
vonage-python-code-snippets's Introduction

Vonage Code Snippets for Python


Nexmo is now known as Vonage

Code snippets also available for: Java, .NET, Node.js, PHP, Ruby, Curl, Go and Android

The purpose of the Code Snippets is to provide simple examples focused on one goal. For example, sending an SMS, handling an incoming SMS webhook, or making a Text to Speech call.

Setup

These code samples are meant to be used for https://developer.vonage.com/, and are structured in such a way as to be used for internal testing. Developers are free to use these code snippets as a reference, but these may require changes to be worked into your specific application. We recommend checking out the Vonage Developer Website, which displays these code snippets in a more copy/paste fashion.

To use the examples, you will first need a Vonage account. Then rename the .env.dist file to .env and set the values as required.

For some of the examples you will need to buy a number.

Running the Examples

If you would like to run these examples yourself, you will need to do the following:

All the examples run from a Flask server.

Install any dependencies:

pip install -r requirements.txt

Run the server:

python server.py

Navigate to the appropriate route defined in server.py to execute the example.

Request an Example

Please raise an issue to request an example that isn't present within the quickstart. Pull requests will be gratefully received.

License

MIT

vonage-python-code-snippets's People

Contributors

aaronbassett, abdulajet, adambutler, afolson, alenros, alphacentauri82, arshadkazmi42, atievewadhwa, codeeachday, darshkpatel, dependabot[bot], dragonmantank, edent, hrithiksahu, judy2k, leggetter, lornajane, marrold, maxkahan, maxmarzolf, mend-for-github-com[bot], mheap, sdushantha, slorello89, superchilled, superdiana, tbedford, tommorris, vibhu-agarwal, vibhuti1402agg


vonage-python-code-snippets's Issues

Flask-2.2.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-30861 | High | 7.5 | Flask-2.2.2-py3-none-any.whl | Direct | 2.3.2 | |

Details

CVE-2023-30861

Vulnerable Library - Flask-2.2.2-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • Flask-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
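The fix on the application side is condition 5 of the list above: make sure a response that carries a cookie is never cacheable for other clients. The following is an added example, not code from the vonage-python-code-snippets repository or from Flask: a standard-library WSGI middleware that appends `Vary: Cookie` and a `private, no-store` Cache-Control to any response that sets a cookie, merging with an existing `Vary` header where one is present. The sample applications, request helper and cookie values are constructed for the demonstration; with Flask you would wrap `app.wsgi_app` with it.

```python
# Added example (not the repository's or Flask's code): a stdlib-only WSGI
# middleware applying the mitigation from condition 5 above. Any response that
# carries Set-Cookie is marked "Vary: Cookie" and "Cache-Control: private,
# no-store", so a caching proxy cannot replay one client's session cookie to
# another. Sample apps, cookie values and the request helper are constructed.

from wsgiref.util import setup_testing_defaults


class CookieCacheGuard:
    """Wrap a WSGI application and mark cookie-bearing responses uncacheable."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            return start_response(status, self.harden(headers), exc_info)

        return self.app(environ, guarded_start_response)

    @staticmethod
    def harden(headers):
        """Return a new header list; unchanged unless Set-Cookie is present."""
        headers = list(headers)
        if not any(name.lower() == "set-cookie" for name, _ in headers):
            return headers
        out = []
        saw_vary = saw_cache_control = False
        for name, value in headers:
            lname = name.lower()
            if lname == "vary":
                saw_vary = True
                tokens = [t.strip() for t in value.split(",") if t.strip()]
                if not any(t.lower() == "cookie" for t in tokens):
                    tokens.append("Cookie")
                value = ", ".join(tokens)
            elif lname == "cache-control":
                saw_cache_control = True
                # An explicit private/no-store directive from the app is kept;
                # anything weaker is replaced so a shared cache cannot store it.
                directives = {d.strip().lower() for d in value.split(",")}
                if not directives & {"private", "no-store"}:
                    value = "private, no-store"
            out.append((name, value))
        if not saw_vary:
            out.append(("Vary", "Cookie"))
        if not saw_cache_control:
            out.append(("Cache-Control", "private, no-store"))
        return out


def session_refresh_app(environ, start_response):
    """Constructed sample: re-sends a session cookie without touching the session."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Vary", "Accept-Encoding"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ])
    return [b"hello\n"]


def plain_app(environ, start_response):
    """Constructed sample: no cookie, so headers must pass through untouched."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"public\n"]


def run_request(app, path="/"):
    """Drive one request through a WSGI app offline.

    Returns (status, headers as a dict, body). One value per header name is
    enough for this demonstration.
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, hdrs, _ = run_request(CookieCacheGuard(session_refresh_app))
    print(hdrs)
```

The middleware only touches responses that actually set a cookie, so public, cookie-less pages stay cacheable; upgrading Flask remains the real fix, since the upstream patch sends `Vary: Cookie` on the refresh path itself.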

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: 2.3.2

⛑️ Automatic Remediation is available for this issue

authentication error

This one works fine:
```python
client.send_message({
    'from': 'xxxxxx',
    'to': 'xxxxxx',
    'text': 'A text message sent using the Nexmo SMS API',
})
```

But when I was trying to run client.get_calls(), I got an authentication error.

urllib3-1.26.3-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/Pipfile

Path to vulnerable library: /sms/verify-signed-sms/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-33503 | High | 7.5 | urllib3-1.26.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | |
| CVE-2021-28363 | Medium | 6.5 | urllib3-1.26.3-py2.py3-none-any.whl | Direct | 1.26.4 | |

Details

CVE-2021-33503

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/Pipfile

Path to vulnerable library: /sms/verify-signed-sms/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

⛑️ Automatic Remediation is available for this issue

CVE-2021-28363

Vulnerable Library - urllib3-1.26.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/Pipfile

Path to vulnerable library: /sms/verify-signed-sms/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

Publish Date: 2021-03-15

URL: CVE-2021-28363

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5phf-pp7p-vc2r

Release Date: 2021-03-15

Fix Resolution: 1.26.4

⛑️ Automatic Remediation is available for this issue

future-0.18.2.tar.gz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - future-0.18.2.tar.gz

Clean single-source support for Python 3 and 2

Library home page: https://files.pythonhosted.org/packages/45/0b/38b06fd9b92dc2b68d58b75f900e97884c45bedd2ff83203d933cf5851c9/future-0.18.2.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (future version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-40899 | High | 7.5 | future-0.18.2.tar.gz | Direct | N/A | |

Details

CVE-2022-40899

Vulnerable Library - future-0.18.2.tar.gz

Clean single-source support for Python 3 and 2

Library home page: https://files.pythonhosted.org/packages/45/0b/38b06fd9b92dc2b68d58b75f900e97884c45bedd2ff83203d933cf5851c9/future-0.18.2.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • future-0.18.2.tar.gz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

Publish Date: 2022-12-23

URL: CVE-2022-40899

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


PyJWT-2.0.1-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - PyJWT-2.0.1-py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/b4/9b/8850f99027ed029af6828199cc87179eaccbbf1f9e6e373e7f0177d32dad/PyJWT-2.0.1-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/requirements.txt

Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/jwt/decode-jwt/Pipfile

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-29217 | High | 7.5 | PyJWT-2.0.1-py3-none-any.whl | Direct | PyJWT - 2.4.0 | |

Details

CVE-2022-29217

Vulnerable Library - PyJWT-2.0.1-py3-none-any.whl

JSON Web Token implementation in Python

Library home page: https://files.pythonhosted.org/packages/b4/9b/8850f99027ed029af6828199cc87179eaccbbf1f9e6e373e7f0177d32dad/PyJWT-2.0.1-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/requirements.txt

Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/jwt/decode-jwt/Pipfile

Dependency Hierarchy:

  • PyJWT-2.0.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
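The workaround in the advisory text, "always be explicit with the algorithms that are accepted and expected when decoding", is a property of the verifier, not of any one library. The following is an added example, not code from the repository or from PyJWT: a small standard-library JWT verifier for the HMAC algorithms only, whose `decode_jwt` has no default algorithm list. The header's `alg` is checked against the caller's allow-list before the signature is examined, so a token asking for an algorithm the application did not name (including an unsigned `none` token) is refused. The key, claims and helper names are constructed for the demonstration.

```python
# Added example, not the repository's or PyJWT's code: a stdlib-only verifier
# for HS256/HS384/HS512 tokens. The point is the allow-list: the caller must
# name the accepted algorithms and the token never gets to choose. Key and
# claims below are constructed.

import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised for any token that must not be trusted."""


_HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_jwt(payload: dict, key: bytes, algorithm: str = "HS256") -> str:
    """Issue an HMAC-signed token (used here only to build test inputs)."""
    signing_input = f"{_segment({'alg': algorithm, 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), _HMAC_DIGESTS[algorithm]).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_jwt(token: str, key: bytes, algorithms: list) -> dict:
    """Verify `token` and return its claims.

    `algorithms` is required and is an allow-list: the header's `alg` must be
    one of these names. There is deliberately no default, so a caller cannot
    accidentally accept every algorithm the verifier knows about.
    """
    if not algorithms:
        raise InvalidToken("caller must name the accepted algorithms")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Allow-list check first: the token does not get to pick the algorithm.
    if alg not in algorithms:
        raise InvalidToken(f"algorithm {alg!r} is not in the allow-list")
    if alg not in _HMAC_DIGESTS:
        raise InvalidToken(f"algorithm {alg!r} is not implemented by this verifier")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        _HMAC_DIGESTS[alg]).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed signature") from exc
    if not hmac.compare_digest(expected, actual):
        raise InvalidToken("signature does not verify")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    return claims


def verifies(token: str, key: bytes, algorithms: list) -> bool:
    """True if decode_jwt accepts the token, False if it raises InvalidToken."""
    try:
        decode_jwt(token, key, algorithms)
        return True
    except InvalidToken:
        return False


def unsigned_token(payload: dict) -> str:
    """Constructed negative-test input: header says alg=none, empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


if __name__ == "__main__":
    demo_key = b"constructed-demo-secret"
    tok = encode_jwt({"sub": "alice"}, demo_key)
    print(decode_jwt(tok, demo_key, ["HS256"]))
```

The same discipline applies when using PyJWT itself: pass a short, explicit `algorithms=[...]` list matching the key type you hold, and never `jwt.algorithms.get_default_algorithms()`, regardless of the library version.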

Publish Date: 2022-05-24

URL: CVE-2022-29217

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217

Release Date: 2022-05-24

Fix Resolution: PyJWT - 2.4.0

⛑️ Automatic Remediation is available for this issue

ecdsa-0.18.0-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.4)

Vulnerable Library - ecdsa-0.18.0-py2.py3-none-any.whl

ECDSA cryptographic signature library (pure python)

Library home page: https://files.pythonhosted.org/packages/09/d4/4f05f5d16a4863b30ba96c23b23e942da8889abfa1cdbabf2a0df12a4532/ecdsa-0.18.0-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (ecdsa version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-23342 | High | 7.4 | Not Defined | 0.1% | ecdsa-0.18.0-py2.py3-none-any.whl | Direct | N/A | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23342

Vulnerable Library - ecdsa-0.18.0-py2.py3-none-any.whl

ECDSA cryptographic signature library (pure python)

Library home page: https://files.pythonhosted.org/packages/09/d4/4f05f5d16a4863b30ba96c23b23e942da8889abfa1cdbabf2a0df12a4532/ecdsa-0.18.0-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • ecdsa-0.18.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Publish Date: 2024-01-23

URL: CVE-2024-23342

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


How to Verify 2FA code from my bank using my Vonage Virtual mobile number

My Vonage virtual phone number can receive SMS text messages from my phone number.
(I receive it at the AWS API Gateway endpoint: https://MY-END-POINT.execute-api.us-east-1.amazonaws.com/v1/PROXY)
(Please note: PROXY can receive anything after v1/, e.g. webhooks/inbound-message or webhooks/inbound-sms.)
I want to receive the bank's 2FA verification code at my AWS API Gateway endpoint.
HOW CAN I RECEIVE THE BANK 2FA VERIFICATION CODE sent from my bank to MY Vonage virtual mobile number, and then how can I redirect it to my AWS Gateway endpoint?

.env files aren't .env files!

The way we load .env files requires them to be valid python code, instead of valid .env files. Although there is an overlap in compatibility, these are not the same and so something like python-dotenv should be used for parsing this instead.

urllib3-1.24.3-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | |
| CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Direct | 1.25.9 | |

Details

CVE-2021-33503

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

⛑️ Automatic Remediation is available for this issue

CVE-2020-26137

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

⛑️ Automatic Remediation is available for this issue

cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/55/ba/2268399be15f1542a3bacf6e60fdaf4fea0b18e5190e87b97075e03cb155/cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2022-0365 | High | 9.8 | cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl | Direct | cryptography - 38.0.3 | |

Details

WS-2022-0365

Vulnerable Library - cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/55/ba/2268399be15f1542a3bacf6e60fdaf4fea0b18e5190e87b97075e03cb155/cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile

Dependency Hierarchy:

  • cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Publish Date: 2022-11-02

URL: WS-2022-0365

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-39hc-v87j-747x

Release Date: 2022-11-02

Fix Resolution: cryptography - 38.0.3

⛑️ Automatic Remediation is available for this issue

Voice Api Calling Error : Exception has occurred: TypeError Expecting a PEM-formatted key.

```python
import os
from os.path import join, dirname
from pprint import pprint
import vonage  # bind the module name; "from vonage import *" does not define "vonage"
from dotenv import load_dotenv

# __file__ is the running script's path (the underscores were lost in the original post)
dotenv_path = join(dirname(__file__), "../.env")
load_dotenv(dotenv_path)

VONAGE_APPLICATION_ID = os.environ.get("VONAGE_APPLICATION_ID")
VONAGE_APPLICATION_PRIVATE_KEY_PATH = os.environ.get("VONAGE_APPLICATION_PRIVATE_KEY_PATH")
VONAGE_NUMBER = os.environ.get("VONAGE_NUMBER")
TO_NUMBER = os.environ.get("TO_NUMBER")

client = vonage.Client(
    application_id=VONAGE_APPLICATION_ID,
    private_key=VONAGE_APPLICATION_PRIVATE_KEY_PATH,
)

voice = vonage.Voice(client)

response = voice.create_call({
    'to': [{'type': 'phone', 'number': TO_NUMBER}],
    'from': {'type': 'phone', 'number': VONAGE_NUMBER},
    'ncco': [{'action': 'talk', 'text': 'This is a text to speech call from Nexmo'}]
})

pprint(response)
```

The error I'm receiving when running this code is:

```text
Exception has occurred: TypeError
Expecting a PEM-formatted key.
File "C:\Users\mikea\Desktop\deleted\lil test\vonage-calls.py", line 25, in
'ncco': [{'action': 'talk', 'text': 'This is a text to speech call from Nexmo'}]
```

Flask-1.0-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - Flask-1.0-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/Pipfile

Path to vulnerable library: /number-insight/async-callback/Pipfile

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-25577 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2023-23934 | Low | 3.5 | detected in multiple dependencies | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-25577

Vulnerable Libraries - Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile

Dependency Hierarchy:

  • Flask-1.0-py2.py3-none-any.whl (Root Library)
    • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/Pipfile

Path to vulnerable library: /number-insight/async-callback/Pipfile

Dependency Hierarchy:

  • Flask-1.0-py2.py3-none-any.whl (Root Library)
    • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

CVE-2023-23934

Vulnerable Libraries - Werkzeug-2.2.2-py3-none-any.whl, Werkzeug-1.0.1-py2.py3-none-any.whl

Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile

Dependency Hierarchy:

  • Flask-1.0-py2.py3-none-any.whl (Root Library)
    • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/Pipfile

Path to vulnerable library: /number-insight/async-callback/Pipfile

Dependency Hierarchy:

  • Flask-1.0-py2.py3-none-any.whl (Root Library)
    • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

requests-2.20.0-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - requests-2.20.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | |
| CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2021-33503

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.20.0-py2.py3-none-any.whl (Root Library)
    • urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

CVE-2020-26137

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • requests-2.20.0-py2.py3-none-any.whl (Root Library)
    • urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

python_jose-3.3.0-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.7)

Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (python_jose version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-33664 | High | 7.7 | Not Defined | 0.0% | python_jose-3.3.0-py2.py3-none-any.whl | Direct | N/A | | |
| CVE-2024-33663 | High | 7.5 | Not Defined | 0.0% | python_jose-3.3.0-py2.py3-none-any.whl | Direct | N/A | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-33664

Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • python_jose-3.3.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

Publish Date: 2024-04-25

URL: CVE-2024-33664

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2024-33663

Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • python_jose-3.3.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

Publish Date: 2024-04-25

URL: CVE-2024-33663

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


python-jose-1.2.0.tar.gz: 1 vulnerability (highest severity is: 9.8) - autoclosed

Vulnerable Library - python-jose-1.2.0.tar.gz

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/0e/b9/dc9653c51922f4a030e227f456b8ee63565c8005b8d1fbfa2a2500c6ccd7/python-jose-1.2.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-7036 | High | 9.8 | python-jose-1.2.0.tar.gz | Direct | 1.3.2 | |

Details

CVE-2016-7036

Vulnerable Library - python-jose-1.2.0.tar.gz

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/0e/b9/dc9653c51922f4a030e227f456b8ee63565c8005b8d1fbfa2a2500c6ccd7/python-jose-1.2.0.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • python-jose-1.2.0.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.

Publish Date: 2017-01-23

URL: CVE-2016-7036

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7036

Release Date: 2017-01-23

Fix Resolution: 1.3.2

⛑️ Automatic Remediation is available for this issue


cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/92/b6/22b9b21fecfb03a90ce9393053f054b2742b00e704c20a595cf4c15f975e/cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/jwt/decode-jwt/requirements.txt

Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-38325 | High | 7.5 | cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | cryptography - 41.0.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-38325

Vulnerable Library - cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/92/b6/22b9b21fecfb03a90ce9393053f054b2742b00e704c20a595cf4c15f975e/cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/jwt/decode-jwt/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf

Found in base branch: main

Vulnerability Details

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Publish Date: 2023-07-14

URL: CVE-2023-38325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325

Release Date: 2023-07-14

Fix Resolution: cryptography - 41.0.2

⛑️ Automatic Remediation will be attempted for this issue.


Werkzeug-2.2.3-py3-none-any.whl: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/number-insight/async-callback/Pipfile

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Werkzeug version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-46136 | High | 7.5 | Not Defined | 0.1% | Werkzeug-2.2.3-py3-none-any.whl | Direct | werkzeug - 2.3.8,3.0.1 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-46136

Vulnerable Library - Werkzeug-2.2.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/number-insight/async-callback/Pipfile

Dependency Hierarchy:

  • Werkzeug-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Publish Date: 2023-10-25

URL: CVE-2023-46136

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hrfv-mqp8-q5rw

Release Date: 2023-10-25

Fix Resolution: werkzeug - 2.3.8,3.0.1

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (cryptography version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-26130 | High | 7.5 | Not Defined | 0.0% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.4 | | |
| CVE-2023-50782 | High | 7.5 | Not Defined | 0.1% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.0 | | |
| CVE-2023-49083 | High | 7.5 | Not Defined | 0.1% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 41.0.6 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-26130

Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

Publish Date: 2024-02-21

URL: CVE-2024-26130

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-6vqw-3v5j-54x4

Release Date: 2024-02-21

Fix Resolution: 42.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-50782

Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-49083

Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: 41.0.6

⛑️ Automatic Remediation will be attempted for this issue.


urllib3-1.26.5-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.1) - autoclosed

Vulnerable Library - urllib3-1.26.5-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-43804 | High | 8.1 | urllib3-1.26.5-py2.py3-none-any.whl | Direct | 1.26.17 | |
| CVE-2023-45803 | Medium | 4.2 | urllib3-1.26.5-py2.py3-none-any.whl | Direct | 2.0.7 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-43804

Vulnerable Library - urllib3-1.26.5-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.5-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Publish Date: 2023-10-04

URL: CVE-2023-43804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804

Release Date: 2023-10-04

Fix Resolution: 1.26.17

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45803

Vulnerable Library - urllib3-1.26.5-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • urllib3-1.26.5-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 caused the request to have its method changed from one that could accept a request body (like POST) to GET, as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case, then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable automatic redirects for services that aren't expecting to respond with redirects (redirects=False) and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Publish Date: 2023-10-17

URL: CVE-2023-45803

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-g4mx-q9vg-27p4

Release Date: 2023-10-17

Fix Resolution: 2.0.7

⛑️ Automatic Remediation will be attempted for this issue.


How to know that audio has finished playing when using send_audio

I have the following sequence:

  • Caller calls a number (inbound call)
  • It is answered
  • We have another API from which we get the text, convert it to speech and then give that audio to play in the call using client.send_audio
  • So our API may send an End call command and a sentence, so if I receive that I need to first play the audio (converted from that sentence (text) to speech and given to client.send_audio) and then end the call (hangup)
  • So in the above, how can we know that the audio has finished playing so that I can then end the call? Currently what happens is that I do get a response from play_audio saying the stream started, but I don't have any status for whether the audio has finished playing

Following is my piece of code:

import os
import time

# api_response and client are set up elsewhere in the poster's code
# (api_response is the parsed reply from their own API, client is the Vonage client).

def on_final_result(self, text):
    if len(api_response["data"]["system_output"]) > 0:
        text_to_speech = api_response["data"]["system_output"]  # Receive sentence to speak from my api
        file_url = self.pollyaudio(text_to_speech)  # this will convert text to speech using polly
        response = client.send_audio(os.environ['uuid'], stream_url=[file_url])
        if response is not None:
            time.sleep(10)  # i am trying this but it is not working as expected

    command = api_response["data"]["commands"][0]
    # End of call command
    if command is not None and command['name'] == 'EOC':
        client.update_call(os.environ['uuid'], action='hangup')

pycrypto-2.6.1.tar.gz: 2 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - pycrypto-2.6.1.tar.gz

Cryptographic modules for Python.

Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (pycrypto version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2013-7459 | High | 9.8 | pycrypto-2.6.1.tar.gz | Direct | python2-crypto - 2.6.1-5;python-crypto - 2.6.1-5 | |
| CVE-2018-6594 | High | 7.5 | pycrypto-2.6.1.tar.gz | Direct | python-crypto - 2.6.1-9 | |

Details

CVE-2013-7459

Vulnerable Library - pycrypto-2.6.1.tar.gz

Cryptographic modules for Python.

Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • pycrypto-2.6.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: main

Vulnerability Details

Heap-based buffer overflow in the ALGnew function in block_template.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code, as demonstrated by a crafted iv parameter to cryptmsg.py.

Publish Date: 2017-02-15

URL: CVE-2013-7459

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7459

Release Date: 2017-02-15

Fix Resolution: python2-crypto - 2.6.1-5;python-crypto - 2.6.1-5

⛑️ Automatic Remediation is available for this issue

CVE-2018-6594

Vulnerable Library - pycrypto-2.6.1.tar.gz

Cryptographic modules for Python.

Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • pycrypto-2.6.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: main

Vulnerability Details

lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.

Publish Date: 2018-02-03

URL: CVE-2018-6594

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-6594

Release Date: 2018-02-03

Fix Resolution: python-crypto - 2.6.1-9

⛑️ Automatic Remediation is available for this issue

Jinja2-3.1.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Vulnerabilities

CVE            | Severity | CVSS | Exploit Maturity | EPSS | Dependency                    | Type   | Fixed in (Jinja2 version) | Remediation Possible** | Reachability
CVE-2024-22195 | Medium   | 6.1  | Not Defined      | 0.1% | Jinja2-3.1.2-py3-none-any.whl | Direct | jinja2 - 3.1.3            |                        |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-22195

Vulnerable Library - Jinja2-3.1.2-py3-none-any.whl

A very fast and expressive template engine.

Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • Jinja2-3.1.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja xmlattr filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Publish Date: 2024-01-11

URL: CVE-2024-22195

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c8-rqwp-cp95

Release Date: 2024-01-11

Fix Resolution: jinja2 - 3.1.3

⛑️ Automatic Remediation will be attempted for this issue.

certifi-2022.9.24-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

CVE            | Severity | CVSS | Dependency                         | Type   | Fixed in (certifi version) | Remediation Available
CVE-2022-23491 | High     | 7.5  | certifi-2022.9.24-py3-none-any.whl | Direct | certifi - 2022.12.07       |

Details

CVE-2022-23491

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • certifi-2022.9.24-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution: certifi - 2022.12.07

⛑️ Automatic Remediation is available for this issue

cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/85/62/48bcebd955945d8da3fe9b84a679dbf4bf179e1ac36e583b7eaa47506758/cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt

Vulnerabilities

CVE            | Severity | CVSS | Dependency                                              | Type   | Fixed in (cryptography version) | Remediation Possible**
CVE-2024-26130 | High     | 7.5  | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | cryptography - 42.0.4           |
CVE-2023-50782 | High     | 7.5  | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.0                          |
CVE-2023-49083 | High     | 7.5  | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 41.0.6                          |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-26130

Vulnerable Library - cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/85/62/48bcebd955945d8da3fe9b84a679dbf4bf179e1ac36e583b7eaa47506758/cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

Publish Date: 2024-02-21

URL: CVE-2024-26130

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vqw-3v5j-54x4

Release Date: 2024-02-21

Fix Resolution: cryptography - 42.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-50782

Vulnerable Library - cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/85/62/48bcebd955945d8da3fe9b84a679dbf4bf179e1ac36e583b7eaa47506758/cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-49083

Vulnerable Library - cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/85/62/48bcebd955945d8da3fe9b84a679dbf4bf179e1ac36e583b7eaa47506758/cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt

Dependency Hierarchy:

  • cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: 41.0.6

⛑️ Automatic Remediation will be attempted for this issue.

Coherent approach to running the examples

I'm not sure running, say, number-insight from a webpage via the browser makes much sense. Maybe a single command-line endpoint for running the samples?

Needs some thought.

certifi-2022.12.7-py3-none-any.whl: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - certifi-2022.12.7-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf

Vulnerabilities

CVE            | Severity | CVSS | Dependency                         | Type   | Fixed in (certifi version) | Remediation Possible**
CVE-2023-37920 | Critical | 9.8  | certifi-2022.12.7-py3-none-any.whl | Direct | certifi - 2023.7.22        |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-37920

Vulnerable Library - certifi-2022.12.7-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • certifi-2022.12.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution: certifi - 2023.7.22

⛑️ Automatic Remediation will be attempted for this issue.

Werkzeug-1.0.1-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/requirements.txt

Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile

Vulnerabilities

CVE            | Severity | CVSS | Dependency                          | Type   | Fixed in (Werkzeug version) | Remediation Available
CVE-2023-25577 | High     | 7.5  | Werkzeug-1.0.1-py2.py3-none-any.whl | Direct | Werkzeug - 2.2.3            |
CVE-2023-23934 | Low      | 3.5  | Werkzeug-1.0.1-py2.py3-none-any.whl | Direct | Werkzeug - 2.2.3            |

Details

CVE-2023-25577

Vulnerable Library - Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/requirements.txt

Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile

Dependency Hierarchy:

  • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

⛑️ Automatic Remediation is available for this issue

CVE-2023-23934

Vulnerable Library - Werkzeug-1.0.1-py2.py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl

Path to dependency file: /number-insight/async-callback/requirements.txt

Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile

Dependency Hierarchy:

  • Werkzeug-1.0.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

⛑️ Automatic Remediation is available for this issue

Flask-2.2.3-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Flask-2.2.3-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/95/9c/a3542594ce4973786236a1b7b702b8ca81dbf40ea270f0f96284f0c27348/Flask-2.2.3-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/requirements.txt

Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/number-insight/async-callback/Pipfile,/number-insight/async-callback/requirements.txt,/jwt/decode-jwt/Pipfile

Vulnerabilities

CVE            | Severity | CVSS | Dependency                   | Type   | Fixed in (Flask version) | Remediation Available
CVE-2023-30861 | High     | 7.5  | Flask-2.2.3-py3-none-any.whl | Direct | flask - 2.2.5,2.3.2      |

Details

CVE-2023-30861

Vulnerable Library - Flask-2.2.3-py3-none-any.whl

A simple framework for building complex web applications.

Library home page: https://files.pythonhosted.org/packages/95/9c/a3542594ce4973786236a1b7b702b8ca81dbf40ea270f0f96284f0c27348/Flask-2.2.3-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/requirements.txt

Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/number-insight/async-callback/Pipfile,/number-insight/async-callback/requirements.txt,/jwt/decode-jwt/Pipfile

Dependency Hierarchy:

  • Flask-2.2.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.

Publish Date: 2023-05-02

URL: CVE-2023-30861

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861

Release Date: 2023-05-02

Fix Resolution: flask - 2.2.5,2.3.2

⛑️ Automatic Remediation is available for this issue

Werkzeug-2.2.2-py3-none-any.whl: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Vulnerabilities

CVE            | Severity | CVSS | Dependency                      | Type   | Fixed in (Werkzeug version) | Remediation Available
CVE-2023-25577 | High     | 7.5  | Werkzeug-2.2.2-py3-none-any.whl | Direct | Werkzeug - 2.2.3            |
CVE-2023-23934 | Low      | 3.5  | Werkzeug-2.2.2-py3-none-any.whl | Direct | Werkzeug - 2.2.3            |

Details

CVE-2023-25577

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

Publish Date: 2023-02-14

URL: CVE-2023-25577

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

⛑️ Automatic Remediation is available for this issue

CVE-2023-23934

Vulnerable Library - Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /jwt/decode-jwt/Pipfile

Path to vulnerable library: /jwt/decode-jwt/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • Werkzeug-2.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

⛑️ Automatic Remediation is available for this issue

PyYAML-5.1.tar.gz: 3 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

CVE            | Severity | CVSS | Dependency        | Type   | Fixed in       | Remediation Available
CVE-2020-1747  | High     | 9.8  | PyYAML-5.1.tar.gz | Direct | pyyaml - 5.3.1 |
CVE-2020-14343 | High     | 9.8  | PyYAML-5.1.tar.gz | Direct | PyYAML - 5.4   |
CVE-2019-20477 | High     | 9.8  | PyYAML-5.1.tar.gz | Direct | 5.2            |

Details

CVE-2020-1747

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

Publish Date: 2020-03-24

URL: CVE-2020-1747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6757-jp84-gxfx

Release Date: 2020-03-24

Fix Resolution: pyyaml - 5.3.1

⛑️ Automatic Remediation is available for this issue

CVE-2020-14343

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Publish Date: 2021-02-09

URL: CVE-2020-14343

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343

Release Date: 2021-02-09

Fix Resolution: PyYAML - 5.4

⛑️ Automatic Remediation is available for this issue

CVE-2019-20477

Vulnerable Library - PyYAML-5.1.tar.gz

YAML parser and emitter for Python

Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/requirements.txt

Dependency Hierarchy:

  • PyYAML-5.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: master

Vulnerability Details

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Publish Date: 2020-02-19

URL: CVE-2019-20477

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477

Release Date: 2020-02-19

Fix Resolution: 5.2

⛑️ Automatic Remediation is available for this issue


⛑️ Automatic Remediation is available for this issue.

vonage.errors.AuthenticationError: Authentication failed. Check you're using a valid authentication method.

Hi, I have this error: vonage.errors.AuthenticationError: Authentication failed. Check you're using a valid authentication method.

Linux xubuntu 22.04

Python 3.10

pip3 install vonage

When I try to run the following code:

#################################### Code #############################################

import os
from os.path import join, dirname

import vonage

VONAGE_APPLICATION_ID = "f6e2b6af-2610-408d-99f9-c41e2248e03d"
VONAGE_APPLICATION_PRIVATE_KEY_PATH = "/home/android/Proyectos/Corato_V2/private.key"

# Phone numbers redacted by the poster
TO_NUMBER = "**********"
FROM_NUMBER = "**********"

# Authenticate with the application ID and the application's private key file
client = vonage.Client(
    application_id=VONAGE_APPLICATION_ID,
    private_key=VONAGE_APPLICATION_PRIVATE_KEY_PATH,
)

client.messages.send_message({
    "channel": "whatsapp",
    "message_type": "text",
    "to": "**********",
    "from": "***********",
    "text": "This is a WhatsApp text message sent using the Vonage Messages API",
})

Source: https://github.com/Vonage/vonage-python-code-snippets/blob/main/messages/whatsapp/send_text.py

$ python3 send_text.py

#######################################################################################

I already tried with key and secret, but it doesn't work. What am I doing wrong???

Thanks in advance.

Stack trace:

Traceback (most recent call last):
  File "/home/android/Downloads/ejemplos_vonage/messages/whatsapp/send_text.py", line 23, in <module>
    client.messages.send_message(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/messages.py", line 25, in send_message
    return self._client.post(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/client.py", line 231, in post
    return self.parse(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/client.py", line 277, in parse
    raise AuthenticationError("Authentication failed. Check you're using a valid authentication method.")

Better UI for running the tests

Whichever solution we choose for running the quickstarts, whether via the browser or the command-line, we should have a better UI for running the code. The supporting code for this should be clearly separated from the quickstart code itself, but also easily understood.

cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl: 2 vulnerabilities (highest severity is: 7.4)

Vulnerable Library - cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/37/19/234484df6fc7bdf4cf81cd4a89f600fce9f8f7a4bc1b307d7abbcd382b64/cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt,/sms/verify-signed-sms/requirements.txt

Vulnerabilities

CVE            | Severity | CVSS | Dependency                                               | Type   | Fixed in (cryptography version) | Remediation Available
CVE-2023-0286  | High     | 7.4  | cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl  | Direct | openssl-3.0.8, OpenSSL_1_1_1t   |
CVE-2023-23931 | Medium   | 6.5  | cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl  | Direct | cryptography - 39.0.1           |

Details

CVE-2023-0286

Vulnerable Library - cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/37/19/234484df6fc7bdf4cf81cd4a89f600fce9f8f7a4bc1b307d7abbcd382b64/cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/vulnerabilities.html

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8, OpenSSL_1_1_1t

⛑️ Automatic Remediation is available for this issue

CVE-2023-23931

Vulnerable Library - cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/37/19/234484df6fc7bdf4cf81cd4a89f600fce9f8f7a4bc1b307d7abbcd382b64/cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt,/sms/verify-signed-sms/requirements.txt

Dependency Hierarchy:

  • cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution: cryptography - 39.0.1

⛑️ Automatic Remediation is available for this issue


⛑️ Automatic Remediation is available for this issue.
