goldenrecursion / goldnlp Goto Github PK

Vulnerable Library - grpcio-1.41.0-cp310-cp310-linux_armv7l.whl

HTTP/2-based RPC framework

Library home page: https://files.pythonhosted.org/packages/ea/0f/d180273caab3e1fea6d369c41694a0902c5b187746611471163a4f86ef21/grpcio-1.41.0-cp310-cp310-linux_armv7l.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-32731

Vulnerable Library - grpcio-1.41.0-cp310-cp310-linux_armv7l.whl

HTTP/2-based RPC framework

Library home page: https://files.pythonhosted.org/packages/ea/0f/d180273caab3e1fea6d369c41694a0902c5b187746611471163a4f86ef21/grpcio-1.41.0-cp310-cp310-linux_armv7l.whl

Dependency Hierarchy:

• ❌ grpcio-1.41.0-cp310-cp310-linux_armv7l.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  grpc/grpc#33005 grpc/grpc#33005

Publish Date: 2023-06-09

URL: CVE-2023-32731

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cfgp-2977-2fmm

Release Date: 2023-06-09

Fix Resolution: grpc- 1.53.0;grpcio- 1.53.0;io.grpc:grpc-protobuf:1.53.0

Vulnerable Library - Pygments-2.13.0-py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/4f/82/672cd382e5b39ab1cd422a672382f08a1fb3d08d9e0c0f3707f33a52063b/Pygments-2.13.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2022-40896

Vulnerable Library - Pygments-2.13.0-py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/4f/82/672cd382e5b39ab1cd422a672382f08a1fb3d08d9e0c0f3707f33a52063b/Pygments-2.13.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ Pygments-2.13.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Publish Date: 2023-07-19

URL: CVE-2022-40896

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/vulnerabilities/CVE-2022-40896/58910/

Release Date: 2023-07-19

Fix Resolution: pygments - 2.15.0

Vulnerable Library - jupyter_server-1.23.0-py3-none-any.whl

=?utf-8?q?The_backend=E2=80=94i=2Ee=2E_core_services=2C_APIs=2C_and_REST_endpoints=E2=80=94to_Jupyter_web_applications=2E?=

Library home page: https://files.pythonhosted.org/packages/f0/e6/db3d6a52475296a3acafd657be7f2e995b1e7d90b280e822d7028519552d/jupyter_server-1.23.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-40170

Vulnerable Library - jupyter_server-1.23.0-py3-none-any.whl

=?utf-8?q?The_backend=E2=80=94i=2Ee=2E_core_services=2C_APIs=2C_and_REST_endpoints=E2=80=94to_Jupyter_web_applications=2E?=

Library home page: https://files.pythonhosted.org/packages/f0/e6/db3d6a52475296a3acafd657be7f2e995b1e7d90b280e822d7028519552d/jupyter_server-1.23.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ jupyter_server-1.23.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

Publish Date: 2023-08-28

URL: CVE-2023-40170

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40170

Release Date: 2023-08-28

Fix Resolution: 2.7.2

CVE-2023-39968

Vulnerable Library - jupyter_server-1.23.0-py3-none-any.whl

=?utf-8?q?The_backend=E2=80=94i=2Ee=2E_core_services=2C_APIs=2C_and_REST_endpoints=E2=80=94to_Jupyter_web_applications=2E?=

Library home page: https://files.pythonhosted.org/packages/f0/e6/db3d6a52475296a3acafd657be7f2e995b1e7d90b280e822d7028519552d/jupyter_server-1.23.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ jupyter_server-1.23.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit 29036259 which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-08-28

URL: CVE-2023-39968

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-39968

Release Date: 2023-08-28

Fix Resolution: 2.7.2

CVE-2023-49080

Vulnerable Library - jupyter_server-1.23.0-py3-none-any.whl

=?utf-8?q?The_backend=E2=80=94i=2Ee=2E_core_services=2C_APIs=2C_and_REST_endpoints=E2=80=94to_Jupyter_web_applications=2E?=

Library home page: https://files.pythonhosted.org/packages/f0/e6/db3d6a52475296a3acafd657be7f2e995b1e7d90b280e822d7028519552d/jupyter_server-1.23.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ jupyter_server-1.23.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit 0056c3aa52 which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-04

URL: CVE-2023-49080

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49080

Release Date: 2023-12-04

Fix Resolution: 2.11.2

Vulnerable Library - pymdown_extensions-9.8-py3-none-any.whl

Extension pack for Python Markdown.

Library home page: https://files.pythonhosted.org/packages/33/85/397e718b306f4a8a8743f31d1c1a79679711d1d52bcd6224dd9ff6d8082c/pymdown_extensions-9.8-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-32309

Vulnerable Library - pymdown_extensions-9.8-py3-none-any.whl

Extension pack for Python Markdown.

Library home page: https://files.pythonhosted.org/packages/33/85/397e718b306f4a8a8743f31d1c1a79679711d1d52bcd6224dd9ff6d8082c/pymdown_extensions-9.8-py3-none-any.whl

Dependency Hierarchy:

• ❌ pymdown_extensions-9.8-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. In affected versions an arbitrary file read is possible when using include file syntax. By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd". Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py. Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users. It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed. This issue has been addressed in version 10.0. Users are advised to upgrade. Users unable to upgrade may restrict relative paths by filtering input.

Publish Date: 2023-05-15

URL: CVE-2023-32309

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-32309

Release Date: 2023-05-15

Fix Resolution: 10.2

Vulnerable Library - numpy-1.21.6-cp310-cp310-macosx_10_9_universal2.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/ff/c6/05ae3c7f75b596e1bb3d78131c331eada9376a03d1af9801bd40e4675023/numpy-1.21.6-cp310-cp310-macosx_10_9_universal2.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2021-34141

Vulnerable Library - numpy-1.21.6-cp310-cp310-macosx_10_9_universal2.whl

NumPy is the fundamental package for array computing with Python.

Library home page: https://files.pythonhosted.org/packages/ff/c6/05ae3c7f75b596e1bb3d78131c331eada9376a03d1af9801bd40e4675023/numpy-1.21.6-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ numpy-1.21.6-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is "completely harmless."
Mend Note: After conducting further research, Mend has determined that versions 1.12.0 through 1.21.6 of numpy are vulnerable to CVE-2021-34141

Publish Date: 2021-12-17

URL: CVE-2021-34141

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141

Release Date: 2021-12-17

Fix Resolution: 1.22.0

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

WS-2022-0437

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Dependency Hierarchy:

• ❌ nltk-3.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

In nltk/nltk, a reflected XSS can be achieved by simply creating a URL, which leads to browser hijacking, and sensitive information loss.

Publish Date: 2022-12-23

URL: WS-2022-0437

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/861a8d11-0fe9-4c2f-9112-af3a9559fa87/

Release Date: 2022-12-23

Fix Resolution: 3.8.1

WS-2022-0438

Vulnerable Library - nltk-3.7-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/43/0b/8298798bc5a9a007b7cae3f846a3d9a325953e0f9c238affa478b4d59324/nltk-3.7-py3-none-any.whl

Dependency Hierarchy:

• ❌ nltk-3.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

In nltk prior to 3.8.1, a user who visits a malicious link with wordnet browser open will execute code on system. This may lead to RCE by inducing user to visit a link.

Publish Date: 2022-12-29

URL: WS-2022-0438

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/cd3957f0-2c9c-416d-bc3a-190a5b7ce4a6/

Release Date: 2022-12-29

Fix Resolution: 3.8.1

Vulnerable Library - urllib3-1.26.12-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6f/de/5be2e3eed8426f871b170663333a0f627fc2924cc386cd41be065e7ea870/urllib3-1.26.12-py2.py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-43804

Vulnerable Library - urllib3-1.26.12-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6f/de/5be2e3eed8426f871b170663333a0f627fc2924cc386cd41be065e7ea870/urllib3-1.26.12-py2.py3-none-any.whl

Dependency Hierarchy:

• ❌ urllib3-1.26.12-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 1.26.17

CVE-2023-45803

Vulnerable Library - urllib3-1.26.12-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6f/de/5be2e3eed8426f871b170663333a0f627fc2924cc386cd41be065e7ea870/urllib3-1.26.12-py2.py3-none-any.whl

Dependency Hierarchy:

• ❌ urllib3-1.26.12-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 1.26.18

Vulnerable Library - torch-1.13.0-cp39-cp39-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/9b/65/9bfeaa7b08a727f07b617c036c4fc52e28e5aef88d890c857c1f33850aa0/torch-1.13.0-cp39-cp39-manylinux1_x86_64.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2022-45907

Vulnerable Library - torch-1.13.0-cp39-cp39-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/9b/65/9bfeaa7b08a727f07b617c036c4fc52e28e5aef88d890c857c1f33850aa0/torch-1.13.0-cp39-cp39-manylinux1_x86_64.whl

Dependency Hierarchy:

• ❌ torch-1.13.0-cp39-cp39-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Publish Date: 2022-11-26

URL: CVE-2022-45907

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45907

Release Date: 2022-11-26

Fix Resolution: torch - 1.13.1

docker-compose.yml

Dockerfile

• nvidia/cuda 11.0.3-devel-ubuntu20.04

.github/workflows/codeql-analysis.yml

• actions/checkout v3
• github/codeql-action v2
• github/codeql-action v2
• github/codeql-action v2

.github/workflows/docker-run.yml

• actions/checkout v3

.github/workflows/pypi_publish.yml

• actions/checkout v2
• actions/setup-python v2
• abatilo/actions-poetry v2.1.3

pyproject.toml

• poetry-core >=1.0.0

pyproject.toml

• python ^3.7.10, <3.11
• wheel ^0.36.2
• jupyterlab ^3.0.0
• ipywidgets ^7.6.3
• spacy ~3.1.0
• blis <=0.7.5
• nltk ^3.6.2
• pandas 1.3.0
• pillow ^8.3.1
• scipy ^1.7.0
• simhash 1.9.0
• langdetect 1.0.7
• Pyphen 0.9.5
• dateparser 1.0.0
• fold-to-ascii 1.0.2.post1
• fastnn ^0.3.0
• uvicorn ^0.14.0
• fastapi ^0.67.0
• numba ^0.55.2
• numpy 1.21.6
• openai ^0.15.0
• tqdm ^4.63.0
• boto3 ^1.21.23
• torch 1.*
• torchvision 0.*
• extruct ^0.13.0
• top2vec ^1.0.24
• gensim ^3.8.3
• boilerpy3 ^1.0.5
• pytidylib ^0.3.2
• mkdocs-material ^8.1.6
• mkdocstrings ^0.17.0
• mkdocs-render-swagger-plugin ^0.0.3
• networkx ^2.6.3
• pytest ^5.2
• flake8 ^3.8.4
• black ^22.1.0
• isort ^5.10.1

Vulnerable Library - requests-2.28.1-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-32681

Vulnerable Library - requests-2.28.1-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/ca/91/6d9b8ccacd0412c08820f72cebaa4f0c0441b5cda699c90f618b6f8a1b42/requests-2.28.1-py3-none-any.whl

Dependency Hierarchy:

• ❌ requests-2.28.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Publish Date: 2023-05-26

URL: CVE-2023-32681

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8r2-6x86-q33q

Release Date: 2023-05-26

Fix Resolution: requests -2.31.0

pyproject.toml

• nltk ^3.6.2
• numpy 1.21.6

Vulnerable Library - jupyterlab-3.5.0-py3-none-any.whl

JupyterLab computational environment

Library home page: https://files.pythonhosted.org/packages/2b/d4/e0627f216bfb451e807cb8c2c8a0fc27e47cc76e483e539e8e213b95518e/jupyterlab-3.5.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2024-22421

Vulnerable Library - jupyterlab-3.5.0-py3-none-any.whl

JupyterLab computational environment

Library home page: https://files.pythonhosted.org/packages/2b/d4/e0627f216bfb451e807cb8c2c8a0fc27e47cc76e483e539e8e213b95518e/jupyterlab-3.5.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ jupyterlab-3.5.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

Publish Date: 2024-01-19

URL: CVE-2024-22421

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22421

Release Date: 2024-01-19

Fix Resolution: 3.6.7

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2022-42969

Vulnerable Library - py-1.11.0-py2.py3-none-any.whl

library with cross-python path, ini-parsing, io, code, log facilities

Library home page: https://files.pythonhosted.org/packages/f6/f0/10642828a8dfb741e5f3fbaac830550a518a775c7fff6f04a007259b0548/py-1.11.0-py2.py3-none-any.whl

Dependency Hierarchy:

• ❌ py-1.11.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

Publish Date: 2022-10-16

URL: CVE-2022-42969

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - fonttools-4.38.0-py3-none-any.whl

Tools to manipulate font files

Library home page: https://files.pythonhosted.org/packages/e3/d9/e9bae85e84737e76ebbcbea13607236da0c0699baed0ae4f1151b728a608/fonttools-4.38.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-45139

Vulnerable Library - fonttools-4.38.0-py3-none-any.whl

Tools to manipulate font files

Library home page: https://files.pythonhosted.org/packages/e3/d9/e9bae85e84737e76ebbcbea13607236da0c0699baed0ae4f1151b728a608/fonttools-4.38.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ fonttools-4.38.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Publish Date: 2024-01-10

URL: CVE-2023-45139

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6673-4983-2vx5

Release Date: 2024-01-10

Fix Resolution: 4.43.0

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-37920

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Dependency Hierarchy:

• ❌ certifi-2022.9.24-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution: 2023.7.22

CVE-2022-23491

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Dependency Hierarchy:

• ❌ certifi-2022.9.24-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: 2022.12.7

Vulnerable Library - pyRdfa3-3.5.3-py3-none-any.whl

pyRdfa Libray

Library home page: https://files.pythonhosted.org/packages/01/40/8727792baf872086867db42eedf399734b9dd2800202c9a2727dc075301b/pyRdfa3-3.5.3-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2022-4396

Vulnerable Library - pyRdfa3-3.5.3-py3-none-any.whl

pyRdfa Libray

Library home page: https://files.pythonhosted.org/packages/01/40/8727792baf872086867db42eedf399734b9dd2800202c9a2727dc075301b/pyRdfa3-3.5.3-py3-none-any.whl

Dependency Hierarchy:

• ❌ pyRdfa3-3.5.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/init.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2022-12-10

URL: CVE-2022-4396

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Vulnerable Library - starlette-0.14.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

WS-2023-0037

Vulnerable Library - starlette-0.14.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

A Denial of Service (DoS) vulnerability was discovered in starlette prior to 0.25.0. The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.

Publish Date: 2023-02-14

URL: WS-2023-0037

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-74m5-2c7w-9w3x

Release Date: 2023-02-14

Fix Resolution: 0.26.0

CVE-2023-29159

Vulnerable Library - starlette-0.14.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Publish Date: 2023-06-01

URL: CVE-2023-29159

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v5gw-mw7f-84px

Release Date: 2023-06-01

Fix Resolution: 0.28.0

CVE-2023-30798

Vulnerable Library - starlette-0.14.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Publish Date: 2023-04-21

URL: CVE-2023-30798

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30798

Release Date: 2023-04-21

Fix Resolution: 0.26.0

WS-2023-0138

Vulnerable Library - starlette-0.14.2-py3-none-any.whl

The little ASGI library that shines.

Library home page: https://files.pythonhosted.org/packages/15/34/db1890f442a1cd3a2c761f4109a0eb4e63503218d70a8c8e97faa09a5500/starlette-0.14.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ starlette-0.14.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

starlette before 0.27.0 is vulnerable to Path Traversal. When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is als. which vulnerability.

Publish Date: 2023-05-16

URL: WS-2023-0138

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v5gw-mw7f-84px

Release Date: 2023-05-16

Fix Resolution: 0.28.0

Vulnerable Library - gevent-22.10.2.tar.gz

Coroutine-based network library

Library home page: https://files.pythonhosted.org/packages/9f/4a/e9e57cb9495f0c7943b1d5965c4bdd0d78bc4a433a7c96ee034b16c01520/gevent-22.10.2.tar.gz

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-41419

Vulnerable Library - gevent-22.10.2.tar.gz

Coroutine-based network library

Library home page: https://files.pythonhosted.org/packages/9f/4a/e9e57cb9495f0c7943b1d5965c4bdd0d78bc4a433a7c96ee034b16c01520/gevent-22.10.2.tar.gz

Dependency Hierarchy:

• ❌ gevent-22.10.2.tar.gz (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

Publish Date: 2023-09-25

URL: CVE-2023-41419

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-09-25

Fix Resolution: 23.9.0

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-24816

Vulnerable Library - ipython-7.34.0-py3-none-any.whl

IPython: Productive Interactive Computing

Library home page: https://files.pythonhosted.org/packages/7c/6a/1f1365f4bf9fcb349fcaa5b61edfcefa721aa13ff37c5631296b12fab8e5/ipython-7.34.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ ipython-7.34.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are done with trusted or filtered input.

Publish Date: 2023-02-10

URL: CVE-2023-24816

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816

Release Date: 2023-02-10

Fix Resolution: 8.10.0

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2022-22817

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2022-24303

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Publish Date: 2022-03-28

URL: CVE-2022-24303

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j59-75qj-795w

Release Date: 2022-03-28

Fix Resolution: Pillow - 9.0.1

CVE-2023-50447

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Publish Date: 2024-01-19

URL: CVE-2023-50447

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1

Release Date: 2024-01-19

Fix Resolution: pillow - 10.2.0

CVE-2023-44271

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

WS-2022-0097

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

CVE-2022-45198

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

CVE-2022-45199

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

CVE-2022-22815

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2022-22816

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

• ❌ Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Vulnerable Library - transformers-4.24.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a4/df/3248eac2923ceffdf55686ff318e002b558e7c51f6a909dd870cf3185949/transformers-4.24.0-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-6730

Vulnerable Library - transformers-4.24.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a4/df/3248eac2923ceffdf55686ff318e002b558e7c51f6a909dd870cf3185949/transformers-4.24.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ transformers-4.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-19

URL: CVE-2023-6730

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16/

Release Date: 2023-12-19

Fix Resolution: 4.36.0

CVE-2023-7018

Vulnerable Library - transformers-4.24.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a4/df/3248eac2923ceffdf55686ff318e002b558e7c51f6a909dd870cf3185949/transformers-4.24.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ transformers-4.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Publish Date: 2023-12-20

URL: CVE-2023-7018

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-7018

Release Date: 2023-12-20

Fix Resolution: 4.36.0

CVE-2023-2800

Vulnerable Library - transformers-4.24.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a4/df/3248eac2923ceffdf55686ff318e002b558e7c51f6a909dd870cf3185949/transformers-4.24.0-py3-none-any.whl

Dependency Hierarchy:

• ❌ transformers-4.24.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Publish Date: 2023-05-18

URL: CVE-2023-2800

CVSS 3 Score Details (4.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a/

Release Date: 2023-05-18

Fix Resolution: 4.30.1

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2024-22195

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11

URL: CVE-2024-22195

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c8-rqwp-cp95

Release Date: 2024-01-11

Fix Resolution: jinja2 - 3.1.3

Vulnerable Library - tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/fb/bd/074254a55bfc82d7a1886abbd803600ef01cbd76ee66bc30307b2724130b/tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-28370

Vulnerable Library - tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/fb/bd/074254a55bfc82d7a1886abbd803600ef01cbd76ee66bc30307b2724130b/tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

Publish Date: 2023-05-25

URL: CVE-2023-28370

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-05-25

Fix Resolution: 6.3.2

WS-2023-0296

Vulnerable Library - tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Library home page: https://files.pythonhosted.org/packages/fb/bd/074254a55bfc82d7a1886abbd803600ef01cbd76ee66bc30307b2724130b/tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ tornado-6.2-cp37-abi3-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Tornado vulnerable to HTTP request smuggling via improper parsing of Content-Length fields and chunk lengths

Publish Date: 2023-08-15

URL: WS-2023-0296

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-qppv-j76h-2rpx

Release Date: 2023-08-15

Fix Resolution: 6.3.3

Vulnerable Library - aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/80/90/e7d60427dfa15b0f3748d6fbb50cc6b0f29112f4f04d8354ac02f65683e1/aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

CVE-2023-37276

Vulnerable Library - aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/80/90/e7d60427dfa15b0f3748d6fbb50cc6b0f29112f4f04d8354ac02f65683e1/aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

Publish Date: 2023-07-19

URL: CVE-2023-37276

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-45c4-8wx5-qw6w

Release Date: 2023-07-19

Fix Resolution: 3.8.5

CVE-2023-47627

Vulnerable Library - aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/80/90/e7d60427dfa15b0f3748d6fbb50cc6b0f29112f4f04d8354ac02f65683e1/aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit d5c12ba89 which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

Publish Date: 2023-11-14

URL: CVE-2023-47627

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gfw2-4jvh-wgfg

Release Date: 2023-11-14

Fix Resolution: 3.8.6

CVE-2023-49082

Vulnerable Library - aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/80/90/e7d60427dfa15b0f3748d6fbb50cc6b0f29112f4f04d8354ac02f65683e1/aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Publish Date: 2023-11-29

URL: CVE-2023-49082

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-qvrw-v9rv-5rjx

Release Date: 2023-11-29

Fix Resolution: 3.9.0

CVE-2023-49081

Vulnerable Library - aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Async http client/server framework (asyncio)

Library home page: https://files.pythonhosted.org/packages/80/90/e7d60427dfa15b0f3748d6fbb50cc6b0f29112f4f04d8354ac02f65683e1/aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl

Dependency Hierarchy:

• ❌ aiohttp-3.8.3-cp310-cp310-macosx_10_9_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

Publish Date: 2023-11-30

URL: CVE-2023-49081

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3qx-c6g2-7pw2

Release Date: 2023-11-30

Fix Resolution: 3.9.0