numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

CVE-2021-33430 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /linux/requirements.txt

Path to vulnerable library: /linux/requirements.txt,/windows/requirements.txt

Dependency Hierarchy:

  • pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl (Root Library)
    • numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulnerability; In (very limited) circumstances a user may be able to provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user.
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.21.0 are vulnerable to CVE-2021-33430

Publish Date: 2021-12-17

URL: CVE-2021-33430

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33430

Release Date: 2021-12-17

Fix Resolution (numpy): 1.21.0

Direct dependency fix Resolution (pandas): 0.25.0

Add Env field

Add an env field for where the license/host is deployed.

CVE-2021-41496 (Medium) detected in numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

CVE-2021-41496 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /linux/requirements.txt

Path to vulnerable library: /linux/requirements.txt,/windows/requirements.txt

Dependency Hierarchy:

  • pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl (Root Library)
    • numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Mend Note: After conducting further research, Mend has determined that numpy versions before 1.22.0 are vulnerable to CVE-2021-41496

Publish Date: 2021-12-17

URL: CVE-2021-41496

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2020-36242 (Critical) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2020-36242 - Critical Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-07

Fix Resolution: 3.3.2

CVE-2020-14422 (Medium) detected in ipaddress-1.0.23-py2.py3-none-any.whl

CVE-2020-14422 - Medium Severity Vulnerability

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: /linux/requirements.txt

Path to vulnerable library: /linux/requirements.txt,/windows/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Root Library)
    • ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4,v3.9.0

generate_key.py create new keytab secret.key file

Issue:

Create the secret.key file if it doesn't already exist.

Possible Resolution:

 import base64, os, sys

 key = base64.b64encode(os.urandom(32))  # assumed: same key the Troubleshooting dd|openssl command produces

 # 'ab+' instead of 'wb+': 'wb+' truncates first, so the size check would always see 0
 with open('secret.key', 'ab+') as key_file:
     if os.stat(key_file.fileno()).st_size == 0:  # os.stat() takes a path or fd, not a file object
         key_file.write(key)
     else:
         print('''Key already exists. If you want to generate a new key delete the key in the secret.key file.''')
         sys.exit(0)

CVE-2021-34141 (Medium) detected in numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

CVE-2021-34141 - Medium Severity Vulnerability

Vulnerable Library - numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/3a/5f/47e578b3ae79e2624e205445ab77a1848acdaa2929a00eeef6b16eaaeb20/numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /linux/requirements.txt

Path to vulnerable library: /linux/requirements.txt,/windows/requirements.txt

Dependency Hierarchy:

  • pandas-0.24.2-cp27-cp27mu-manylinux1_x86_64.whl (Root Library)
    • numpy-1.16.6-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution (numpy): 1.22.0

Direct dependency fix Resolution (pandas): 0.25.0

Delete the secret.key file from the repo

Issue:

It's better to have the secret.key file be generated from the generate_key.py file. When cloning secret.key file from github it contains a single bit. That bit throws off the conditional check if os.stat(key_file).st_size == 0:.

Resolution:

Delete secret.key file

Reference Issue #5

CVE-2023-38325 (High) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2023-38325 - High Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Publish Date: 2023-07-14

URL: CVE-2023-38325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325

Release Date: 2023-07-14

Fix Resolution: 41.0.2

CVE-2020-25659 (Medium) detected in cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

CVE-2020-25659 - Medium Severity Vulnerability

Vulnerable Library - cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ed/b8/79858c68bafa7517c20859334ad270fe0c174a65c1ab80a9b8b377e7584b/cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /windows/requirements.txt

Path to vulnerable library: /windows/requirements.txt,/linux/requirements.txt

Dependency Hierarchy:

  • cryptography-3.1.1-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2021-01-11

Fix Resolution: 3.2
