vonage / vonage-python-code-snippets
Python code examples for using Vonage communications APIs
License: MIT License
Hi, I have this error: `vonage.errors.AuthenticationError: Authentication failed. Check you're using a valid authentication method.`
Linux xubuntu 22.04
Python 3.10
`pip3 install vonage`
When I try to run the following code:
```python
# Code
import os
from os.path import join, dirname

import vonage

VONAGE_APPLICATION_ID = "f6e2b6af-2610-408d-99f9-c41e2248e03d"
VONAGE_APPLICATION_PRIVATE_KEY_PATH = "/home/android/Proyectos/Corato_V2/private.key"
TO_NUMBER = "**********"    # redacted in the original post
FROM_NUMBER = "**********"  # redacted in the original post

client = vonage.Client(
    application_id=VONAGE_APPLICATION_ID,
    private_key=VONAGE_APPLICATION_PRIVATE_KEY_PATH,
)

client.messages.send_message({
    "channel": "whatsapp",
    "message_type": "text",
    "to": TO_NUMBER,
    "from": FROM_NUMBER,
    "text": "This is a WhatsApp text message sent using the Vonage Messages API",
})
```
Source: https://github.com/Vonage/vonage-python-code-snippets/blob/main/messages/whatsapp/send_text.py

```
$ python3 send_text.py
```
I already tried with key and secret but it doesn't work, what am I doing wrong???
Thanks in advance.
Stack trace:
```
Traceback (most recent call last):
  File "/home/android/Downloads/ejemplos_vonage/messages/whatsapp/send_text.py", line 23, in <module>
    client.messages.send_message(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/messages.py", line 25, in send_message
    return self._client.post(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/client.py", line 231, in post
    return self.parse(
  File "/home/android/Downloads/ejemplos_vonage/env/lib/python3.10/site-packages/vonage/client.py", line 277, in parse
    raise AuthenticationError("Authentication failed. Check you're using a valid authentication method.")
```
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/85/62/48bcebd955945d8da3fe9b84a679dbf4bf179e1ac36e583b7eaa47506758/cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl
Path to dependency file: /jwt/decode-jwt/Pipfile
Path to vulnerable library: /jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-26130 | High | 7.5 | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | cryptography - 42.0.4 | ✅ |
CVE-2023-50782 | High | 7.5 | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.0 | ✅ |
CVE-2023-49083 | High | 7.5 | cryptography-41.0.5-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 41.0.6 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
Publish Date: 2024-02-21
URL: CVE-2024-26130
Type: Upgrade version
Origin: GHSA-6vqw-3v5j-54x4
Release Date: 2024-02-21
Fix Resolution: cryptography - 42.0.4
⛑️ Automatic Remediation will be attempted for this issue.
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Publish Date: 2024-02-05
URL: CVE-2023-50782
Type: Upgrade version
Origin: GHSA-3ww4-gg4f-jr7f
Release Date: 2024-02-05
Fix Resolution: 42.0.0
⛑️ Automatic Remediation will be attempted for this issue.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Publish Date: 2023-11-29
URL: CVE-2023-49083
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083
Release Date: 2023-11-29
Fix Resolution: 41.0.6
⛑️ Automatic Remediation will be attempted for this issue.
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/requirements.txt
Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-35195 | Medium | 5.6 | Not Defined | 0.0% | requests-2.31.0-py3-none-any.whl | Direct | requests - 2.32.2 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
Requests is a HTTP library. Prior to 2.32.2, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.
Publish Date: 2024-05-20
URL: CVE-2024-35195
Exploit Maturity: Not Defined
EPSS: 0.0%
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: requests - 2.32.2
⛑️ Automatic Remediation will be attempted for this issue.
The way we load .env files requires them to be valid python code, instead of valid .env files. Although there is an overlap in compatibility, these are not the same and so something like python-dotenv should be used for parsing this instead.
I'm not sure running say number-insight from a webpage via the browser makes much sense. Maybe a single command-line endpoint for running the samples?
Needs some thought.
JOSE implementation in Python
Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/requirements.txt
Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (python_jose version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-33664 | High | 7.7 | Not Defined | 0.0% | python_jose-3.3.0-py2.py3-none-any.whl | Direct | N/A | ❌ | |
CVE-2024-33663 | High | 7.5 | Not Defined | 0.0% | python_jose-3.3.0-py2.py3-none-any.whl | Direct | N/A | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
Publish Date: 2024-04-25
URL: CVE-2024-33664
Exploit Maturity: Not Defined
EPSS: 0.0%
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
Publish Date: 2024-04-25
URL: CVE-2024-33663
Exploit Maturity: Not Defined
EPSS: 0.0%
A simple framework for building complex web applications.
Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/requirements.txt
Path to vulnerable library: /sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-30861 | High | 7.5 | Flask-2.2.2-py3-none-any.whl | Direct | 2.3.2 | ✅ |
Found in base branch: main
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
1. The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`.
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Publish Date: 2023-05-02
URL: CVE-2023-30861
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861
Release Date: 2023-05-02
Fix Resolution: 2.3.2
⛑️ Automatic Remediation is available for this issue
There is a bug. More here
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (cryptography version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-26130 | High | 7.5 | Not Defined | 0.0% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.4 | ✅ | |
CVE-2023-50782 | High | 7.5 | Not Defined | 0.1% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 42.0.0 | ✅ | |
CVE-2023-49083 | High | 7.5 | Not Defined | 0.1% | cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | 41.0.6 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
Publish Date: 2024-02-21
URL: CVE-2024-26130
Exploit Maturity: Not Defined
EPSS: 0.0%
Type: Upgrade version
Origin: GHSA-6vqw-3v5j-54x4
Release Date: 2024-02-21
Fix Resolution: 42.0.4
⛑️ Automatic Remediation will be attempted for this issue.
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Publish Date: 2024-02-05
URL: CVE-2023-50782
Exploit Maturity: Not Defined
EPSS: 0.1%
Type: Upgrade version
Origin: GHSA-3ww4-gg4f-jr7f
Release Date: 2024-02-05
Fix Resolution: 42.0.0
⛑️ Automatic Remediation will be attempted for this issue.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Publish Date: 2023-11-29
URL: CVE-2023-49083
Exploit Maturity: Not Defined
EPSS: 0.1%
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083
Release Date: 2023-11-29
Fix Resolution: 41.0.6
⛑️ Automatic Remediation will be attempted for this issue.
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/30/6d/6de6be2d02603ab56e72997708809e8a5b0fbfee080735109b40a3564843/Jinja2-3.1.3-py3-none-any.whl
Path to dependency file: /number-insight/async-callback/Pipfile
Path to vulnerable library: /number-insight/async-callback/Pipfile,/jwt/decode-jwt/Pipfile
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Jinja2 version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-34064 | Medium | 5.4 | Not Defined | 0.0% | Jinja2-3.1.3-py3-none-any.whl | Direct | Jinja2 - 3.1.4 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe. This vulnerability is fixed in 3.1.4.
Publish Date: 2024-05-06
URL: CVE-2024-34064
Exploit Maturity: Not Defined
EPSS: 0.0%
Type: Upgrade version
Origin: GHSA-h75v-3vvj-5mfj
Release Date: 2024-05-06
Fix Resolution: Jinja2 - 3.1.4
⛑️ Automatic Remediation will be attempted for this issue.
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/55/ba/2268399be15f1542a3bacf6e60fdaf4fea0b18e5190e87b97075e03cb155/cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl
Path to dependency file: /jwt/decode-jwt/Pipfile
Path to vulnerable library: /jwt/decode-jwt/Pipfile
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Available |
---|---|---|---|---|---|---|
WS-2022-0365 | High | 9.8 | cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl | Direct | cryptography - 38.0.3 | ✅ |
Found in base branch: master
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
Publish Date: 2022-11-02
URL: WS-2022-0365
Type: Upgrade version
Origin: GHSA-39hc-v87j-747x
Release Date: 2022-11-02
Fix Resolution: cryptography - 38.0.3
⛑️ Automatic Remediation is available for this issue
I've checked an outbound call using the playground, it works fine
In python quick start app, it gives me Authentication error
A simple framework for building complex web applications.
Library home page: https://files.pythonhosted.org/packages/95/9c/a3542594ce4973786236a1b7b702b8ca81dbf40ea270f0f96284f0c27348/Flask-2.2.3-py3-none-any.whl
Path to dependency file: /jwt/decode-jwt/requirements.txt
Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/number-insight/async-callback/Pipfile,/number-insight/async-callback/requirements.txt,/jwt/decode-jwt/Pipfile
CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-30861 | High | 7.5 | Flask-2.2.3-py3-none-any.whl | Direct | flask - 2.2.5,2.3.2 | ✅ |
Found in base branch: main
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
1. The application is hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`.
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Publish Date: 2023-05-02
URL: CVE-2023-30861
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861
Release Date: 2023-05-02
Fix Resolution: flask - 2.2.5,2.3.2
⛑️ Automatic Remediation is available for this issue
Clean single-source support for Python 3 and 2
Library home page: https://files.pythonhosted.org/packages/45/0b/38b06fd9b92dc2b68d58b75f900e97884c45bedd2ff83203d933cf5851c9/future-0.18.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (future version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-40899 | High | 7.5 | future-0.18.2.tar.gz | Direct | N/A | ❌ |
Found in base branch: main
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
Publish Date: 2022-12-23
URL: CVE-2022-40899
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/37/19/234484df6fc7bdf4cf81cd4a89f600fce9f8f7a4bc1b307d7abbcd382b64/cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/jwt/decode-jwt/Pipfile,/jwt/decode-jwt/requirements.txt,/sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-0286 | High | 7.4 | cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl | Direct | openssl-3.0.8, OpenSSL_1_1_1t | ✅ |
CVE-2023-23931 | Medium | 6.5 | cryptography-38.0.3-cp36-abi3-manylinux_2_24_x86_64.whl | Direct | cryptography - 39.0.1 | ✅ |
Found in base branch: main
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Publish Date: 2023-02-08
URL: CVE-2023-0286
Type: Upgrade version
Origin: https://www.openssl.org/news/vulnerabilities.html
Release Date: 2023-02-08
Fix Resolution: openssl-3.0.8, OpenSSL_1_1_1t
⛑️ Automatic Remediation is available for this issue
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Publish Date: 2023-02-07
URL: CVE-2023-23931
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931
Release Date: 2023-02-07
Fix Resolution: cryptography - 39.0.1
⛑️ Automatic Remediation is available for this issue
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bc/c3/f068337a370801f372f2f8f6bad74a5c140f6fda3d9de154052708dd3c65/Jinja2-3.1.2-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Jinja2 version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-22195 | Medium | 6.1 | Not Defined | 0.1% | Jinja2-3.1.2-py3-none-any.whl | Direct | jinja2 - 3.1.3 | ✅ | |
CVE-2024-34064 | Medium | 5.4 | Not Defined | 0.0% | Jinja2-3.1.2-py3-none-any.whl | Direct | Jinja2 - 3.1.4 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Found in base branch: main
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
Publish Date: 2024-01-11
URL: CVE-2024-22195
Exploit Maturity: Not Defined
EPSS: 0.1%
Type: Upgrade version
Origin: GHSA-h5c8-rqwp-cp95
Release Date: 2024-01-11
Fix Resolution: jinja2 - 3.1.3
⛑️ Automatic Remediation will be attempted for this issue.
Dependency Hierarchy:
Found in base branch: main
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe. This vulnerability is fixed in 3.1.4.
Publish Date: 2024-05-06
URL: CVE-2024-34064
Exploit Maturity: Not Defined
EPSS: 0.0%
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h75v-3vvj-5mfj
Release Date: 2024-05-06
Fix Resolution: Jinja2 - 3.1.4
⛑️ Automatic Remediation will be attempted for this issue.
```python
import os
from os.path import join, dirname
from pprint import pprint
import vonage  # `from vonage import *` does not bind the name `vonage` used below
from dotenv import load_dotenv

# Load credentials from ../.env relative to this script (`__file__`, not `file`)
dotenv_path = join(dirname(__file__), "../.env")
load_dotenv(dotenv_path)

VONAGE_APPLICATION_ID = os.environ.get("VONAGE_APPLICATION_ID")
VONAGE_APPLICATION_PRIVATE_KEY_PATH = os.environ.get("VONAGE_APPLICATION_PRIVATE_KEY_PATH")
VONAGE_NUMBER = os.environ.get("VONAGE_NUMBER")
TO_NUMBER = os.environ.get("TO_NUMBER")

# Application ID + private key path (JWT auth) is what the Voice API requires
client = vonage.Client(
    application_id=VONAGE_APPLICATION_ID,
    private_key=VONAGE_APPLICATION_PRIVATE_KEY_PATH,
)
voice = vonage.Voice(client)
response = voice.create_call({
    'to': [{'type': 'phone', 'number': TO_NUMBER}],
    'from': {'type': 'phone', 'number': VONAGE_NUMBER},
    'ncco': [{'action': 'talk', 'text': 'This is a text to speech call from Nexmo'}]
})
pprint(response)
```
The error I'm receiving when running this code is:
Exception has occurred: TypeError
Expecting a PEM-formatted key.
File "C:\Users\mikea\Desktop\deleted\lil test\vonage-calls.py", line 25, in
'ncco': [{'action': 'talk', 'text': 'This is a text to speech call from Nexmo'}]
Path to dependency file: /number-insight/async-callback/Pipfile
Path to vulnerable library: /number-insight/async-callback/Pipfile
CVE | Severity | CVSS | Dependency | Type | Fixed in (Flask version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-25577 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-23934 | Low | 3.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl
Path to dependency file: /jwt/decode-jwt/Pipfile
Path to vulnerable library: /jwt/decode-jwt/Pipfile
Dependency Hierarchy:
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl
Path to dependency file: /number-insight/async-callback/Pipfile
Path to vulnerable library: /number-insight/async-callback/Pipfile
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
Publish Date: 2023-02-14
URL: CVE-2023-25577
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
In the inbound-message.py there is a typo within the code provided. It seems that the print statement has an extra p.
Link to Vonage website documentation: https://developer.vonage.com/en/messages/code-snippets/inbound-message?source=messages&lang=python
Path within github repo: messages/inbound-message.py
```python
# messages/inbound-message.py
from pprint import pprint
from flask import request

def inbound_message():
    data = request.get_json()
    pprint(data)
    return "200"
```
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/requirements.txt
Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | ✅ |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Direct | 1.25.9 | ✅ |
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
⛑️ Automatic Remediation is available for this issue
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
⛑️ Automatic Remediation is available for this issue
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/23/fc/8a49991f7905261f9ca9df5aa9b58363c3c821ce3e7f671895442b7100f2/urllib3-1.26.3-py2.py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/Pipfile
Path to vulnerable library: /sms/verify-signed-sms/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.26.3-py2.py3-none-any.whl | Direct | urllib3 - 1.26.5 | ✅ |
CVE-2021-28363 | Medium | 6.5 | urllib3-1.26.3-py2.py3-none-any.whl | Direct | 1.26.4 | ✅ |
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
⛑️ Automatic Remediation is available for this issue
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Publish Date: 2021-03-15
URL: CVE-2021-28363
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5phf-pp7p-vc2r
Release Date: 2021-03-15
Fix Resolution: 1.26.4
⛑️ Automatic Remediation is available for this issue
This one works fine:
```python
client.send_message({
    'from': 'xxxxxx',
    'to': 'xxxxxx',
    'text': 'A text message sent using the Nexmo SMS API',
})
```
But when I was trying to run client.get_calls(), I got authentication error.
Whichever solution we choose for running the quickstarts, whether via the browser or the command-line, we should have a better UI for running the code. The supporting code for this should be clearly separated from the quickstart code itself, but also easily understood.
YAML parser and emitter for Python
Library home page: https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-1747 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | pyyaml - 5.3.1 | ✅ |
CVE-2020-14343 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | PyYAML - 5.4 | ✅ |
CVE-2019-20477 | High | 9.8 | PyYAML-5.1.tar.gz | Direct | 5.2 | ✅ |
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Publish Date: 2020-03-24
URL: CVE-2020-1747
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6757-jp84-gxfx
Release Date: 2020-03-24
Fix Resolution: pyyaml - 5.3.1
⛑️ Automatic Remediation is available for this issue
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Publish Date: 2021-02-09
URL: CVE-2020-14343
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
Release Date: 2021-02-09
Fix Resolution: PyYAML - 5.4
⛑️ Automatic Remediation is available for this issue
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
Publish Date: 2020-02-19
URL: CVE-2019-20477
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20477
Release Date: 2020-02-19
Fix Resolution: 5.2
⛑️ Automatic Remediation is available for this issue
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/b4/9b/8850f99027ed029af6828199cc87179eaccbbf1f9e6e373e7f0177d32dad/PyJWT-2.0.1-py3-none-any.whl
Path to dependency file: /jwt/decode-jwt/requirements.txt
Path to vulnerable library: /jwt/decode-jwt/requirements.txt,/jwt/decode-jwt/Pipfile
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-29217 | High | 7.5 | PyJWT-2.0.1-py3-none-any.whl | Direct | PyJWT - 2.4.0 | ✅ |
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
⛑️ Automatic Remediation is available for this issue
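The workaround stated in the advisory above, pinning the accepted algorithms on the application side, as an added example that is not PyJWT's code or this repository's: a stdlib-only HS256 verifier that checks the caller's allow-list before acting on the attacker-controlled `alg` header. The secret, claims and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads it from a secrets store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
HS256_HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWS signed with HMAC-SHA256 (demo issuer side)."""
    signing_input = _encode_part(HS256_HEADER) + "." + _encode_part(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    # Constructed 'alg: none' token with an empty signature, used only to
    # confirm that the allow-list check below refuses it.
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(claims) + "."


def decode_with_allowlist(token: str, secret: bytes, algorithms: list) -> dict:
    """Verify and decode a compact JWS, accepting only algorithms the caller lists.

    This is the discipline the CVE-2022-29217 advisory recommends: the
    application, not the token, decides which algorithms are acceptable.
    Only HS256 is implemented in this demo.
    """
    if not algorithms:
        raise ValueError("algorithms allow-list must not be empty")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    alg = header.get("alg")
    # The header is attacker-controlled: check it against the allow-list
    # before doing anything that depends on its value.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not in allow-list {algorithms}")
    if alg != "HS256":
        raise NotImplementedError(f"{alg} is not supported by this demo")
    signing_input = (header_seg + "." + payload_seg).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_seg))


def demo() -> dict:
    """Run the verifier over a valid token and three tokens it must refuse."""
    claims = {"sub": "user-42", "role": "user"}
    good = sign_hs256(claims, DEMO_SECRET)
    head, _payload, sig = good.split(".")
    # Same header and signature, but the payload has been edited.
    tampered = head + "." + _encode_part({"sub": "user-42", "role": "admin"}) + "." + sig
    results = {"good": decode_with_allowlist(good, DEMO_SECRET, ["HS256"])["sub"]}
    cases = [
        ("none_rejected", unsigned_token(claims), ["HS256"]),
        ("alg_not_listed_rejected", good, ["RS256"]),
        ("tampered_rejected", tampered, ["HS256"]),
    ]
    for name, tok, algs in cases:
        try:
            decode_with_allowlist(tok, DEMO_SECRET, algs)
            results[name] = False
        except (ValueError, NotImplementedError):
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

With PyJWT itself the same discipline is `jwt.decode(token, key, algorithms=["HS256"])`; the upgrade to 2.4.0 remains the actual fix.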
My Vonage virtual phone number can receive SMS text messages from my phone number
(I receive them at an AWS API Gateway endpoint: https://MY-END-POINT.execute-api.us-east-1.amazonaws.com/v1/PROXY).
(Please note: PROXY can receive anything after v1/, e.g. webhooks/inbound-message or webhooks/inbound-sms.)
I want to receive a bank 2FA verification code at my AWS API Gateway endpoint.
How can I receive a bank 2FA verification code sent from my bank to my Vonage virtual mobile number, and then how can I redirect it to my AWS Gateway endpoint?
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/f6/f8/9da63c1617ae2a1dec2fbf6412f3a0cfe9d4ce029eccbda6e1e4258ca45f/Werkzeug-2.2.3-py3-none-any.whl
Path to dependency file: /jwt/decode-jwt/Pipfile
Path to vulnerable library: /jwt/decode-jwt/Pipfile,/number-insight/async-callback/Pipfile
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Werkzeug version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-34069 | High | 7.5 | Not Defined | 0.0% | Werkzeug-2.2.3-py3-none-any.whl | Direct | Werkzeug - 3.0.3 | ✅ | |
CVE-2023-46136 | High | 7.5 | Not Defined | 0.1% | Werkzeug-2.2.3-py3-none-any.whl | Direct | werkzeug - 2.3.8,3.0.1 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.
Publish Date: 2024-05-06
URL: CVE-2024-34069
Exploit Maturity: Not Defined
EPSS: 0.0%
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2g68-c3qc-8985
Release Date: 2024-05-06
Fix Resolution: Werkzeug - 3.0.3
⛑️ Automatic Remediation will be attempted for this issue.
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
Publish Date: 2023-10-25
URL: CVE-2023-46136
Exploit Maturity: Not Defined
EPSS: 0.1%
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hrfv-mqp8-q5rw
Release Date: 2023-10-25
Fix Resolution: werkzeug - 2.3.8,3.0.1
⛑️ Automatic Remediation will be attempted for this issue.
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl
Path to dependency file: /jwt/decode-jwt/Pipfile
Path to vulnerable library: /jwt/decode-jwt/Pipfile,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (Werkzeug version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-25577 | High | 7.5 | Werkzeug-2.2.2-py3-none-any.whl | Direct | Werkzeug - 2.2.3 | ✅ |
CVE-2023-23934 | Low | 3.5 | Werkzeug-2.2.2-py3-none-any.whl | Direct | Werkzeug - 2.2.3 | ✅ |
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
Publish Date: 2023-02-14
URL: CVE-2023-25577
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
⛑️ Automatic Remediation is available for this issue
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
⛑️ Automatic Remediation is available for this issue
ECDSA cryptographic signature library (pure python)
Library home page: https://files.pythonhosted.org/packages/09/d4/4f05f5d16a4863b30ba96c23b23e942da8889abfa1cdbabf2a0df12a4532/ecdsa-0.18.0-py2.py3-none-any.whl
Path to dependency file: /sms/verify-signed-sms/requirements.txt
Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt
CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (ecdsa version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-23342 | High | 7.4 | Not Defined | 0.1% | ecdsa-0.18.0-py2.py3-none-any.whl | Direct | N/A | ❌ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Dependency Hierarchy:
Found in base branch: main
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.
Publish Date: 2024-01-23
URL: CVE-2024-23342
Exploit Maturity: Not Defined
EPSS: 0.1%
Base Score Metrics:
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/71/4c/3db2b8021bd6f2f0ceb0e088d6b2d49147671f25832fb17970e9b583d742/certifi-2022.12.7-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/requirements.txt
Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf
CVE | Severity | CVSS | Dependency | Type | Fixed in (certifi version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-37920 | Critical | 9.8 | certifi-2022.12.7-py3-none-any.whl | Direct | certifi - 2023.7.22 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Dependency Hierarchy:
Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf
Found in base branch: main
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Publish Date: 2023-07-25
URL: CVE-2023-37920
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xqr8-7jwr-rhp7
Release Date: 2023-07-25
Fix Resolution: certifi - 2023.7.22
⛑️ Automatic Remediation will be attempted for this issue.
JOSE implementation in Python
Library home page: https://files.pythonhosted.org/packages/0e/b9/dc9653c51922f4a030e227f456b8ee63565c8005b8d1fbfa2a2500c6ccd7/python-jose-1.2.0.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-7036 | High | 9.8 | python-jose-1.2.0.tar.gz | Direct | 1.3.2 | ✅ |
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.
Publish Date: 2017-01-23
URL: CVE-2016-7036
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7036
Release Date: 2017-01-23
Fix Resolution: 1.3.2
⛑️ Automatic Remediation is available for this issue
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: master
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e
CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-43804 | High | 8.1 | urllib3-1.26.5-py2.py3-none-any.whl | Direct | 1.26.17 | ✅ |
CVE-2023-45803 | Medium | 4.2 | urllib3-1.26.5-py2.py3-none-any.whl | Direct | 2.0.7 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Publish Date: 2023-10-04
URL: CVE-2023-43804
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: 1.26.17
⛑️ Automatic Remediation will be attempted for this issue.
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/0c/cd/1e2ec680ec7b09846dc6e605f5a7709dfb9d7128e51a026e7154e18a234e/urllib3-1.26.5-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 01f46587dd7ad6e0d84f5cab4ed0cfb4ba09883e
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Publish Date: 2023-10-17
URL: CVE-2023-45803
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4mx-q9vg-27p4
Release Date: 2023-10-17
Fix Resolution: 2.0.7
⛑️ Automatic Remediation will be attempted for this issue.
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl
Path to dependency file: /number-insight/async-callback/requirements.txt
Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile
CVE | Severity | CVSS | Dependency | Type | Fixed in (Werkzeug version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-25577 | High | 7.5 | Werkzeug-1.0.1-py2.py3-none-any.whl | Direct | Werkzeug - 2.2.3 | ✅ |
CVE-2023-23934 | Low | 3.5 | Werkzeug-1.0.1-py2.py3-none-any.whl | Direct | Werkzeug - 2.2.3 | ✅ |
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl
Path to dependency file: /number-insight/async-callback/requirements.txt
Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
Publish Date: 2023-02-14
URL: CVE-2023-25577
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
⛑️ Automatic Remediation is available for this issue
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl
Path to dependency file: /number-insight/async-callback/requirements.txt
Path to vulnerable library: /number-insight/async-callback/requirements.txt,/number-insight/async-callback/requirements.txt,/number-insight/async-callback/Pipfile
Dependency Hierarchy:
Found in base branch: main
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
⛑️ Automatic Remediation is available for this issue
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/92/b6/22b9b21fecfb03a90ce9393053f054b2742b00e704c20a595cf4c15f975e/cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/jwt/decode-jwt/requirements.txt
Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf
CVE | Severity | CVSS | Dependency | Type | Fixed in (cryptography version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-38325 | High | 7.5 | cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl | Direct | cryptography - 41.0.2 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/92/b6/22b9b21fecfb03a90ce9393053f054b2742b00e704c20a595cf4c15f975e/cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/jwt/decode-jwt/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: ffbf044c787cc8cd35fd1e18e6b692ed0b0f6bbf
Found in base branch: main
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
Publish Date: 2023-07-14
URL: CVE-2023-38325
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325
Release Date: 2023-07-14
Fix Resolution: cryptography - 41.0.2
⛑️ Automatic Remediation will be attempted for this issue.
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in (certifi version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-23491 | High | 7.5 | certifi-2022.9.24-py3-none-any.whl | Direct | certifi - 2022.12.07 | ✅ |
Python package for providing Mozilla's CA Bundle.
Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt,/sms/verify-signed-sms/requirements.txt,/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: main
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Publish Date: 2022-12-07
URL: CVE-2022-23491
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491
Release Date: 2022-12-07
Fix Resolution: certifi - 2022.12.07
⛑️ Automatic Remediation is available for this issue
Cryptographic modules for Python.
Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
CVE | Severity | CVSS | Dependency | Type | Fixed in (pycrypto version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2013-7459 | High | 9.8 | pycrypto-2.6.1.tar.gz | Direct | python2-crypto - 2.6.1-5;python-crypto - 2.6.1-5 | ✅ |
CVE-2018-6594 | High | 7.5 | pycrypto-2.6.1.tar.gz | Direct | python-crypto - 2.6.1-9 | ✅ |
Cryptographic modules for Python.
Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: main
Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
Publish Date: 2017-02-15
URL: CVE-2013-7459
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7459
Release Date: 2017-02-15
Fix Resolution: python2-crypto - 2.6.1-5;python-crypto - 2.6.1-5
⛑️ Automatic Remediation is available for this issue
Cryptographic modules for Python.
Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c
Found in base branch: main
lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.
Publish Date: 2018-02-03
URL: CVE-2018-6594
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-6594
Release Date: 2018-02-03
Fix Resolution: python-crypto - 2.6.1-9
⛑️ Automatic Remediation is available for this issue
I have the following sequence:
The following is my piece of code:

```python
import os
import time


def on_final_result(self, text):
    # api_response and client are defined elsewhere in my class; only the
    # relevant method is shown here
    if len(api_response["data"]["system_output"]) > 0:
        text_to_speech = api_response["data"]["system_output"]  # Receive sentence to speak from my api
        file_url = self.pollyaudio(text_to_speech)  # this will convert text to speech using polly
        response = client.send_audio(os.environ['uuid'], stream_url=[file_url])
        if response is not None:
            time.sleep(10)  # i am trying this but it is not working as expected
    command = api_response["data"]["commands"][0]
    # End of call command
    if command is not None and command['name'] == 'EOC':
        client.update_call(os.environ['uuid'], action='hangup')
```