{ "$meta": { "advisory": "PyUp.io metadata", "timestamp": 1625119202 }, "abracadabra": [ { "advisory": "Abracadabra 0.0.4 updates the notebook dependency to address a security vulnerability.", "cve": null, "id": "pyup.io-39264", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "acqusition": [ { "advisory": "acqusition is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, "id": "pyup.io-34978", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aegea": [ { "advisory": "Aegea 2.2.7 avoids CVE-2018-1000805.", "cve": "CVE-2018-1000805", "id": "pyup.io-37611", "specs": [ "<2.2.7" ], "v": "<2.2.7" } ], "aethos": [ { "advisory": "Aethos 0.3.0.1 hotfixed NLTK package in setup.py and the vulnerable version.", "cve": null, "id": "pyup.io-37721", "specs": [ "<0.3.0.1" ], "v": "<0.3.0.1" } ], "agraph-python": [ { "advisory": "Agraph-python 101.0.1 updates urllib3 from 1.22 to 1.23 and requests from 2.18.4 to 2.20.0 for security reasons.", "cve": null, "id": "pyup.io-38506", "specs": [ "<101.0.1" ], "v": "<101.0.1" }, { "advisory": "Agraph-python before 101.0.3 updates numpy to 1.16.0 and urllib3 to 1.24.2 for security reasons.", "cve": null, "id": "pyup.io-37085", "specs": [ "<101.0.3" ], "v": "<101.0.3" } ], "aiida": [ { "advisory": "Aiida 0.12.3 fixes a security vulnerability by upgrading `paramiko` to `2.4.2`.", "cve": null, "id": "pyup.io-37054", "specs": [ "<0.12.3" ], "v": "<0.12.3" } ], "aiida-core": [ { "advisory": "aiida-core 0.12.3 fixes security vulnerability by upgrading `paramiko` to `2.4.2`", "cve": null, "id": "pyup.io-36956", "specs": [ "<0.12.3" ], "v": "<0.12.3" }, { "advisory": "Aiida-core before 1.6.0 adds security option to toggle POST methods on/off with the 'verdi restapi --posting/--no-posting' options (it is on by default).", "cve": null, "id": "pyup.io-40304", "specs": [ "<1.6.0" ], "v": "<1.6.0" } ], "aioapns": [ { "advisory": "Certificate hostname validation in aioapns version 1.10 was enabled by default for 
security reasons. It can be turned off by using no_cert_validation option.", "cve": null, "id": "pyup.io-38620", "specs": [ "<1.10" ], "v": "<1.10" } ], "aiocoap": [ { "advisory": "The proxy in aiocoap 0.4a1 only creates log files when explicitly requested (18ddf8c). Also, support for secured protocols has been added.", "cve": null, "id": "pyup.io-37469", "specs": [ "<0.4a1" ], "v": "<0.4a1" } ], "aiocouchdb": [ { "advisory": "aiocouchdb 0.6.0 now correctly sets members for database security.", "cve": null, "id": "pyup.io-25612", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "aioftp": [ { "advisory": "The server of aioftp 0.15.0 uses explicit mapping of available commands for security reasons.", "cve": null, "id": "pyup.io-38045", "specs": [ "<0.15.0" ], "v": "<0.15.0" } ], "aiohttp": [ { "advisory": "aiohttp 0.16.3 fixes a StaticRoute vulnerability to directory traversal attacks.", "cve": null, "id": "pyup.io-25613", "specs": [ "<0.16.3" ], "v": "<0.16.3" }, { "advisory": "Aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. 
See CVE-2021-21330.", "cve": "CVE-2021-21330", "id": "pyup.io-39659", "specs": [ "<3.7.4" ], "v": "<3.7.4" } ], "aiohttp-auth-autz": [ { "advisory": "aiohttp-auth-autz before 0.2.0 isn't correctly checking the user_id in acl middleware, leading to a possible permission escalation.", "cve": null, "id": "pyup.io-32971", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "aiohttp-jinja2": [ { "advisory": "Aiohttp-jinja2 1.1.1 bumps minimal supported ``jinja2`` version to 2.10.1 to avoid a security vulnerability problem.", "cve": null, "id": "pyup.io-37095", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "aiohttp-swagger": [ { "advisory": "Aiohttp-swagger before 1.0.15 includes a version of js-yaml that's not secure.", "cve": null, "id": "pyup.io-38483", "specs": [ "<1.0.15" ], "v": "<1.0.15" } ], "aioli": [ { "advisory": "aioli 0.16.3 fixes StaticRoute vulnerability to directory traversal attacks.", "cve": null, "id": "pyup.io-37007", "specs": [ "<0.16.3" ], "v": "<0.16.3" } ], "aiootp": [ { "advisory": "Aiootp 0.10.1 reduces the effectiveness of timing analysis of the modular exponentiation in the `Opake` class' verifiers by making the process return values only after discrete intervals of time. Timing attacks on that part of the protocol may still be viable, but should be significantly reduced.", "cve": null, "id": "pyup.io-38491", "specs": [ "<0.10.1" ], "v": "<0.10.1" }, { "advisory": "The `Opake.client` & `Opake.client_registration` methods in aiootp version 0.11.0 take an instantiated client database instead of client credentials which improves security, efficiency & usability. This change reduces the amount of exposure received by user passwords & other credentials. 
It also simplifies usage of the protocol by only needing to carry around a database instead of a slew of credentials, which is also faster, since the credentials are passed through the cpu & memory hard `passcrypt` function every time to open the database.", "cve": null, "id": "pyup.io-38602", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Aiootp 0.13.0 contains a security patch for 'xor' and 'axor' functions which define the one-time-pad cipher (they can leak <1-bit of plaintext).", "cve": null, "id": "pyup.io-39508", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Aiootp 0.17.0 includes a security patch for a critical vulnerability (highly recommended to upgrade). The HMAC verifiers on ciphertexts did not include the 'salt' or 'pid' values when deriving the HMAC. This associated data can therefore be changed to cause a party to decrypt a past ciphertext with a salt or pid of an attacker's choosing.", "cve": null, "id": "pyup.io-39534", "specs": [ "<0.17.0" ], "v": "<0.17.0" }, { "advisory": "Aiootp 0.18.0 includes a few important security patches.", "cve": null, "id": "pyup.io-40254", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { "advisory": "Aiootp 0.18.1 deprecates and replaces an internal 'kdf' for saving database tags due to a vulnerability.", "cve": null, "id": "pyup.io-40253", "specs": [ "<0.18.1" ], "v": "<0.18.1" }, { "advisory": "Aiootp 0.19.0 includes several important security patches and other improvements.", "cve": null, "id": "pyup.io-40252", "specs": [ "<0.19.0" ], "v": "<0.19.0" }, { "advisory": "Aiootp 0.19.3 removes 'map_encipher', 'map_decipher', 'amap_encipher' and 'amap_decipher' generators from the 'Chunky2048' and 'Comprende' classes due to security reasons.", "cve": null, "id": "pyup.io-40251", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Aiootp 0.2.0 adds ephemeral salts to the ``AsyncDatabase`` & ``Database`` file encryption procedures. 
This is a major security fix, as re-encryption of files with the same tag in a database with the same open key would use the same streams of key material each time, breaking encryption if two different versions of a tag file's ciphertext stored to disk were available to an adversary. The database methods ``encrypt``, ``decrypt``, ``aencrypt`` & ``adecrypt`` will now produce and decipher true one-time pad ciphertext with these ephemeral salts.", "cve": null, "id": "pyup.io-38250", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "The ``AsyncDatabase`` & ``Database`` in aiootp version 0.3.0 use the more secure ``afilename`` & ``filename`` methods to derive the hashmap name and encryption streams from a user-defined tag internal to their ``aencrypt`` / ``adecrypt`` / ``encrypt`` / ``decrypt`` methods, as well as, prior to them getting called. This will break past versions of databases' ability to open their files.", "cve": null, "id": "pyup.io-38256", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Aiootp 0.6.0 replaces several usages of ``random.randrange`` within ``randoms.py`` with calls to ``secrets.token_bytes`` which is faster & more secure.", "cve": null, "id": "pyup.io-38361", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Aiootp 0.8.0 fixes the test_hmac and atest_hmac functions in the keys & database classes. The new non-constant-time algorithm needs a random salt to be added before doing the secondary hmac to prevent some potential exotic forms of chosen plaintext/ciphertext attacks on the algorithm. The last version of the algorithm should not be used. \r\n\r\nAlso, the 'Keys' & 'AsyncKeys' interfaces were overhauled to remove the persistence of instance salts. They were intended to be updated by users with the 'reset' & 'areset' methods, but that cannot be guaranteed easily through the class, so it is an inappropriate interface since reusing salts for encryption is completely insecure. 
The instances do still maintain state of their main encryption key, & new stateful methods for key generation, like 'mnemonic' & 'table_key', have been added. The 'state' & 'astate' methods have been removed.", "cve": null, "id": "pyup.io-38381", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Aiootp 0.8.1 adds cryptographically secure pseudo-random values as default keys in encryption functions to safeguard against users accidentally encrypting data without specifying a key. This way, such mistakes will produce ciphertext with an unrecoverable key, instead of without a key at all.", "cve": null, "id": "pyup.io-38395", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Aiootp 0.9.0 adds hmac codes to ciphertext for the following functions: 'json_encrypt', 'ajson_encrypt', 'bytes_encrypt', 'abytes_encrypt', 'Database.encrypt' & 'AsyncDatabase.aencrypt'. This change greatly increases the security of ciphertext by ensuring it hasn't been modified or tampered with maliciously. One-time pad ciphertext is malleable, so without hmac validation it can be changed to successfully allow decryption but return the wrong plaintext. These functions are the highest level abstractions of the library for encryption/decryption, which made them excellent targets for this important security update. As well, it isn't easily possible for the library to provide hmac codes for generators that produce ciphertext, because the end of a stream of ciphertext isn't known until after the results have left the scope of library code. So users will need to produce their own hmac codes for generator ciphertext unless we find an elegant solution to this issue. These functions now all return dictionaries with the associated hmac stored in the 'hmac' entry. The bytes functions formerly returned lists, now their ciphertext is available from the '\"ciphertext\"' entry. And, all database files will have an hmac attached to them now. 
These changes were designed to still be compatible with old ciphertexts but they'll likely be made incompatible by the v0.11.x major release.", "cve": null, "id": "pyup.io-38401", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Aiootp 0.9.1 includes two security improvements:\r\n\r\n- Any falsey values for the 'salt' keyword argument in the library's 'keys', 'akeys', 'bytes_keys', 'abytes_keys', 'subkeys', & 'asubkeys' infinite keystream generators, & other functions around the library, will cause them to generate a new cryptographically secure pseudo-random value for the salt. It formerly only did this when 'salt' was 'None'. \r\n\r\n- The 'seeder' & 'aseeder' generators have been updated to introduce 512 new bits of entropy from 'secrets.token_bytes' on every iteration to ensure that the CSPRNG will produce secure outputs even if its internal state is somehow discovered. This also allows for simply calling the CSPRNG is enough, there's no longer a strong reason to pass new entropy into it manually, except to add even more entropy as desired.", "cve": null, "id": "pyup.io-38406", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "Aiootp 0.9.2 adds 'passcrypt' & 'apasscrypt' instance methods to 'OneTimePad', 'Keys', & 'AsyncKeys' classes. They produce password hashes that are not just secured by the salt & passcrypt algorithm settings, but also by their main symmetric instance keys. This makes passwords infeasible to crack without also compromising the instance's 512-bit key.\r\n\r\nAlso, Aiootp 0.9.2 includes further improvements to the random number generator in 'randoms.py'. This made its internals less sequential and thereby raises the bar of work needed by an attacker to successfully carry out an order prediction attack.", "cve": null, "id": "pyup.io-38409", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "aiosolr": [ { "advisory": "Aiosolr 3.3.2 includes various security updates. 
No details were provided.", "cve": null, "id": "pyup.io-40299", "specs": [ "<3.3.2" ], "v": "<3.3.2" } ], "airtable": [ { "advisory": "Airtable 0.4.4 updates 'request' dependency to 2.79.0 (it removes 'tough-cookie' vulnerability warning).", "cve": null, "id": "pyup.io-39517", "specs": [ "<0.4.4" ], "v": "<0.4.4" } ], "ajsonrpc": [ { "advisory": "Ajsonrpc 1.1.0 ensures server security by having the response manager return a generic ServerError without error details in case of an application exception.", "cve": null, "id": "pyup.io-39665", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "aldryn-django": [ { "advisory": "aldryn-django 1.8.10.1 uses an insecure Django release, 1.8.9.", "cve": null, "id": "pyup.io-25614", "specs": [ "<1.8.10.1" ], "v": "<1.8.10.1" }, { "advisory": "aldryn-django before 1.8.18.1 uses an insecure Django release (Django <1.8.18).", "cve": null, "id": "pyup.io-34512", "specs": [ "<1.8.18.1" ], "v": "<1.8.18.1" } ], "alex-ber-utils": [ { "advisory": "Alex-ber-utils 0.6.3 changed the base docker image version to 0.1.0, because it has fix for a potential security risk: Git was changed not to store credential as plain text, but to keep them in memory for 1 hour, see .", "cve": null, "id": "pyup.io-39148", "specs": [ "<0.6.3" ], "v": "<0.6.3" } ], "alexandra": [ { "advisory": "alexandra 0.4.0 bumps dependency versions to avoid pyOpenSSL vulnerability", "cve": null, "id": "pyup.io-36552", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "algorithm-toolkit": [ { "advisory": "Algorithm-toolkit 0.1.3beta resolves security issues with internal dependencies Pillow and marked.js.", "cve": null, "id": "pyup.io-39381", "specs": [ "<0.1.3beta" ], "v": "<0.1.3beta" } ], "allennlp": [ { "advisory": "allennlp 0.6.1 upgrades flask to avoid security vulnerability.", "cve": null, "id": "pyup.io-36530", "specs": [ "<0.6.1" ], "v": "<0.6.1" }, { "advisory": "Allennlp 0.9.0 includes a fix for hotflip attacks.", "cve": null, "id": "pyup.io-37901", "specs": [ "<0.9.0" ], "v": 
"<0.9.0" } ], "allink-core": [ { "advisory": "Allink-core 2.0.0 fixes various vulnerabilities.", "cve": null, "id": "pyup.io-39104", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "alt-model-checkpoint": [ { "advisory": "alt-model-checkpoint 1.0.1 upgrades dependencies, esp. for requests==2.20.0 security patch", "cve": null, "id": "pyup.io-36628", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "ambient-api": [ { "advisory": "ambient-api 1.5.2 updates requirements.txt to use requests>=2.2.0 due to a security vulnerability.", "cve": null, "id": "pyup.io-36594", "specs": [ "<1.5.2" ], "v": "<1.5.2" } ], "ampache": [ { "advisory": "ampache 3.8 fixes an XSS vulnerability - see CVE-2014-8620", "cve": "CVE-2014-8620", "id": "pyup.io-37865", "specs": [ "<3.8.0" ], "v": "<3.8.0" }, { "advisory": "ampache 3.8.2 fixes a potential security vulnerability on smartplaylist search rule and catalog management actions", "cve": null, "id": "pyup.io-37864", "specs": [ "<3.8.2" ], "v": "<3.8.2" }, { "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection", "cve": "CVE-2019-12385", "id": "pyup.io-37863", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0", "cve": "CVE-2019-12386", "id": "pyup.io-39602", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "amundsen-frontend": [ { "advisory": "amundsen-frontend 3.0.0 bumps serialize-javascript to a newer version that is more secure.", "cve": null, "id": "pyup.io-39065", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "anncolvar": [ { "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.", "cve": null, "id": "pyup.io-36803", "specs": [ "<0.4" ], "v": "<0.4" } ], "annotator": [ { "advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.", "cve": null, "id": "pyup.io-25615", 
"specs": [ "<0.11.2" ], "v": "<0.11.2" } ], "ansible": [ { "advisory": "ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections.", "cve": null, "id": "pyup.io-25616", "specs": [ "<1.2.3" ], "v": "<1.2.3" }, { "advisory": "ansible 1.5.4 includes a security fix for safe_eval, which further hardens the checking of the evaluation function.", "cve": null, "id": "pyup.io-25617", "specs": [ "<1.5.4" ], "v": "<1.5.4" }, { "advisory": "ansible 1.5.5 includes a security fix for vault, to ensure the umask is set to a restrictive mode before creating/editing vault files.", "cve": null, "id": "pyup.io-25618", "specs": [ "<1.5.5" ], "v": "<1.5.5" }, { "advisory": "ansible 1.6.4 includes security updates related to evaluation of untrusted remote inputs.", "cve": null, "id": "pyup.io-25619", "specs": [ "<1.6.4" ], "v": "<1.6.4" }, { "advisory": "ansible 1.6.6 includes security updates to further protect against the incorrect execution of untrusted data.", "cve": null, "id": "pyup.io-25620", "specs": [ "<1.6.6" ], "v": "<1.6.6" }, { "advisory": "ansible 1.6.7 contains two security fixes:\r\n * Strip lookup calls out of inventory variables and clean unsafe data\r\n returned from lookup plugins (CVE-2014-4966)\r\n * Make sure vars don't insert extra parameters into module args and prevent\r\n duplicate params from superseding previous params (CVE-2014-4967)", "cve": "CVE-2014-4967", "id": "pyup.io-25621", "specs": [ "<1.6.7" ], "v": "<1.6.7" }, { "advisory": "ansible 1.7 contains two security fixes:\r\n- Prevent the use of lookups when using legacy \" \" syntax around variables and with_* loops.\r\n - Remove relative paths in TAR-archived file names used by ansible-galaxy.", "cve": null, "id": "pyup.io-25622", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, 
which could allow the insertion of extra module parameters through variables.", "cve": null, "id": "pyup.io-25623", "specs": [ "<1.7.1" ], "v": "<1.7.1" }, { "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view \".", "cve": null, "id": "pyup.io-25624", "specs": [ "<1.8.3" ], "v": "<1.8.3" }, { "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "cve": "CVE-2015-3908", "id": "pyup.io-25625", "specs": [ "<1.9.2" ], "v": "<1.9.2" }, { "advisory": "The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "cve": "CVE-2016-3096", "id": "pyup.io-25626", "specs": [ "<1.9.6" ], "v": "<1.9.6" }, { "advisory": "The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "cve": "CVE-2016-3096", "id": "pyup.io-25627", "specs": [ "<2.0.2" ], "v": "<2.0.2" }, { "advisory": "ansible before 2.2.1 is vulnerable to arbitrary code execution. 
An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.", "cve": null, "id": "pyup.io-33286", "specs": [ "<2.2.1" ], "v": "<2.2.1" }, { "advisory": "ansible before 2.3.1 is vulnerable to CVE-2017-7481 - data for lookup plugins used as variables was not being correctly marked as \"unsafe\".", "cve": "CVE-2017-7481", "id": "pyup.io-34941", "specs": [ "<2.3.1" ], "v": "<2.3.1" } ], "ansible-runner": [ { "advisory": "ansible-runner 1.3.1 adds fixes to make default file permissions much more secure, upgrading is recommended.", "cve": null, "id": "pyup.io-36995", "specs": [ "<1.3.1" ], "v": "<1.3.1" } ], "ansible-vault": [ { "advisory": "An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. 
An attacker can insert python into the vault to trigger this vulnerability.", "cve": "CVE-2017-2809", "id": "pyup.io-35730", "specs": [ "<1.0.5" ], "v": "<1.0.5" } ], "ansigenome": [ { "advisory": "ansigenome before 0.6.0 uses yaml.load instead of yaml.safe_load, allowing a code execution vulnerability.", "cve": null, "id": "pyup.io-34505", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "ansitoimg": [ { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2021-27923).", "cve": "CVE-2021-27923", "id": "pyup.io-40607", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35654).", "cve": "CVE-2020-35654", "id": "pyup.io-40609", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35653).", "cve": "CVE-2020-35653", "id": "pyup.io-40610", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2021-27921).", "cve": "CVE-2021-27921", "id": "pyup.io-40611", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35655).", "cve": "CVE-2020-35655", "id": "pyup.io-40613", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2021-27922).", "cve": "CVE-2021-27922", "id": "pyup.io-40612", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" } ], "anymotion-sdk": [ { "advisory": "Anymotion-sdk 1.2.5 updates the 'urllib3' dependency and other packages for more security.", "cve": null, "id": "pyup.io-40842", 
"specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "apache-airflow": [ { "advisory": "apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint", "cve": null, "id": "pyup.io-36832", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. See CVE-2020-17513.", "cve": "CVE-2020-17513", "id": "pyup.io-39282", "specs": [ "<1.10.13" ], "v": "<1.10.13" }, { "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). 
See CVE-2021-28359.", "cve": "CVE-2021-28359", "id": "pyup.io-40341", "specs": [ ">=1.0.0a1,<1.10.15", ">=2.0.0a1,<2.0.2" ], "v": ">=1.0.0a1,<1.10.15,>=2.0.0a1,<2.0.2" } ], "apache-libcloud": [ { "advisory": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.", "cve": "CVE-2012-3446", "id": "pyup.io-25628", "specs": [ "<0.11.1" ], "v": "<0.11.1" }, { "advisory": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.", "cve": "CVE-2013-6480", "id": "pyup.io-25629", "specs": [ "<0.13.3" ], "v": "<0.13.3" }, { "advisory": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.", "cve": "CVE-2010-4340", "id": "pyup.io-35343", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "apache-skywalking": [ { "advisory": "Apache-skywalking 8.0.0 includes:\r\n* Fix SQL Injection vulnerability in H2/MySQL implementation.\r\n* Upgrade Nacos to avoid the FastJson CVE-2017-18349 in high frequency.\r\n* Upgrade jackson-databind to 2.9.10.", "cve": "CVE-2017-18349", "id": "pyup.io-38630", "specs": [ "<8.0.0" ], "v": "<8.0.0" } ], "apache-superset": [ { "advisory": "Apache-superset 0.11.0 allows for requesting access when denied on a dashboard view (#1192), allows to set static headers as configuration (#1126), and prevents XSS on FAB list views (#1125).", "cve": null, "id": "pyup.io-39495", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).", "cve": null, "id": "pyup.io-39494", "specs": [ 
"<0.14.0" ], "v": "<0.14.0" }, { "advisory": "Apache-superset 0.19.1 prevents XSS markup viz (#3211).", "cve": null, "id": "pyup.io-39491", "specs": [ "<0.19.1" ], "v": "<0.19.1" }, { "advisory": "Apache-superset 0.23.0 adds all derived FAB UserModelView views to admin only (#4180), fixes 4 security vulnerabilities (#4390), and bumps dependencies with security issues (#4427).", "cve": null, "id": "pyup.io-39490", "specs": [ "<0.23.0" ], "v": "<0.23.0" }, { "advisory": "Apache-superset 0.25.0 refactors security code into SupersetSecurityManager (#4565).", "cve": null, "id": "pyup.io-39488", "specs": [ "<0.25.0" ], "v": "<0.25.0" }, { "advisory": "Apache-superset 0.28.0rc5 moves set/merge perm to security manager (#5684).", "cve": null, "id": "pyup.io-39485", "specs": [ "<0.28.0rc5" ], "v": "<0.28.0rc5" }, { "advisory": "Apache-superset 0.29.0rc8 secures unsecured views and prevent regressions (#6553).", "cve": null, "id": "pyup.io-39484", "specs": [ "<0.29.0rc8" ], "v": "<0.29.0rc8" }, { "advisory": "Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6904).", "cve": null, "id": "pyup.io-39483", "specs": [ "<0.31.0rc1" ], "v": "<0.31.0rc1" }, { "advisory": "Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7036) - this was a security concern. It also \r\nran 'npm audit fix' to address various vulnerabilities (#7263).", "cve": null, "id": "pyup.io-39482", "specs": [ "<0.32.0rc1" ], "v": "<0.32.0rc1" }, { "advisory": "Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB method (#7355). These were both security issues.", "cve": null, "id": "pyup.io-39480", "specs": [ "<0.32.0rc2.dev2" ], "v": "<0.32.0rc2.dev2" }, { "advisory": "Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security reasons.", "cve": null, "id": "pyup.io-39481", "specs": [ "<0.33.0rc1" ], "v": "<0.33.0rc1" }, { "advisory": "Apache-superset 0.34.0 includes various security improvements. 
It bumps python libs (#7550), it makes security views use superset's list widget (#7724), and it adds docstrings and type hints (#7952).", "cve": null, "id": "pyup.io-39479", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).", "cve": null, "id": "pyup.io-39478", "specs": [ "<0.35.0" ], "v": "<0.35.0" }, { "advisory": "Apache-superset 0.35.1 bumps the dompurify version because of a nasty xss bypass (#8498).", "cve": null, "id": "pyup.io-39477", "specs": [ "<0.35.1" ], "v": "<0.35.1" }, { "advisory": "Apache-superset 0.35.2 bumps packages with security vulnerabilities (#8573), and bumps pyarrow to 0.15.1 due to CVE-2019-12408 (#8583).", "cve": "CVE-2019-12408", "id": "pyup.io-39476", "specs": [ "<0.35.2" ], "v": "<0.35.2" }, { "advisory": "Apache-superset 0.36.0 filters out markdown containing XSS (#9163), adds support for row-level security (#8699), and lets admins be able to reset user passwords on AUTH_DB (#9232). It also ran 'npm audit fix' to fix 2 vulnerabilities (#9106).", "cve": null, "id": "pyup.io-39475", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Apache-superset 0.37.0 includes various security-related improvements. It fixes regression in #9689 (9705), it fixes can_access with None because it crashed on builtin roles (#10039), it renames schemas_accessible_by_user (#10030), renames access methods (#10031), it updates assert logic (#10034), and it fixes the dbs/clusters perm (#10130).", "cve": null, "id": "pyup.io-39474", "specs": [ "<0.37.0" ], "v": "<0.37.0" }, { "advisory": "Apache-superset 0.37.1 disallows uuid package on jinja1 (#10794). 
This is a security improvement.", "cve": null, "id": "pyup.io-39473", "specs": [ "<0.37.1" ], "v": "<0.37.1" }, { "advisory": "While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python\u2019s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE. See CVE-2020-13948.", "cve": "CVE-2020-13948", "id": "pyup.io-38793", "specs": [ "<0.37.1" ], "v": "<0.37.1" }, { "advisory": "Apache-superset 0.9.1 improved its security: Gamma role sees only its objects, and only owners and Admins can alter objects.", "cve": null, "id": "pyup.io-38193", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "apidev-coop": [ { "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, "id": "pyup.io-34979", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "appdaemon": [ { "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.", "cve": null, "id": "pyup.io-37096", "specs": [ "<3.0.4" ], "v": "<3.0.4" } ], "appdaemontestframework": [ { "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities", "cve": null, "id": "pyup.io-37908", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "appdaemontestframework 2.3.3 updates dependencies to fix a security vulnerability", "cve": null, "id": "pyup.io-37907", "specs": [ "<2.3.3" ], "v": "<2.3.3" } ], 
"apphelpers": [ { "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.", "cve": null, "id": "pyup.io-37151", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "appwrite": [ { "advisory": "Appwrite 0.4.0:\r\n* Includes a PHP-FPM security patch fix (https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest) - Upgraded PHP version to 7.3.12 [Major]\r\n* Removes executable permission from avatars files [Minor]\r\n* Updates SDK Generator Twig dependency with security issue: https://www.exploit-db.com/exploits/44102 [Minor]", "cve": null, "id": "pyup.io-37717", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "archi": [ { "advisory": "Archi 0.2.2 is bundled with libarchive 3.4.2. However, libarchive before version 3.4.3 is known to not be secure. See: .", "cve": null, "id": "pyup.io-37702", "specs": [ "<=0.2.2" ], "v": "<=0.2.2" } ], "archmage": [ { "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.", "cve": "CVE-2015-1589", "id": "pyup.io-25630", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "asciidoc": [ { "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.", "cve": null, "id": "pyup.io-39514", "specs": [ "<8.6.6" ], "v": "<8.6.6" } ], "asgi-csrf": [ { "advisory": "Cookie values in asgi-csrf 0.3 are now signed to prevent subdomain attacks. 
See also: .", "cve": null, "id": "pyup.io-38376", "specs": [ "<0.3" ], "v": "<0.3" } ], "aspen": [ { "advisory": "aspen 0.39 fixes two security bugs related to CRLF injection - https://github.com/gratipay/security-qf35us/issues/1", "cve": null, "id": "pyup.io-36873", "specs": [ "<0.39" ], "v": "<0.39" }, { "advisory": "aspen 0.42 protects against URL redirection attacks (#471)", "cve": null, "id": "pyup.io-36872", "specs": [ "<0.42" ], "v": "<0.42" } ], "astropy": [ { "advisory": "astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.", "cve": null, "id": "pyup.io-35810", "specs": [ "<3.0.1" ], "v": "<3.0.1" } ], "async-search-client": [ { "advisory": "Async-search-client 0.5.1 updates the 'pydantic' dependency from 1.8.1 to 1.8.2 to fix a security vulnerability.", "cve": null, "id": "pyup.io-40437", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "asyncssh": [ { "advisory": "Asyncssh 2.5.0 added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks.", "cve": null, "id": "pyup.io-39350", "specs": [ "<2.5.0" ], "v": "<2.5.0" } ], "att-iot-gateway": [ { "advisory": "Att-iot-gateway before 0.4.0 uses an insecure HTTP connection.", "cve": null, "id": "pyup.io-34257", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "auditree-framework": [ { "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by 'bandit'.", "cve": null, "id": "pyup.io-40445", "specs": [ "<1.19.0" ], "v": "<1.19.0" } ], "authbwc": [ { "advisory": "authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. 
The user would have had to be sharing the same http session for this access to have been gained.", "cve": null, "id": "pyup.io-25631", "specs": [ "<0.1.4" ], "v": "<0.1.4" }, { "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.", "cve": null, "id": "pyup.io-34836", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "auto-surprise": [ { "advisory": "Auto-surprise 0.1.7 includes bot security version updates.", "cve": null, "id": "pyup.io-40146", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "autobahn": [ { "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", "cve": null, "id": "pyup.io-25632", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "autobahn 0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.", "cve": null, "id": "pyup.io-25633", "specs": [ "<0.6.4" ], "v": "<0.6.4" }, { "advisory": "Autobahn|Python before 20.12.3 allows redirect header injection. See CVE-2020-35678.", "cve": "CVE-2020-35678", "id": "pyup.io-39363", "specs": [ "<20.12.3" ], "v": "<20.12.3" } ], "avocado-framework": [ { "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue, that had potential security implications.", "cve": null, "id": "pyup.io-34679", "specs": [ "<0.17.0" ], "v": "<0.17.0" } ], "awkward": [ { "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.", "cve": null, "id": "pyup.io-37154", "specs": [ "<0.10.1" ], "v": "<0.10.1" } ], "aws-parallelcluster": [ { "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. 
Credentials can now be set up following the canonical procedure used for the aws cli.", "cve": null, "id": "pyup.io-37211", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "awscli": [ { "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.", "cve": null, "id": "pyup.io-34627", "specs": [ "<1.11.83" ], "v": "<1.11.83" } ], "backend.ai": [ { "advisory": "Backend.ai 19.03.0b1 supports running multiple managers on the same host by randomizing internal IPC socket addresses. This also improves the security a little.", "cve": null, "id": "pyup.io-39087", "specs": [ "<19.03.0b1" ], "v": "<19.03.0b1" }, { "advisory": "Backend.ai 19.03.0rc1 supports authentication with etcd and Redis for better security.", "cve": null, "id": "pyup.io-39086", "specs": [ "<19.03.0rc1" ], "v": "<19.03.0rc1" }, { "advisory": "Backend.ai 19.09.0rc4 includes image import. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases. Additionally, it includes a privilege escalation fix because domain-admins could run sessions on behalf of super-admins in the same domain.", "cve": null, "id": "pyup.io-38675", "specs": [ "<19.09.0rc4" ], "v": "<19.09.0rc4" } ], "backend.ai-manager": [ { "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. 
Importing as service-port only image support will be added in future releases.", "cve": null, "id": "pyup.io-37531", "specs": [ "<19.09.0rc4" ], "v": "<19.09.0rc4" } ], "bakercm": [ { "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16", "cve": null, "id": "pyup.io-36651", "specs": [ "<0.4.4" ], "v": "<0.4.4" } ], "barman": [ { "advisory": "Barman 2.11 removes the strict superuser requirement for PG 10+. As of PostgreSQL 10 it is possible to execute \r\nbackups without superuser privileges, which is actually the recommended method for security reasons. Non-superuser backups need to grant some privileges to the user used by Barman to connect to PostgreSQL, as documented in the 21-preliminary_steps.en.md section.\r\n\r\nIt also ensures each postgres connection has an empty search_path. This is the only safe option when there is no information about how secure the search path is on the target database. This is done by appending \"options=-csearch_path=\" to any conninfo string.", "cve": null, "id": "pyup.io-38502", "specs": [ "<2.11" ], "v": "<2.11" } ], "baseplate": [ { "advisory": "Baseplate 0.19.0 includes support for fetching secrets in a secure, auditable, manner from Hashicorp Vault. A sidecar daemon manages the infrastructure-level authentication with Vault and fetches secrets to a file on disk. Helpers in Baseplate then allow your application to fetch these secrets efficiently from the sidecar daemon with some helpful conventions for versioning/key rotation. This is now the right way to get secret tokens into your application going forward. See: .", "cve": null, "id": "pyup.io-38349", "specs": [ "<0.19.0" ], "v": "<0.19.0" }, { "advisory": "Authentication tokens in baseplate 0.22.0 provided by the authentication service can now be automatically propagated between services when making Thrift calls. 
This allows internal services to securely and accurately understand on whose behalf a given request is being made so they can decide if the requester is authorized for a particular action. The context is passed implicitly, in request headers, so no extra parameters need be added to service IDLs. Baseplate provides APIs for validating and accessing the tokens from within request context and will automatically pass upstream credentials to downstream services without extra work.", "cve": null, "id": "pyup.io-38348", "specs": [ "<0.22.0" ], "v": "<0.22.0" }, { "advisory": "Baseplate 0.24.0 includes a EdgeRequestContext/AuthenticationToken unification. This isn't a new addition, but a **breaking** rework of authentication context in Baseplate. Authentication token propagation and access is now fully integrated into the edge request context. Authentication tokens are propagated inside the edge context header and the API for applications built on Baseplate is unified. See below for details on how to use this.", "cve": null, "id": "pyup.io-38347", "specs": [ "<0.24.0" ], "v": "<0.24.0" }, { "advisory": "Services often need to securely store username/password pairs. Baseplate 0.30.0 has a convention for doing so called a credential secret. In addition, the sqlalchemy integration now uses this new credential type and you can expect other integrations to do so in the future. See also: .", "cve": null, "id": "pyup.io-38346", "specs": [ "<0.30.0" ], "v": "<0.30.0" } ], "basketball-reference-web-scraper": [ { "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.", "cve": null, "id": "pyup.io-37123", "specs": [ "<4.2.2" ], "v": "<4.2.2" }, { "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability. 
This also fulfills the requirement to update the `requests` version.", "cve": null, "id": "pyup.io-37195", "specs": [ "<4.2.3" ], "v": "<4.2.3" } ], "bbcode": [ { "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS", "cve": null, "id": "pyup.io-25634", "specs": [ "<1.0.9" ], "v": "<1.0.9" } ], "beaker": [ { "advisory": "beaker 0.9.4 fixes security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used.", "cve": null, "id": "pyup.io-25635", "specs": [ "<0.9.4" ], "v": "<0.9.4" }, { "advisory": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.", "cve": "CVE-2012-3458", "id": "pyup.io-25636", "specs": [ "<1.6.4" ], "v": "<1.6.4" }, { "advisory": "The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.", "cve": "CVE-2013-7489", "id": "pyup.io-38464", "specs": [ "<=1.11.0" ], "v": "<=1.11.0" } ], "benchexec": [ { "advisory": "Benchexec 2.2 fixes two security issues:\r\n- Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\n- The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. 
Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report (https://github.com/sosy-lab/benchexec/issues/new).", "cve": null, "id": "pyup.io-37510", "specs": [ "<2.2" ], "v": "<2.2" } ], "bepasty": [ { "advisory": "bepasty 0.3.0 contains two security fixes: \r\n- When showing potentially dangerous text/* types, force the\r\n content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata", "cve": null, "id": "pyup.io-25637", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Bepasty 0.6.0 invalidates old client-side cookies if PERMISSIONS in config are changed. This is a security fix.", "cve": null, "id": "pyup.io-39120", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "berglas": [ { "advisory": "Berglas 0.2.0 no longer trusts the environment variables.", "cve": null, "id": "pyup.io-37340", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "bigchaindb": [ { "advisory": "Bigchaindb 2.2.2 updates several dependencies, including Flask, which had a vulnerability.", "cve": null, "id": "pyup.io-38832", "specs": [ "<2.2.2" ], "v": "<2.2.2" } ], "bigchaindb-driver": [ { "advisory": "Bigchaindb-driver before 0.5.2 used an insecure version of `cryptoconditions`. 
See: CVE-2018-10903.", "cve": "CVE-2018-10903", "id": "pyup.io-36427", "specs": [ "<0.5.2" ], "v": "<0.5.2" } ], "bigdl": [ { "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11", "cve": null, "id": "pyup.io-37576", "specs": [ "<0.8.0" ], "v": "<0.8.0" } ], "bincrafters-envy": [ { "advisory": "bincrafters-envy 0.1.3 updates the request module", "cve": null, "id": "pyup.io-36732", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "birdhousebuilder-recipe-nginx": [ { "advisory": "birdhousebuilder-recipe-nginx 0.1.5 disables the use of SSLv3 (poodle attack).", "cve": null, "id": "pyup.io-36135", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "birdhousebuilder.recipe.nginx": [ { "advisory": "birdhousebuilder.recipe.nginx 0.1.5 disabled SSLv3 due to the poodle attack.", "cve": null, "id": "pyup.io-25638", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "bise.theme": [ { "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.", "cve": null, "id": "pyup.io-25639", "specs": [ "<2.4" ], "v": "<2.4" } ], "bitbot": [ { "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.", "cve": null, "id": "pyup.io-37551", "specs": [ "<1.12.0" ], "v": "<1.12.0" } ], "bjoern": [ { "advisory": "bjoern before 1.4.2 uses an insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.", "cve": "CVE-2015-0219", "id": "pyup.io-25640", "specs": [ "<1.4.2" ], "v": "<1.4.2" } ], "blackduck": [ { "advisory": "Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases. See CVE-2020-27589.", "cve": "CVE-2020-27589", "id": "pyup.io-39070", "specs": [ ">=0.0.25,<=0.0.52" ], "v": ">=0.0.25,<=0.0.52" } ], "blask": [ { "advisory": "Blask 0.2.2 fixes some vulnerabilities. 
See: .", "cve": null, "id": "pyup.io-39028", "specs": [ "<0.2.2" ], "v": "<0.2.2" } ], "blazar": [ { "advisory": "An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected. See: CVE-2020-26943.", "cve": "CVE-2020-26943", "id": "pyup.io-38884", "specs": [ "<1.3.1" ], "v": "<1.3.1" } ], "bleach": [ { "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.", "cve": null, "id": "pyup.io-34965", "specs": [ "<2.1" ], "v": "<2.1" }, { "advisory": "Calls to `bleach.clean` allowing `noscript` and one or more of the raw text tags (`title`, `textarea`, `script`, `style`, `noembed`, `noframes`, `iframe`, and `xmp`) in bleach before version 3.1.1 were vulnerable to a mutation XSS.\r\n\r\nAlso, the `bleach.clean` behavior parsing `noscript` tags in bleach before version 3.1.1 did not match browser behavior.\r\n\r\nThis security issue was confirmed in Bleach versions v2.1.4, v3.0.2, and v3.1.0. Earlier versions are probably affected too.", "cve": null, "id": "pyup.io-38546", "specs": [ "<3.1.1" ], "v": "<3.1.1" }, { "advisory": "The ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior in Bleach versions v2.1.4, v3.0.2, and v3.1.0 (and probably earlier versions too). 
\r\n\r\nCalls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.\r\n\r\nSee: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315", "cve": null, "id": "pyup.io-37910", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" }, { "advisory": "The ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags in Bleach versions <= 3.1.1 did not match browser behavior and could result in a mutation XSS.\r\n\r\nCalls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\r\n\r\nThis security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.", "cve": null, "id": "pyup.io-38076", "specs": [ "<=3.1.1" ], "v": "<=3.1.1" }, { "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.", "cve": null, "id": "pyup.io-38107", "specs": [ "<=3.1.3" ], "v": "<=3.1.3" }, { "advisory": "bleach 2.1.3 fixes a security issue. Attributes that have URI values weren't properly sanitized if the values contained character entities. 
Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.", "cve": "CVE-2018-7753", "id": "pyup.io-35792", "specs": [ ">=2.1,<2.1.3" ], "v": ">=2.1,<2.1.3" } ], "bleach-extras": [ { "advisory": "Bleach-extras 0.0.4 requires bleach version 3.2.1 to deal with security issues.", "cve": null, "id": "pyup.io-38875", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "blinkpy": [ { "advisory": "blinkpy 0.10.2 sets minimum required version of the requests library to 2.20.0 due to vulnerability in earlier releases.", "cve": null, "id": "pyup.io-36596", "specs": [ "<0.10.2" ], "v": "<0.10.2" } ], "block-io": [ { "advisory": "block-io 1.1.7 includes a fix for CVE-2013-7459 - https://security-tracker.debian.org/tracker/CVE-2013-7459", "cve": "CVE-2013-7459", "id": "pyup.io-36442", "specs": [ "<1.1.7" ], "v": "<1.1.7" }, { "advisory": "Block-io 1.1.9 includes a fix for Requests vulnerability. See CVE-2018-18074.", "cve": "CVE-2018-18074", "id": "pyup.io-36712", "specs": [ "<1.1.9" ], "v": "<1.1.9" } ], "bodhi": [ { "advisory": "Bodhi 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is\r\nwarped to make it more difficult to solve through automation.\r\n\r\n- https://github.com/fedora-infra/bodhi/pull/857\r\n- https://github.com/fedora-infra/bodhi/commit/f0122855", "cve": "CVE-2016-1000008", "id": "pyup.io-34274", "specs": [ "<2.2.0" ], "v": "<2.2.0" }, { "advisory": "In bodhi before 2.9.1 it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects.", "cve": null, "id": "pyup.io-35208", "specs": [ "<2.9.1" ], "v": "<2.9.1" } ], "bodhi-server": [ { "advisory": "Bodhi-server 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. 
Additionally, the captcha is warped to make it more difficult to solve through automation.\r\n\r\nSee: https://github.com/fedora-infra/bodhi/pull/857\r\nAnd: https://github.com/fedora-infra/bodhi/commit/f0122855", "cve": "CVE-2016-1000008", "id": "pyup.io-34241", "specs": [ "<2.2.0" ], "v": "<2.2.0" } ], "bok-choy": [ { "advisory": "bok-choy 0.5.1 contains a fix for an XSS vulnerability in the auditing feature.", "cve": null, "id": "pyup.io-25641", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "bokeh": [ { "advisory": "Bokeh before 1.0.4 used a Pyyaml version that was vulnerable to CVE-2017-18342.", "cve": "CVE-2017-18342", "id": "pyup.io-36780", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.", "cve": null, "id": "pyup.io-37031", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Bokeh 1.2.0 fixes security vulnerabilities reported by npm audit.", "cve": null, "id": "pyup.io-37170", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "boss-cli": [ { "advisory": "Boss-cli 1.0.0-alpha.20 fixes a CVE-2018-18074 vulnerability due to an issue with the `Requests` package.", "cve": "CVE-2018-18074", "id": "pyup.io-38521", "specs": [ "<1.0.0a20" ], "v": "<1.0.0a20" }, { "advisory": "boss-cli 1.0.0alpha.18 fixes CVE-2018-7750 security vulnerability - https://github.com/kabirbaidhya/boss/pull/126", "cve": "CVE-2018-7750", "id": "pyup.io-36543", "specs": [ "<1.0.0alpha.18" ], "v": "<1.0.0alpha.18" }, { "advisory": "Boss-cli 1.0.0alpha.20 fixes CVE-2018-18074 vulnerability due to `requests`.", "cve": "CVE-2018-18074", "id": "pyup.io-36595", "specs": [ "<1.0.0alpha.20" ], "v": "<1.0.0alpha.20" }, { "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).", "cve": "CVE-2017-18342", "id": "pyup.io-37129", "specs": [ "<1.0.0beta.6" ], "v": "<1.0.0beta.6" } ], "bottle": [ { "advisory": "redirect() in 
bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.", "cve": "CVE-2016-9964", "id": "pyup.io-25642", "specs": [ "<0.12.10" ], "v": "<0.12.10" }, { "advisory": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. See CVE-2020-28473.", "cve": "CVE-2020-28473", "id": "pyup.io-39461", "specs": [ "<0.12.19" ], "v": "<0.12.19" }, { "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.", "cve": "CVE-2014-3137", "id": "pyup.io-35548", "specs": [ ">=0.10,<0.10.12", ">=0.11,<0.11.7", ">=0.12,<0.12.6" ], "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6" } ], "boussole": [ { "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. 
Boussole now uses the full loader mode so it does not trigger a warning anymore.", "cve": null, "id": "pyup.io-37147", "specs": [ "<1.5.0" ], "v": "<1.5.0" } ], "brasil.gov.portal": [ { "advisory": "brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.", "cve": null, "id": "pyup.io-35086", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "bsblan": [ { "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.", "cve": null, "id": "pyup.io-37697", "specs": [ "<0.27" ], "v": "<0.27" } ], "buildbot": [ { "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.", "cve": null, "id": "pyup.io-36320", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: .", "cve": null, "id": "pyup.io-37161", "specs": [ "<1.8.2" ], "v": "<1.8.2" }, { "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)", "cve": null, "id": "pyup.io-36865", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: .", "cve": null, "id": "pyup.io-37160", "specs": [ "<2.3.1" ], "v": "<2.3.1" } ], "byarse": [ { "advisory": "Byarse 1.1.0 introduces 'Safe mode', which can be enabled to prevent unpickling Pickle type during deserialization. 
This prevents a big security vulnerability.", "cve": null, "id": "pyup.io-38754", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "bzip": [ { "advisory": "bzip is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, "id": "pyup.io-34980", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "cabot": [ { "advisory": "In September 2020 it was reported that all versions of the cabot package are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. The latest release of cabot at that date was version 0.11.7.", "cve": "CVE-2020-7734", "id": "pyup.io-38806", "specs": [ "<=0.11.7" ], "v": "<=0.11.7" } ], "cacophonyapi": [ { "advisory": "Cacophonyapi 4.13.0 addresses a security vulnerability. No details were given.", "cve": null, "id": "pyup.io-39127", "specs": [ "<4.13.0" ], "v": "<4.13.0" }, { "advisory": "Cacophonyapi 4.6.0 addresses a security vulnerability in eslint-utils.", "cve": null, "id": "pyup.io-39128", "specs": [ "<4.6.0" ], "v": "<4.6.0" } ], "cairosvg": [ { "advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.", "cve": null, "id": "pyup.io-25643", "specs": [ "<1.0.21" ], "v": "<1.0.21" }, { "advisory": "When processing SVG files, cairosvg before 2.5.1 was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.", "cve": null, "id": "pyup.io-39404", "specs": [ "<2.5.1" ], "v": "<2.5.1" }, { "advisory": "CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. 
In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. See CVE-2021-21236.", "cve": "CVE-2021-21236", "id": "pyup.io-39419", "specs": [ "<2.5.1" ], "v": "<2.5.1" } ], "calcipy": [ { "advisory": "Calcipy 2021.0.2.0 adds a security check task.", "cve": null, "id": "pyup.io-40621", "specs": [ "<2021.0.2.0" ], "v": "<2021.0.2.0" } ], "calcwave": [ { "advisory": "Calcwave 1.2.6 updates limits for modules and functions available to 'eval()' in the interpreter. This greatly improves the security and reduces the risk of accidentally calling the 'Python' function that damages your computer.", "cve": null, "id": "pyup.io-40507", "specs": [ "<1.2.6" ], "v": "<1.2.6" } ], "callisto-core": [ { "advisory": "Callisto-core 0.27.9 includes some unspecified security updates.", "cve": null, "id": "pyup.io-37355", "specs": [ "<0.27.9" ], "v": "<0.27.9" } ], "candig-server": [ { "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.", "cve": null, "id": "pyup.io-37219", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.", "cve": null, "id": "pyup.io-37218", "specs": [ "<0.9.2" ], "v": "<0.9.2" }, { "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.", "cve": null, "id": "pyup.io-37467", "specs": [ "<1.0.2" ], "v": "<1.0.2" }, { "advisory": "Candig-server 1.4.0 includes some upgraded third-party libraries, improving security.", "cve": null, "id": "pyup.io-39169", "specs": [ 
"<1.4.0" ], "v": "<1.4.0" } ], "cartridge-braintree": [ { "advisory": "Cartridge-braintree 1.2.2 sets minimum Django version to 1.11.29 and maximum version to 1.12 to fix security vulnerabilities.", "cve": null, "id": "pyup.io-40229", "specs": [ "<1.2.2" ], "v": "<1.2.2" } ], "cbapi": [ { "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.", "cve": null, "id": "pyup.io-34933", "specs": [ ">=1.3.3,<1.3.4" ], "v": ">=1.3.3,<1.3.4" } ], "ccf": [ { "advisory": "Ccf 0.7 fixes a vulnerability to a possible replay attack.", "cve": null, "id": "pyup.io-38641", "specs": [ "<0.7" ], "v": "<0.7" } ], "celery": [ { "advisory": "Insecure default configuration The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. The insecure default has been fixed in 4.0.1, and you can also configure the 4.0.0 version to explicitly only allow json serialized messages.", "cve": null, "id": "pyup.io-25646", "specs": [ ">=4.0,<4.0.1" ], "v": ">=4.0,<4.0.1" } ], "cellxgene": [ { "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.", "cve": null, "id": "pyup.io-37801", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.16.0 removed the `client` package that introduced security vulnerabilities.", "cve": null, "id": "pyup.io-38696", "specs": [ "<0.16.0" ], "v": "<0.16.0" } ], "centrifuge": [ { "advisory": "centrifuge 0.3.8 includes a security fix! 
Please, upgrade to this version or disable access to `/dumps` location.", "cve": null, "id": "pyup.io-25647", "specs": [ "<0.3.8" ], "v": "<0.3.8" } ], "certbot": [ { "advisory": "Certbot before 0.34.0 does not print warnings when run as root with insecure file system permissions.", "cve": null, "id": "pyup.io-38484", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Certbot through 0.34.0 does not configure the web server so that all requests redirect to secure HTTPS access.", "cve": null, "id": "pyup.io-37112", "specs": [ "<=0.34.0" ], "v": "<=0.34.0" } ], "cerulean": [ { "advisory": "cerulean 0.3.4 - Directory permissions when using mkdir(). This is a security issue, and you\r\n should upgrade as soon as possible.", "cve": null, "id": "pyup.io-36796", "specs": [ "<0.3.4" ], "v": "<0.3.4" } ], "cffconvert": [ { "advisory": "cffconvert 1.0.3 updates requests from 2.18.4 to 2.20.0 (security bugfix)", "cve": null, "id": "pyup.io-36623", "specs": [ "<1.0.3" ], "v": "<1.0.3" } ], "cfscrape": [ { "advisory": "An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.", "cve": "CVE-2017-7235", "id": "pyup.io-35741", "specs": [ ">=1.6.6,<1.7.1" ], "v": ">=1.6.6,<1.7.1" }, { "advisory": "Please upgrade to 1.8.0 immediately.\r\n\r\nVersions 1.6.6 to 1.7.1 are vulnerable to code execution. If you are running a vulnerable version, a malicious website owner could craft a page which executes arbitrary Python code on the machine that runs this script. 
This can only occur if the website that the user attempts to scrape has specifically prepared a page to exploit vulnerable versions of cfscrape. Note: per the description, versions 1.6.6 through 1.7.1 are affected and 1.8.0 is the fixed release; the version range recorded for this entry (<=1.8) also matches the fixed release, while the sibling CVE-2017-7235 entry's range (<1.7.1) stops short of the affected 1.7.1. Treat 1.7.1 as vulnerable and 1.8.0 as fixed.", "cve": null, "id": "pyup.io-34275", "specs": [ ">=1.6.6,<=1.8" ], "v": ">=1.6.6,<=1.8" } ], "cfstacks": [ { "advisory": "Cfstacks 0.4.4 upgrades PyYAML to 4.2b1 (or later) to fix a security vulnerability.", "cve": null, "id": "pyup.io-38388", "specs": [ "<0.4.4" ], "v": "<0.4.4" } ], "cg": [ { "advisory": "Cg 18.11.3 upgrades the insecure cryptography dependency.", "cve": null, "id": "pyup.io-39614", "specs": [ "<18.11.3" ], "v": "<18.11.3" } ], "chanjo-report": [ { "advisory": "chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).", "cve": null, "id": "pyup.io-25648", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "channels": [ { "advisory": "Channels 3.0.3 includes a fix for CVE-2020-35681.", "cve": "CVE-2020-35681", "id": "pyup.io-39368", "specs": [ ">=3.0.0,<3.0.3" ], "v": ">=3.0.0,<3.0.3" } ], "chaosloader": [ { "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.", "cve": null, "id": "pyup.io-37048", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "charm-tools": [ { "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).", "cve": null, "id": "pyup.io-37201", "specs": [ "<2.6.0" ], "v": "<2.6.0" } ], "charmhelpers": [ { "advisory": "Charmhelpers 0.19.13 updates Keystone expectations to meet security guide (299).", "cve": null, "id": "pyup.io-37032", "specs": [ "<0.19.13" ], "v": "<0.19.13" } ], "chartify": [ { "advisory": "Chartify 2.7.0 bumps the base Pillow dependency to avoid a version that's not secure.", "cve": null, "id": "pyup.io-38345", "specs": [ "<2.7.0" ], "v": "<2.7.0" } ], "chatbot-ner": [ { "advisory": "For security reasons, chatbot-ner 0.5.8 updates requirements and upgrades Django.", "cve": null, "id": "pyup.io-38516", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { "advisory": "For security reasons, 
chatbot-ner 0.6.0 updates requirements and upgrades Django.", "cve": null, "id": "pyup.io-38515", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "cheetah": [ { "advisory": "cheetah 0.9.17rc1 removes the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.", "cve": null, "id": "pyup.io-25649", "specs": [ "<0.9.17rc1" ], "v": "<0.9.17rc1" } ], "cheetah3": [ { "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp`` (``mktemp`` only returns a name, leaving a race window in which another process can create the file first).", "cve": null, "id": "pyup.io-37134", "specs": [ "<3.2.2" ], "v": "<3.2.2" } ], "cheroot": [ { "advisory": "Cheroot 6.3.2 introduces an HTTP 400 response to a malicious 'Content-Length' in the request headers.", "cve": null, "id": "pyup.io-39125", "specs": [ "<6.3.2" ], "v": "<6.3.2" } ], "cherrymusic": [ { "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"", "cve": "CVE-2015-8309", "id": "pyup.io-25650", "specs": [ "<0.36.0" ], "v": "<0.36.0" } ], "chia-blockchain": [ { "advisory": "The new consensus algorithm in chia-blockchain 1.0beta19 is described by the project as providing a much higher security level against attacks.", "cve": null, "id": "pyup.io-39444", "specs": [ "<1.0b19" ], "v": "<1.0b19" }, { "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.", "cve": null, "id": "pyup.io-38700", "specs": [ "<1.0beta10" ], "v": "<1.0beta10" }, { "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.", "cve": null, "id": "pyup.io-38844", "specs": [ "<1.0beta14" ], "v": "<1.0beta14" }, { "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. 
This increases security.", "cve": null, "id": "pyup.io-38582", "specs": [ "<1.0beta8" ], "v": "<1.0beta8" }, { "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for node dependency security vulnerabilities.", "cve": null, "id": "pyup.io-38629", "specs": [ "<1.0beta9" ], "v": "<1.0beta9" }, { "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity security issue (CVE-2021-21330).", "cve": "CVE-2021-21330", "id": "pyup.io-39672", "specs": [ "<1.0rc5" ], "v": "<1.0rc5" }, { "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. It also changes the 'chia keys add' command to take the secret words from an interactive prompt or stdin instead of command-line arguments (arguments are typically visible to other local users via the process list and shell history).", "cve": null, "id": "pyup.io-39703", "specs": [ "<1.0rc6" ], "v": "<1.0rc6" } ], "chiavdf": [ { "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.", "cve": null, "id": "pyup.io-39691", "specs": [ "<1.0" ], "v": "<1.0" } ], "cinder": [ { "advisory": "An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. 
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project. See: CVE-2020-10755.", "cve": "CVE-2020-10755", "id": "pyup.io-38408", "specs": [ "<14.1.0", ">=15.0.0.0rc1,<15.2.0", ">=16.0.0.0b1,<16.1.0" ], "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0" }, { "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability. Note: as described, this is a flaw in the sudo configuration shipped by the Ubuntu distribution packages, not in the upstream cinder source release; the version range recorded here is only an approximation of the affected Ubuntu package releases.", "cve": "CVE-2013-1068", "id": "pyup.io-25651", "specs": [ "<2013.2.3" ], "v": "<2013.2.3" } ], "cipher.googlepam": [ { "advisory": "cipher.googlepam before 1.5.1 used the same cache key for all users. 
As a result, once one user had logged in successfully, others could not log in using their own passwords -- but the first user could use her password to log in as anyone else (an authentication bypass). Fixed in 1.5.1.", "cve": null, "id": "pyup.io-25652", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "circup": [ { "advisory": "Circup 0.0.6 includes an unspecified security fix.", "cve": null, "id": "pyup.io-37936", "specs": [ "<0.0.6" ], "v": "<0.0.6" } ], "ck": [ { "advisory": "Ck 1.7.1 fixes a command injection in the server: an action containing ';' could be used to run additional OS commands.", "cve": null, "id": "pyup.io-40221", "specs": [ "<1.7.1" ], "v": "<1.7.1" } ], "ckan": [ { "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", "cve": null, "id": "pyup.io-34556", "specs": [ "<1.5.1" ], "v": "<1.5.1" }, { "advisory": "ckan 1.8.1 fixes possible XSS vulnerability on html input.", "cve": null, "id": "pyup.io-34558", "specs": [ "<1.8.1" ], "v": "<1.8.1" }, { "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. 
", "cve": null, "id": "pyup.io-39613", "specs": [ "<2.6.9" ], "v": "<2.6.9" } ], "clam": [ { "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.", "cve": null, "id": "pyup.io-25653", "specs": [ "<0.9.10" ], "v": "<0.9.10" }, { "advisory": "clam 0.9.11 contains unknown security fixes in dispatcher.", "cve": null, "id": "pyup.io-25654", "specs": [ "<0.9.11" ], "v": "<0.9.11" } ], "clearsilver": [ { "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function. Note: the description says 0.10.5 itself is affected, but the version range recorded here (<0.10.5) excludes it; treat 0.10.5 as vulnerable.", "cve": "CVE-2011-4357", "id": "pyup.io-25655", "specs": [ "<0.10.5" ], "v": "<0.10.5" } ], "client-sdk-python": [ { "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", "cve": null, "id": "pyup.io-37584", "specs": [ "<4.7.0" ], "v": "<4.7.0" } ], "clipster-desktop": [ { "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. \r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. Instead password hash is used.", "cve": null, "id": "pyup.io-39388", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "cliquery": [ { "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.", "cve": null, "id": "pyup.io-40090", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2. 
This is a security patch.", "cve": null, "id": "pyup.io-39423", "specs": [ "<1.9.3" ], "v": "<1.9.3" } ], "cloudinary": [ { "advisory": "cloudinary before 1.0.21 is vulnerable to an XSS attack on cloudinary_cors.html.", "cve": null, "id": "pyup.io-34603", "specs": [ "<1.0.21" ], "v": "<1.0.21" } ], "cloudmarker": [ { "advisory": "Cloudmarker 0.0.5 adds the `FirewallRuleEvent` plugin to detect insecure firewall rules.", "cve": null, "id": "pyup.io-37138", "specs": [ "<0.0.5" ], "v": "<0.0.5" } ], "cmdlr": [ { "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`", "cve": null, "id": "pyup.io-36854", "specs": [ "<4.1.0" ], "v": "<4.1.0" } ], "cmsplugin-filer": [ { "advisory": "cmsplugin-filer 1.0.0 contains an unknown XSS fix.", "cve": null, "id": "pyup.io-25656", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "cnx-publishing": [ { "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.", "cve": null, "id": "pyup.io-38128", "specs": [ "<0.17.6" ], "v": "<0.17.6" } ], "cobbler": [ { "advisory": "Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE. No information was provided about fixes or affected versions. See: CVE-2011-4954.", "cve": "CVE-2011-4954", "id": "pyup.io-37739", "specs": [ ">0" ], "v": ">0" } ], "cockroachdb": [ { "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.", "cve": null, "id": "pyup.io-37264", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "codalab": [ { "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", "cve": null, "id": "pyup.io-36386", "specs": [ "<0.2.33" ], "v": "<0.2.33" }, { "advisory": "Codalab 0.5.12 fixes a vulnerability. 
No description of the vulnerability was included.", "cve": null, "id": "pyup.io-38927", "specs": [ "<0.5.12" ], "v": "<0.5.12" }, { "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", "cve": null, "id": "pyup.io-39434", "specs": [ "<0.5.33" ], "v": "<0.5.33" } ], "codecov": [ { "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.", "cve": null, "id": "pyup.io-37934", "specs": [ "<2.0.16" ], "v": "<2.0.16" }, { "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.", "cve": null, "id": "pyup.io-38075", "specs": [ "<2.0.17" ], "v": "<2.0.17" } ], "codeforcesapipy": [ { "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.", "cve": null, "id": "pyup.io-40099", "specs": [ "<2.0.8" ], "v": "<2.0.8" } ], "coinbasepro": [ { "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.", "cve": null, "id": "pyup.io-36975", "specs": [ "<0.1.0" ], "v": "<0.1.0" } ], "coincurve": [ { "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. 
\r\nBinary wheels on macOS for Python 3.5 now use Homebrew Python for compilation due to new security requirements.", "cve": null, "id": "pyup.io-36299", "specs": [ "<8.0.0" ], "v": "<8.0.0" } ], "coinstac": [ { "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.", "cve": null, "id": "pyup.io-40091", "specs": [ "<5.2.1" ], "v": "<5.2.1" } ], "colander": [ { "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to catastrophic backtracking (a regular expression denial of service, ReDoS) that could hang validation on a crafted input.", "cve": null, "id": "pyup.io-36856", "specs": [ "<1.7.0" ], "v": "<1.7.0" } ], "collective-contact-core": [ { "advisory": "collective-contact-core before 1.10 has a security issue related to AddContact; fixed in 1.10 (see the collective.contact.core entry).", "cve": null, "id": "pyup.io-36089", "specs": [ "<1.10" ], "v": "<1.10" } ], "collective-noticeboard": [ { "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.", "cve": null, "id": "pyup.io-35879", "specs": [ "<0.7.1" ], "v": "<0.7.1" } ], "collective.contact.core": [ { "advisory": "collective.contact.core 1.10 fixes a security issue related to AddContact.", "cve": null, "id": "pyup.io-25657", "specs": [ "<1.10" ], "v": "<1.10" } ], "collective.documentviewer": [ { "advisory": "collective.documentviewer 1.5.1 fixes a security issue on file resources.", "cve": null, "id": "pyup.io-25658", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "collective.easyform": [ { "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves XML entities, and it removes processing instructions (hardening against entity-expansion / external-entity style attacks on the model XML). 
This increases the security.", "cve": null, "id": "pyup.io-39144", "specs": [ "<3.0.5" ], "v": "<3.0.5" } ], "collective.js.datatables": [ { "advisory": "collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.", "cve": null, "id": "pyup.io-25659", "specs": [ "<4.1.1" ], "v": "<4.1.1" } ], "collective.noticeboard": [ { "advisory": "collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.", "cve": null, "id": "pyup.io-25660", "specs": [ "<0.7.1" ], "v": "<0.7.1" } ], "collective.portlet.twitter": [ { "advisory": "collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.", "cve": null, "id": "pyup.io-25661", "specs": [ "<1.0b3" ], "v": "<1.0b3" } ], "collective.tablepage": [ { "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.", "cve": null, "id": "pyup.io-25664", "specs": [ "<0.3" ], "v": "<0.3" } ], "collective.xmpp.chat": [ { "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.", "cve": null, "id": "pyup.io-25666", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "collins-client": [ { "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. 
If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.", "cve": null, "id": "pyup.io-25667", "specs": [ "<2.1.0" ], "v": "<2.1.0" } ], "colonyscanalyser": [ { "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.", "cve": null, "id": "pyup.io-37635", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "compliance-trestle": [ { "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.", "cve": null, "id": "pyup.io-40566", "specs": [ "<0.15.0" ], "v": "<0.15.0" } ], "concrete-datastore": [ { "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.", "cve": null, "id": "pyup.io-39449", "specs": [ "<1.22.0" ], "v": "<1.22.0" }, { "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.", "cve": null, "id": "pyup.io-39709", "specs": [ "<1.23.0" ], "v": "<1.23.0" } ], "conference-scheduler-cli": [ { "advisory": "In 
conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", "cve": "CVE-2018-14572", "id": "pyup.io-36425", "specs": [ "<=0.10.1" ], "v": "<=0.10.1" } ], "confidant": [ { "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.", "cve": null, "id": "pyup.io-26670", "specs": [ "<1.1.13" ], "v": "<1.1.13" }, { "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. 
If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.", "cve": null, "id": "pyup.io-25668", "specs": [ "<1.1.14" ], "v": "<1.1.14" }, { "advisory": "Confidant v1.10.0 upgrades gevent and greenlet to address CVE-2016-5180 and gevent/gevent#477.", "cve": "CVE-2016-5180", "id": "pyup.io-38504", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.", "cve": "CVE-2016-1000252", "id": "pyup.io-38505", "specs": [ "<1.6.0" ], "v": "<1.6.0" }, { "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.", "cve": null, "id": "pyup.io-37471", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.", "cve": null, "id": "pyup.io-38560", "specs": [ "<6.3.0" ], "v": "<6.3.0" } ], "confidence": [ { "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. 
\r\nconfidence >=0.4 now uses ``yaml.safe_load`` (a full ``yaml.load`` can instantiate arbitrary Python objects from attacker-controlled YAML).", "cve": null, "id": "pyup.io-36308", "specs": [ "<0.4" ], "v": "<0.4" } ], "confire": [ { "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker who can write to the loaded YAML can insert Python to trigger this vulnerability.", "cve": "CVE-2017-16763", "id": "pyup.io-35721", "specs": [ "<=0.2.0" ], "v": "<=0.2.0" } ], "confluent-kafka": [ { "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", "cve": null, "id": "pyup.io-37508", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Confluent-kafka 1.3.0 upgrades builtin lz4 to 1.9.2. See https://github.com/edenhill/librdkafka/issues/2598 and CVE-2019-17543.", "cve": "CVE-2019-17543", "id": "pyup.io-38072", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Confluent-kafka 1.4.0 fixes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. 
This was protected, but too late, by an assertion.", "cve": null, "id": "pyup.io-38165", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "conn-check": [ { "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", "cve": null, "id": "pyup.io-25669", "specs": [ "<1.0.18" ], "v": "<1.0.18" } ], "container-service-extension": [ { "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching", "cve": null, "id": "pyup.io-36876", "specs": [ "<1.2.5" ], "v": "<1.2.5" }, { "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", "cve": null, "id": "pyup.io-37529", "specs": [ "<2.5.0b1" ], "v": "<2.5.0b1" } ], "contentful": [ { "advisory": "contentful 1.11.3 updates `requests` version due to a vulnerability found in versions `2.19` and below", "cve": null, "id": "pyup.io-36633", "specs": [ "<1.11.3" ], "v": "<1.11.3" }, { "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.", "cve": "CVE-2020-13258", "id": "pyup.io-38314", "specs": [ "<=1.12.3" ], "v": "<=1.12.3" } ], "contentful-management": [ { "advisory": "contentful-management 2.5.0 updates `requests` version due to a vulnerability found in versions `2.19` and below.", "cve": null, "id": "pyup.io-36599", "specs": [ "<2.5.0" ], "v": "<2.5.0" } ], "contestms": [ { "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. 
These won't be backported to 1.1, so make sure you update.", "cve": null, "id": "pyup.io-34249", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "cookie-manager": [ { "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.", "cve": null, "id": "pyup.io-38106", "specs": [ "<1.0.3" ], "v": "<1.0.3" }, { "advisory": "Cookie-manager 1.1.0 bumps Bleach to patch a vulnerability.", "cve": null, "id": "pyup.io-38153", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. See Bleach 3.3.0 for further details.", "cve": null, "id": "pyup.io-40165", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "cookiecutter": [ { "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6", "cve": null, "id": "pyup.io-34683", "specs": [ "<0.1.0" ], "v": "<0.1.0" }, { "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).", "cve": null, "id": "pyup.io-27445", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", "cve": null, "id": "pyup.io-37672", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "coordination-network-toolkit": [ { "advisory": "Coordination-network-toolkit 1.0.2 includes a security patch to the 'urllib3' among other dependency updates.", "cve": null, "id": "pyup.io-40624", "specs": [ "<1.0.2" ], "v": "<1.0.2" } ], "cortex": [ { "advisory": "cortex before 0.32.0", "cve": null, "id": "pyup.io-40128", "specs": [ "<0.32.0" ], "v": "<0.32.0" } ], "cosmos-wfm": [ { "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", "cve": null, "id": "pyup.io-34181", "specs": [ "<2.1.1" ], "v": "<2.1.1" } ], 
"coveralls": [ { "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.", "cve": null, "id": "pyup.io-25671", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "cplay-ng": [ { "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.", "cve": null, "id": "pyup.io-25672", "specs": [ "<1.50" ], "v": "<1.50" } ], "crate-docs-theme": [ { "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).", "cve": null, "id": "pyup.io-39529", "specs": [ "<0.13.0" ], "v": "<0.13.0" } ], "creavel": [ { "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25673", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.", "cve": null, "id": "pyup.io-25674", "specs": [ "<0.14.0" ], "v": "<0.14.0" } ], "credstash": [ { "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions", "cve": null, "id": "pyup.io-37852", "specs": [ "<1.16.0" ], "v": "<1.16.0" } ], "creopyson": [ { "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", "cve": null, "id": "pyup.io-37964", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "cromwell-tools": [ { "advisory": "cromwell-tools 1.0.0 updates requests to avoid security issues.", "cve": null, "id": "pyup.io-36659", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "crossbar": [ { "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", "cve": null, "id": "pyup.io-25675", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.", "cve": null, "id": "pyup.io-25676", "specs": [ "<0.6.4" ], "v": "<0.6.4" }, { "advisory": "Crossbar 20.12.3 fixes a dependency on 
Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", "cve": null, "id": "pyup.io-39329", "specs": [ "<20.12.3" ], "v": "<20.12.3" } ], "crypt": [ { "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, "id": "pyup.io-34981", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "cryptacular": [ { "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", "cve": null, "id": "pyup.io-25677", "specs": [ "<1.2" ], "v": "<1.2" } ], "crypto-candlesticks": [ { "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.", "cve": null, "id": "pyup.io-39697", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "cryptography": [ { "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", "cve": null, "id": "pyup.io-25678", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. 
Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", "cve": null, "id": "pyup.io-25679", "specs": [ "<1.0.2" ], "v": "<1.0.2" }, { "advisory": "HKDF in cryptography before 1.5.3 returns an empty byte-string if used with a length less than algorithm.digest_size, so keys derived with such a length were empty rather than real keying material.", "cve": "CVE-2016-9243", "id": "pyup.io-25680", "specs": [ "<1.5.3" ], "v": "<1.5.3" }, { "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.", "cve": null, "id": "pyup.io-39252", "specs": [ "<3.3" ], "v": "<3.3" }, { "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. See CVE-2020-36242.", "cve": "CVE-2020-36242", "id": "pyup.io-39606", "specs": [ "<3.3.2" ], "v": "<3.3.2" }, { "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability (an RSA PKCS#1 v1.5 decryption padding-oracle class of issue) that they were only partly able to mitigate. See: CVE-2020-25659.", "cve": "CVE-2020-25659", "id": "pyup.io-38932", "specs": [ "<=3.2" ], "v": "<=3.2" }, { "advisory": "python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. 
GCM tag forgeries can cause key leakage.", "cve": "CVE-2018-10903", "id": "pyup.io-36351", "specs": [ ">=1.9.0,<2.3" ], "v": ">=1.9.0,<2.3" } ], "cryptography-vectors": [ { "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", "cve": null, "id": "pyup.io-25681", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", "cve": null, "id": "pyup.io-25682", "specs": [ "<1.0.2" ], "v": "<1.0.2" }, { "advisory": "HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.", "cve": "CVE-2016-9243", "id": "pyup.io-25683", "specs": [ "<1.5.3" ], "v": "<1.5.3" } ], "cssutils": [ { "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)", "cve": null, "id": "pyup.io-25684", "specs": [ "<0.9.6a2" ], "v": "<0.9.6a2" } ], "cstar": [ { "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). 
", "cve": null, "id": "pyup.io-39224", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "cumin": [ { "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.", "cve": "CVE-2012-1575", "id": "pyup.io-35357", "specs": [ "=0.56.1, to avoid a security vulnerability.", "cve": null, "id": "pyup.io-40620", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "datasette-css-properties": [ { "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML, which could otherwise be an XSS security hole.", "cve": null, "id": "pyup.io-39422", "specs": [ "<0.2" ], "v": "<0.2" } ], "datasette-graphql": [ { "advisory": "Datasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content.", "cve": null, "id": "pyup.io-39174", "specs": [ "<1.2" ], "v": "<1.2" } ], "datasette-indieauth": [ { "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.", "cve": null, "id": "pyup.io-39164", "specs": [ "<1.1" ], "v": "<1.1" } ], "datasette-insert": [ { "advisory": "Datasette-insert 0.6 is locked down by default. 
This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", "cve": null, "id": "pyup.io-38644", "specs": [ "<0.6" ], "v": "<0.6" } ], "datasette-seaborn": [ { "advisory": "The maintainers of the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", "cve": null, "id": "pyup.io-38782", "specs": [ "==0.1a0" ], "v": "==0.1a0" } ], "dateable-chronos": [ { "advisory": "dateable-chronos 0.7.2 fixes an XSS vulnerability in the get_view_day method.", "cve": null, "id": "pyup.io-35988", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "dateable.chronos": [ { "advisory": "dateable.chronos 0.7.2 fixes an XSS vulnerability in the get_view_day method.", "cve": null, "id": "pyup.io-25685", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "datera-cinder": [ { "advisory": "Datera-cinder 2018.10.30.0 updates the required requests version to >=2.20.0 because of a security vulnerability in <=2.19.X.", "cve": null, "id": "pyup.io-37204", "specs": [ "<2018.10.30.0" ], "v": "<2018.10.30.0" } ], "dawgie": [ { "advisory": "Dawgie 1.2.3 includes a vulnerability fix.", "cve": null, "id": "pyup.io-40122", "specs": [ "<1.2.3" ], "v": "<1.2.3" }, { "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.", "cve": null, "id": "pyup.io-40121", "specs": [ "<1.2.9" ], "v": "<1.2.9" } ], "ddtrace": [ { "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent unobfuscated SQL query text from being collected and reported. 
This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", "cve": null, "id": "pyup.io-35790", "specs": [ "<0.11.0" ], "v": "<0.11.0" } ], "debianized-jupyterhub": [ { "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for an open redirect vulnerability)", "cve": null, "id": "pyup.io-37002", "specs": [ "<0.9.51" ], "v": "<0.9.51" } ], "debops": [ { "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, so the upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", "cve": null, "id": "pyup.io-36371", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in the :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys have been created for the Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. 
See: .", "cve": null, "id": "pyup.io-37159", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "The :command:`lxc-prepare-ssh` script in debops 1.1.0 will no longer install SSH keys from the LXC host ``root`` account on the LXC container ``root`` account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.", "cve": null, "id": "pyup.io-37404", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "In debops 1.2.0:\r\n- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry`` Ansible modules is deprecated due to their insecure nature.\r\n- The CVE-2019-11043 vulnerability has been mitigated in the :command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation is based on the `suggested workaround`__ from the PHP Bug Tracker.\r\n- A security patch for the CVE-2019-11043 vulnerability has been applied in the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is based on the `fix suggested by upstream`.", "cve": "CVE-2019-11043", "id": "pyup.io-37733", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", "cve": null, "id": "pyup.io-37732", "specs": [ "<1.7.0" ], "v": "<1.7.0" }, { "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. 
This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", "cve": null, "id": "pyup.io-26403", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "decaptcha": [ { "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", "cve": null, "id": "pyup.io-37892", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", "cve": null, "id": "pyup.io-37891", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "deeposlandia": [ { "advisory": "Deeposlandia 0.6 updates its dependencies, especially `Tensorflow`, due to vulnerability issues.", "cve": null, "id": "pyup.io-38133", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.", "cve": null, "id": "pyup.io-38285", "specs": [ "<0.6.2" ], "v": "<0.6.2" } ], "definitions": [ { "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. 
It can execute arbitrary python commands resulting in command execution.", "cve": "CVE-2018-20325", "id": "pyup.io-36752", "specs": [ "<=0.2.0" ], "v": "<=0.2.0" } ], "defusedexpat": [ { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "cve": "CVE-2013-1664", "id": "pyup.io-33054", "specs": [ "<0.3" ], "v": "<0.3" }, { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "cve": "CVE-2013-1665", "id": "pyup.io-33055", "specs": [ "<0.3" ], "v": "<0.3" } ], "defusedxml": [ { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "cve": "CVE-2013-1664", "id": "pyup.io-33056", "specs": [ "<0.4" ], "v": "<0.4" }, { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "cve": "CVE-2013-1665", "id": "pyup.io-33057", "specs": [ "<0.4" ], "v": "<0.4" } ], "deis": [ { "advisory": "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, 
uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.", "cve": "CVE-2014-3566", "id": "pyup.io-25691", "specs": [ "<1.3.1" ], "v": "<1.3.1" } ], "deltachat": [ { "advisory": "Deltachat 1.0.0b17 fixes SQL injection/breakage caused by a malformed Chat-Group-Name.", "cve": null, "id": "pyup.io-40086", "specs": [ "<1.0.0b17" ], "v": "<1.0.0b17" }, { "advisory": "deltachat 1.0.0beta.2 has several security fixes.", "cve": null, "id": "pyup.io-37922", "specs": [ "<1.0.0beta.2" ], "v": "<1.0.0beta.2" }, { "advisory": "Deltachat 1.51.0 improves and hardens the secure-join feature.", "cve": null, "id": "pyup.io-40084", "specs": [ "<1.51.0" ], "v": "<1.51.0" } ], "deluge": [ { "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", "cve": null, "id": "pyup.io-37155", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "descarteslabs": [ { "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.", "cve": null, "id": "pyup.io-40827", "specs": [ "<1.8.1" ], "v": "<1.8.1" } ], "destringcare": [ { "advisory": "destringcare 0.0.4 removes the `pycrypto` dependency due to a security issue.", "cve": null, "id": "pyup.io-37228", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "determined": [ { "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.", "cve": null, "id": "pyup.io-38656", "specs": [ "<0.12.12rc0" ], "v": "<0.12.12rc0" }, { "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates links to support secure blank targets (d1146d3).", "cve": null, "id": "pyup.io-38415", "specs": [ "<0.12.7" ], "v": "<0.12.7" }, { "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.", "cve": null, "id": "pyup.io-39625", "specs": [ "<0.14.0" ], "v": "<0.14.0" }, { "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' 
dependency to patch a security vulnerability.", "cve": null, "id": "pyup.io-40670", "specs": [ "<0.16.0.dev0" ], "v": "<0.16.0.dev0" } ], "diffpriv": [ { "advisory": "Diffpriv 1.0.0rc1 includes a security fix: in the 'diff' and 'enc' modules, parameters were kept in Python memory and never removed. This release deletes these parameters after use, which helps prevent attackers from gaining access to them and, through them, to the original text and/or data. Note that deleting a Python reference does not guarantee the underlying memory is overwritten.", "cve": null, "id": "pyup.io-40539", "specs": [ "<1.0.0rc1" ], "v": "<1.0.0rc1" } ], "digitalmarketplace-utils": [ { "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.", "cve": null, "id": "pyup.io-39653", "specs": [ "<22.0.0" ], "v": "<22.0.0" } ], "dirac": [ { "advisory": "dirac 2.1 updates OpenSSL to avoid CVE-2021-3449 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", "cve": null, "id": "pyup.io-40206", "specs": [ "<2.1" ], "v": "<2.1" } ], "directory-client-core": [ { "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.", "cve": null, "id": "pyup.io-38689", "specs": [ "<5.1.1" ], "v": "<5.1.1" } ], "directory-components": [ { "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.", "cve": null, "id": "pyup.io-37298", "specs": [ "<25.0.1" ], "v": "<25.0.1" }, { "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 are set with the Secure and HttpOnly flags.", "cve": null, "id": "pyup.io-37475", "specs": [ "<33.0.0" ], "v": "<33.0.0" } ], "dirsearch": [ { "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. 
See also: .", "cve": null, "id": "pyup.io-40799", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "discogs-client": [ { "advisory": "discogs-client 2.2.2 updates dependencies to resolve security vulnerabilities", "cve": null, "id": "pyup.io-36787", "specs": [ "<2.2.2" ], "v": "<2.2.2" } ], "discord-ext-slash": [ { "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)", "cve": null, "id": "pyup.io-39641", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "discordpie": [ { "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.", "cve": null, "id": "pyup.io-38343", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "dispatch": [ { "advisory": "Dispatch 1.3.16 updates the 'Django' dependency version for security reasons.", "cve": null, "id": "pyup.io-40402", "specs": [ "<1.3.16" ], "v": "<1.3.16" } ], "djangae": [ { "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).", "cve": null, "id": "pyup.io-25693", "specs": [ "<0.9.4" ], "v": "<0.9.4" } ], "django": [ { "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.", "cve": "CVE-2009-2659", "id": "pyup.io-25694", "specs": [ "<1.0" ], "v": "<1.0" }, { "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", "cve": "CVE-2009-3695", "id": "pyup.io-25695", "specs": [ 
"<1.0.4", ">=1.1,<1.1.1" ], "v": "<1.0.4,>=1.1,<1.1.1" }, { "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", "cve": "CVE-2010-4535", "id": "pyup.io-33059", "specs": [ "<1.1.3", ">=1.2,<1.2.4" ], "v": "<1.1.3,>=1.2,<1.2.4" }, { "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", "cve": "CVE-2010-4534", "id": "pyup.io-33058", "specs": [ "<1.1.3", ">=1.2,<1.2.4" ], "v": "<1.1.3,>=1.2,<1.2.4" }, { "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.", "cve": "CVE-2011-0697", "id": "pyup.io-33061", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.", "cve": "CVE-2011-0696", "id": "pyup.io-33060", "specs": [ "<1.1.4", ">=1.2,<1.2.5" ], "v": "<1.1.4,>=1.2,<1.2.5" }, { "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to 
read or execute files via a / (slash) character in a key in a session cookie, related to session replays.", "cve": "CVE-2011-0698", "id": "pyup.io-33062", "specs": [ "<1.1.4", ">=1.2,<1.2.5" ], "v": "<1.1.4,>=1.2,<1.2.5" }, { "advisory": "django 1.11.18 fixes a security issue in 1.11.17 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", "cve": "CVE-2019-3498", "id": "pyup.io-36771", "specs": [ "<1.11.18,>=1.11.17" ], "v": "<1.11.18,>=1.11.17" }, { "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", "id": "pyup.io-36885", "specs": [ "<1.11.19,>=1.11.0" ], "v": "<1.11.19,>=1.11.0" }, { "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", "cve": "CVE-2019-12781", "id": "pyup.io-37261", "specs": [ "<1.11.22,>1.11", "<2.1.10,>2.1", "<2.2.3,>2.2" ], "v": "<1.11.22,>1.11,<2.1.10,>2.1,<2.2.3,>2.2" }, { "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.", "cve": null, "id": "pyup.io-37259", "specs": [ "<1.11.22,>1.11.21" ], "v": "<1.11.22,>1.11.21" }, { "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. 
A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.", "cve": "CVE-2019-19844", "id": "pyup.io-37771", "specs": [ "<1.11.27", ">=2.0a1,<2.2.9", ">=3.0a1,<3.0.1" ], "v": "<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1" }, { "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "cve": "CVE-2010-3082", "id": "pyup.io-25701", "specs": [ "<1.2.2" ], "v": "<1.2.2" }, { "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", "cve": "CVE-2011-4138", "id": "pyup.io-33065", "specs": [ "<1.2.7", ">=1.3,<1.3.1" ], "v": "<1.2.7,>=1.3,<1.3.1" }, { "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", "cve": "CVE-2011-4140", "id": "pyup.io-33066", "specs": [ "<1.2.7", ">=1.3,<1.3.1" ], "v": "<1.2.7,>=1.3,<1.3.1" }, { "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows 
remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", "cve": "CVE-2011-4136", "id": "pyup.io-33063", "specs": [ "<1.2.7", ">=1.3,<1.3.1" ], "v": "<1.2.7,>=1.3,<1.3.1" }, { "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", "cve": "CVE-2011-4137", "id": "pyup.io-33064", "specs": [ "<1.2.7", ">=1.3,<1.3.1" ], "v": "<1.2.7,>=1.3,<1.3.1" }, { "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.", "cve": "CVE-2012-3442", "id": "pyup.io-33067", "specs": [ "<1.3.2", ">=1.4,<1.4.1" ], "v": "<1.3.2,>=1.4,<1.4.1" }, { "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.", "cve": "CVE-2012-3443", "id": "pyup.io-33068", "specs": [ "<1.3.2", ">=1.4,<1.4.1" ], "v": "<1.3.2,>=1.4,<1.4.1" }, { "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", "cve": "CVE-2012-3444", "id": 
"pyup.io-33069", "specs": [ "<1.3.2", ">=1.4,<1.4.1" ], "v": "<1.3.2,>=1.4,<1.4.1" }, { "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.", "cve": "CVE-2012-4520", "id": "pyup.io-25709", "specs": [ "<1.3.4", ">=1.4,<1.4.2" ], "v": "<1.3.4,>=1.4,<1.4.2" }, { "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.", "cve": "CVE-2015-0220", "id": "pyup.io-33071", "specs": [ "<1.4.18", ">=1.6,<1.6.10", ">=1.7,<1.7.3" ], "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" }, { "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.", "cve": "CVE-2015-0221", "id": "pyup.io-33072", "specs": [ "<1.4.18", ">=1.6,<1.6.10", ">=1.7,<1.7.3" ], "v": "<1.4.18,>=1.6,<1.6.10,>=1.7,<1.7.3" }, { "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.", "cve": "CVE-2015-0219", "id": "pyup.io-33070", "specs": [ "<1.4.18", ">=1.7,<1.7.3", ">=1.6,<1.6.10" ], "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10" }, { "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a 
URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "cve": "CVE-2016-2512", "id": "pyup.io-33073", "specs": [ "<1.8.10", ">=1.9,<1.9.3" ], "v": "<1.8.10,>=1.9,<1.9.3" }, { "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", "cve": "CVE-2016-2513", "id": "pyup.io-33074", "specs": [ "<1.8.10", ">=1.9,<1.9.3" ], "v": "<1.8.10,>=1.9,<1.9.3" }, { "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", "cve": "CVE-2018-16984", "id": "pyup.io-36522", "specs": [ "<2.1.2,>=2.1" ], "v": "<2.1.2,>=2.1" }, { "advisory": "django before 2.1.2 fixes a security bug in 2.1.x. \r\nIf an admin user has the change permission to the user model, only part of the\r\npassword hash is displayed in the change form. 
Admin users with the view (but\r\nnot change) permission to the user model were displayed the entire hash.", "cve": "CVE-2018-16984", "id": "pyup.io-36517", "specs": [ "<2.1.2,>=2.1.0" ], "v": "<2.1.2,>=2.1.0" }, { "advisory": "django 2.1.5 fixes a security issue in 2.1.4 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", "cve": "CVE-2019-3498", "id": "pyup.io-36769", "specs": [ "<2.1.5,>=2.1.4" ], "v": "<2.1.5,>=2.1.4" }, { "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", "id": "pyup.io-36883", "specs": [ "<2.1.6,>=2.1.0" ], "v": "<2.1.6,>=2.1.0" }, { "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash. 
See: CVE-2018-14574.", "cve": "CVE-2018-14574", "id": "pyup.io-36359", "specs": [ "==1.11.14" ], "v": "==1.11.14" }, { "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).", "cve": "CVE-2019-12308", "id": "pyup.io-37186", "specs": [ "==1.11.20" ], "v": "==1.11.20" }, { "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.", "cve": "CVE-2019-14235", "id": "pyup.io-39599", "specs": [ "==1.11.22" ], "v": "==1.11.22" }, { "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.", "cve": "CVE-2019-14233", "id": "pyup.io-39601", "specs": [ "==1.11.22" ], "v": "==1.11.22" }, { "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.", "cve": "CVE-2019-14234", "id": "pyup.io-39600", "specs": [ "==1.11.22" ], "v": "==1.11.22" }, { "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.", "cve": "CVE-2019-14232", "id": "pyup.io-37326", "specs": [ "==1.11.22" ], "v": "==1.11.22" }, { "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.", "cve": "CVE-2019-19844", "id": "pyup.io-37663", "specs": [ "==1.11.26" ], "v": "==1.11.26" }, { "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", "cve": "CVE-2020-7471", "id": "pyup.io-37817", "specs": [ "==1.11.27" ], "v": "==1.11.27" }, { "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash. 
See: CVE-2018-14574.", "cve": "CVE-2018-14574", "id": "pyup.io-36358", "specs": [ "==2.0.7" ], "v": "==2.0.7" }, { "advisory": "django 2.0.10 fixes a security issue - CVE-2019-3498 - where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", "cve": "CVE-2019-3498", "id": "pyup.io-36770", "specs": [ "==2.0.9" ], "v": "==2.0.9" }, { "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", "cve": "CVE-2019-14232", "id": "pyup.io-37325", "specs": [ "==2.1.10" ], "v": "==2.1.10" }, { "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", "cve": "CVE-2019-14233", "id": "pyup.io-39598", "specs": [ "==2.1.10" ], "v": "==2.1.10" }, { "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", "cve": "CVE-2019-14235", "id": "pyup.io-39596", "specs": [ "==2.1.10" ], "v": "==2.1.10" }, { "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", "cve": "CVE-2019-14234", "id": "pyup.io-39597", "specs": [ "==2.1.10" ], "v": "==2.1.10" }, { "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", "cve": "CVE-2019-19118", "id": "pyup.io-37657", "specs": [ "==2.1.14" ], "v": "==2.1.14" }, { "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).", "cve": 
"CVE-2019-12308", "id": "pyup.io-37185", "specs": [ "==2.1.8" ], "v": "==2.1.8" }, { "advisory": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", "cve": "CVE-2019-11358", "id": "pyup.io-39595", "specs": [ "==2.1.8" ], "v": "==2.1.8" }, { "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", "cve": "CVE-2020-9402", "id": "pyup.io-37258", "specs": [ "==2.1.9" ], "v": "==2.1.9" }, { "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).", "cve": "CVE-2019-12308", "id": "pyup.io-37184", "specs": [ "==2.2.1" ], "v": "==2.2.1" }, { "advisory": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", "cve": "CVE-2019-11358", "id": "pyup.io-39594", "specs": [ "==2.2.1" ], "v": "==2.2.1" }, { "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).", "cve": "CVE-2021-3281", "id": "pyup.io-39523", "specs": [ "==2.2.17" ], "v": "==2.2.17" }, { "advisory": "Django 2.2.18 is vulnerable to CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of :func:'urllib.parse.parse_qsl' which was added to backport some security fixes. 
A further security fix has been issued recently such that 'parse_qsl()' no longer allows using ';' as a query parameter separator by default. Django now includes this fix. See :bpo:'42967' for further details.", "cve": "CVE-2021-23336", "id": "pyup.io-39646", "specs": [ "==2.2.18" ], "v": "==2.2.18" }, { "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.", "cve": "CVE-2019-12781", "id": "pyup.io-37324", "specs": [ "==2.2.2" ], "v": "==2.2.2" }, { "advisory": "Django 2.2.24 fixes a security issue in 2.2.23 (CVE-2021-33203).", "cve": null, "id": "pyup.io-40586", "specs": [ "==2.2.23" ], "v": "==2.2.23" }, { "advisory": "Django 2.2.24 fixes a security issue in 2.2.23 (CVE-2021-33571).", "cve": null, "id": "pyup.io-40597", "specs": [ "==2.2.23" ], "v": "==2.2.23" }, { "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", "cve": "CVE-2019-14233", "id": "pyup.io-39593", "specs": [ "==2.2.3" ], "v": "==2.2.3" }, { "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", "cve": "CVE-2019-14234", "id": "pyup.io-39592", "specs": [ "==2.2.3" ], "v": "==2.2.3" }, { "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", "cve": "CVE-2019-14235", "id": "pyup.io-39591", "specs": [ "==2.2.3" ], "v": "==2.2.3" }, { "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", "cve": "CVE-2019-14232", "id": "pyup.io-37323", "specs": [ "==2.2.3" ], "v": "==2.2.3" }, { "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation in the Django admin.", "cve": "CVE-2019-19118", "id": "pyup.io-37656", "specs": [ "==2.2.7" ], "v": "==2.2.7" }, { 
"advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via password reset form.", "cve": "CVE-2019-19844", "id": "pyup.io-37662", "specs": [ "==2.2.8" ], "v": "==2.2.8" }, { "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via `StringAgg(delimiter)`. See CVE-2020-7471.", "cve": "CVE-2020-7471", "id": "pyup.io-37816", "specs": [ "==2.2.9" ], "v": "==2.2.9" }, { "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.", "cve": "CVE-2019-19844", "id": "pyup.io-37661", "specs": [ "==3.0" ], "v": "==3.0" }, { "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).", "cve": "CVE-2021-3281", "id": "pyup.io-39522", "specs": [ "==3.0.11" ], "v": "==3.0.11" }, { "advisory": "Django 3.0.12 is vulnerable to CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of :func:'urllib.parse.parse_qsl' which was added to backport some security fixes. A further security fix has been issued recently such that 'parse_qsl()' no longer allows using ';' as a query parameter separator by default. Django now includes this fix. See :bpo:'42967' for further details.", "cve": "CVE-2021-23336", "id": "pyup.io-39645", "specs": [ "==3.0.12" ], "v": "==3.0.12" }, { "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", "cve": "CVE-2020-7471", "id": "pyup.io-37815", "specs": [ "==3.0.2" ], "v": "==3.0.2" }, { "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. 
By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", "cve": "CVE-2020-9402", "id": "pyup.io-27043", "specs": [ "==3.0.3" ], "v": "==3.0.3" }, { "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).", "cve": null, "id": "pyup.io-40598", "specs": [ "==3.1.11" ], "v": "==3.1.11" }, { "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).", "cve": null, "id": "pyup.io-40585", "specs": [ "==3.1.11" ], "v": "==3.1.11" }, { "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).", "cve": "CVE-2021-3281", "id": "pyup.io-39521", "specs": [ "==3.1.5" ], "v": "==3.1.5" }, { "advisory": "Django 3.1.6 is vulnerable to CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of :func:'urllib.parse.parse_qsl' which was added to backport some security fixes. A further security fix has been issued recently such that 'parse_qsl()' no longer allows using ';' as a query parameter separator by default. Django now includes this fix. See :bpo:'42967' for further details.", "cve": "CVE-2021-23336", "id": "pyup.io-39644", "specs": [ "==3.1.6" ], "v": "==3.1.6" }, { "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).", "cve": null, "id": "pyup.io-40584", "specs": [ "==3.2.3" ], "v": "==3.2.3" }, { "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).", "cve": null, "id": "pyup.io-40599", "specs": [ "==3.2.3" ], "v": "==3.2.3" }, { "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. 
In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", "cve": null, "id": "pyup.io-25722", "specs": [ ">=1.10,<1.10.3" ], "v": ">=1.10,<1.10.3" }, { "advisory": "CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. 
The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.", "cve": "CVE-2017-7233", "id": "pyup.io-33300", "specs": [ ">=1.10,<1.10.7" ], "v": ">=1.10,<1.10.7" }, { "advisory": "Django 1.10.8 fixes a security issue in 1.10.7. In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with 'DEBUG = True' (which makes this page accessible) in your production settings. See also: CVE-2017-12794, described as \"Possible XSS in traceback section of technical 500 debug page\".", "cve": "CVE-2017-12794", "id": "pyup.io-34918", "specs": [ ">=1.10.7,<1.10.8" ], "v": ">=1.10.7,<1.10.8" }, { "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", "cve": "CVE-2020-7471", "id": "pyup.io-37970", "specs": [ ">=1.11,<1.11.28", ">=2.2,<2.2.10", ">=3.0,<3.0.3" ], "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3" }, { "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. 
Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.", "cve": "CVE-2017-12794", "id": "pyup.io-34917", "specs": [ ">=1.11,<1.11.5" ], "v": ">=1.11,<1.11.5" }, { "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.", "cve": "CVE-2019-12308", "id": "pyup.io-37191", "specs": [ ">=1.11.0,<1.11.21", ">=2.1,<2.1.9", ">=2.2,<2.2.2" ], "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2" }, { "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "cve": "CVE-2019-14232", "id": "pyup.io-37329", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", ">=2.2.0,<2.2.4" ], "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. 
This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", "cve": "CVE-2019-14234", "id": "pyup.io-37357", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", ">=2.2.0,<2.2.4" ], "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", "cve": "CVE-2019-14233", "id": "pyup.io-37330", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", ">=2.2.0,<2.2.4" ], "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", "cve": "CVE-2019-14235", "id": "pyup.io-37331", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", ">=2.2.0,<2.2.4" ], "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. 
See: CVE-2020-9402.", "cve": "CVE-2020-9402", "id": "pyup.io-38010", "specs": [ ">=1.11.0,<1.11.29", ">=2.2.0,<2.2.11", ">=3.0.0,<3.0.4" ], "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4" }, { "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker can enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", "cve": "CVE-2018-6188", "id": "pyup.io-35174", "specs": [ ">=1.11.8,<1.11.10" ], "v": ">=1.11.8,<1.11.10" }, { "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. 
A remote user can redirect the target user's browser to an arbitrary site.", "cve": "CVE-2018-14574", "id": "pyup.io-36368", "specs": [ ">=1.11a1,<1.11.15", ">=2.0a1,<2.0.8" ], "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8" }, { "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.", "cve": "CVE-2013-0305", "id": "pyup.io-33111", "specs": [ ">=1.3,<1.3.6", ">=1.4,<1.4.4", ">=1.5,<1.5.1" ], "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" }, { "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.", "cve": "CVE-2013-0306", "id": "pyup.io-33112", "specs": [ ">=1.3,<1.3.6", ">=1.4,<1.4.4", ">=1.5,<1.5.1" ], "v": ">=1.3,<1.3.6,>=1.4,<1.4.4,>=1.5,<1.5.1" }, { "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.", "cve": "CVE-2015-5964", "id": "pyup.io-25728", "specs": [ ">=1.4,<1.4.22", ">=1.7,<1.7.10" ], "v": ">=1.4,<1.4.22,>=1.7,<1.7.10" }, { "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", "cve": 
"CVE-2015-5963", "id": "pyup.io-25727", "specs": [ ">=1.4,<1.4.22", ">=1.7,<1.7.10", ">=1.8,<1.8.4" ], "v": ">=1.4,<1.4.22,>=1.7,<1.7.10,>=1.8,<1.8.4" }, { "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.", "cve": "CVE-2013-1443", "id": "pyup.io-25729", "specs": [ ">=1.6,<1.6-beta-4", ">=1.4,<1.4.8", ">=1.5,<1.5.4" ], "v": ">=1.6,<1.6-beta-4,>=1.4,<1.4.8,>=1.5,<1.5.4" }, { "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.", "cve": "CVE-2015-0222", "id": "pyup.io-25730", "specs": [ ">=1.7,<1.7.3", ">=1.6,<1.6.10" ], "v": ">=1.7,<1.7.3,>=1.6,<1.6.10" }, { "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.", "cve": "CVE-2015-2316", "id": "pyup.io-25731", "specs": [ ">=1.7,<1.7.7", ">=1.6,<1.6.11", ">=1.8a1,<1.8c1" ], "v": ">=1.7,<1.7.7,>=1.6,<1.6.11,>=1.8a1,<1.8c1" }, { "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.", "cve": "CVE-2015-5143", "id": "pyup.io-25725", "specs": [ ">=1.7,<1.7.9", ">=1.5,<1.7", ">=1.4,<1.4.21" ], "v": ">=1.7,<1.7.9,>=1.5,<1.7,>=1.4,<1.4.21" }, { "advisory": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS 
rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", "cve": "CVE-2016-9014", "id": "pyup.io-33075", "specs": [ ">=1.8,<1.8.16", ">=1.9,<1.9.11", ">=1.10,<1.10.3" ], "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3" }, { "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", "cve": "CVE-2016-9013", "id": "pyup.io-33076", "specs": [ ">=1.8,<1.8.16", ">=1.9,<1.9.11", ">=1.10,<1.10.3" ], "v": ">=1.8,<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3" }, { "advisory": "Django 1.8.18 fixes two security issues in 1.8.17.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. 
The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.", "cve": "CVE-2017-7233", "id": "pyup.io-33301", "specs": [ ">=1.8,<1.8.18" ], "v": ">=1.8,<1.8.18" }, { "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", "cve": "CVE-2015-3982", "id": "pyup.io-25732", "specs": [ ">=1.8,<1.8.2" ], "v": ">=1.8,<1.8.2" }, { "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", "cve": "CVE-2015-5145", "id": "pyup.io-25733", "specs": [ ">=1.8,<1.8.3" ], "v": ">=1.8,<1.8.3" }, { "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.", "cve": "CVE-2015-5144", "id": "pyup.io-25726", "specs": [ ">=1.8,<1.8.3", ">=1.7,<1.7.9", ">=1.5,<1.6", ">=1.4,<1.4.21" ], "v": ">=1.8,<1.8.3,>=1.7,<1.7.9,>=1.5,<1.6,>=1.4,<1.4.21" }, { "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", "cve": "CVE-2015-8213", "id": "pyup.io-25714", "specs": [ ">=1.8,<1.8.7", "<1.7.11", ">=1.9,<1.9rc2" ], "v": 
">=1.8,<1.8.7,<1.7.11,>=1.9,<1.9rc2" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.", "cve": "CVE-2015-2241", "id": "pyup.io-25715", "specs": [ ">=1.8,<1.8b2", "<1.7.6" ], "v": ">=1.8,<1.8b2,<1.7.6" }, { "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.", "cve": "CVE-2015-2317", "id": "pyup.io-25713", "specs": [ ">=1.8,<1.8c1", "<1.4.20", ">=1.5,<1.6", ">=1.6,<1.6.11", ">=1.7,<1.7.7" ], "v": ">=1.8,<1.8c1,<1.4.20,>=1.5,<1.6,>=1.6,<1.6.11,>=1.7,<1.7.7" }, { "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", "cve": "CVE-2016-7401", "id": "pyup.io-25718", "specs": [ ">=1.9,<1.9.10", "<1.8.15" ], "v": ">=1.9,<1.9.10,<1.8.15" }, { "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. 
This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", "cve": null, "id": "pyup.io-25734", "specs": [ ">=1.9,<1.9.11" ], "v": ">=1.9,<1.9.11" }, { "advisory": "Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final\r\nrelease of the 1.9.x series.\r\n\r\nCVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs\r\n============================================================================================\r\n\r\nDjango relies on user input in some cases (e.g.\r\n:func:`django.contrib.auth.views.login` and :doc:`i18n `)\r\nto redirect the user to an \"on success\" URL. The security check for these\r\nredirects (namely ``django.utils.http.is_safe_url()``) considered some numeric\r\nURLs (e.g. ``http:999999999``) \"safe\" when they shouldn't be.\r\n\r\nAlso, if a developer relies on ``is_safe_url()`` to provide safe redirect\r\ntargets and puts such a URL into a link, they could suffer from an XSS attack.\r\n\r\nCVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``\r\n=============================================================================\r\n\r\nA maliciously crafted URL to a Django site using the\r\n:func:`~django.views.static.serve` view could redirect to any other domain. 
The\r\nview no longer does any redirects as they don't provide any known, useful\r\nfunctionality.\r\n\r\nNote, however, that this view has always carried a warning that it is not\r\nhardened for production use and should be used only as a development aid.", "cve": "CVE-2017-7233", "id": "pyup.io-33302", "specs": [ ">=1.9,<1.9.13" ], "v": ">=1.9,<1.9.13" }, { "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.", "cve": "CVE-2016-2048", "id": "pyup.io-25735", "specs": [ ">=1.9,<1.9.2" ], "v": ">=1.9,<1.9.2" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", "cve": "CVE-2016-6186", "id": "pyup.io-25721", "specs": [ ">=1.9,<1.9.8", "==1.8.14", ">=1.10,<1.10rc1" ], "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1" }, { "advisory": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. 
In other words, there is directory traversal outside of the template root directories.", "cve": "CVE-2021-33203", "id": "pyup.io-40637", "specs": [ ">=2.0.0a1,<2.2.24", ">=3.0.0a1,<3.1.12", ">=3.2.0a1,<3.2.4" ], "v": ">=2.0.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4" }, { "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", "id": "pyup.io-36884", "specs": [ ">=2.0a1,<2.0.11" ], "v": ">=2.0a1,<2.0.11" }, { "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker can enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). 
This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", "cve": "CVE-2018-6188", "id": "pyup.io-35173", "specs": [ ">=2.0a1,<2.0.2", "==1.11.8", "==1.11.9" ], "v": ">=2.0a1,<2.0.2,==1.11.8,==1.11.9" }, { "advisory": "If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were\r\npassed the ``html=True`` argument, they were extremely slow to evaluate certain\r\ninputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``chars()`` and ``words()`` methods are used to implement the\r\n``truncatechars_html`` and ``truncatewords_html`` template filters, which were\r\nthus vulnerable.", "cve": "CVE-2018-7537", "id": "pyup.io-35796", "specs": [ ">=2.0a1,<2.0.3", ">=1.8a1 ,<1.8.19", ">=1.11a1,<1.11.11" ], "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11" }, { "advisory": "The ``django.utils.html.urlize()`` function was extremely slow to evaluate\r\ncertain inputs due to a catastrophic backtracking vulnerability in a regular\r\nexpression. The ``urlize()`` function is used to implement the ``urlize`` and\r\n``urlizetrunc`` template filters, which were thus vulnerable.\r\n\r\nThe problematic regular expression is replaced with parsing logic that behaves\r\nsimilarly.", "cve": "CVE-2018-7536", "id": "pyup.io-35797", "specs": [ ">=2.0a1,<2.0.3", ">=1.8a1 ,<1.8.19", ">=1.11a1,<1.11.11" ], "v": ">=2.0a1,<2.0.3,>=1.8a1 ,<1.8.19,>=1.11a1,<1.11.11" }, { "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. 
Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) See: CVE-2019-19118.", "cve": "CVE-2019-19118", "id": "pyup.io-37766", "specs": [ ">=2.1,<2.1.15", ">=2.2,<2.2.8" ], "v": ">=2.1,<2.1.15,>=2.2,<2.2.8" }, { "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. See CVE-2021-3281.", "cve": "CVE-2021-3281", "id": "pyup.io-39526", "specs": [ ">=2.2,<2.2.18", ">=3.1,<3.1.6", ">=3.0,<3.0.12" ], "v": ">=2.2,<2.2.18,>=3.1,<3.1.6,>=3.0,<3.0.12" }, { "advisory": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.", "cve": "CVE-2021-31542", "id": "pyup.io-40404", "specs": [ ">=2.2,<2.2.21", ">=3.1a1,<3.1.9", ">=3.2,<3.2.1" ], "v": ">=2.2,<2.2.21,>=3.1a1,<3.1.9,>=3.2,<3.2.1" }, { "advisory": "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+)."
, "cve": "CVE-2021-33571", "id": "pyup.io-40638", "specs": [ ">=2.2.0a1,<2.2.24", ">=3.0.0a1,<3.1.12", ">=3.2.0a1,<3.2.4" ], "v": ">=2.2.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4" }, { "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.", "cve": "CVE-2021-28658", "id": "pyup.io-40163", "specs": [ ">=2.2a1,<2.2.20", ">=3.0a1,<3.0.14", ">=3.1a1,<3.1.8" ], "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8" }, { "advisory": "CVE-2020-13254: Potential data leakage via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", "cve": "CVE-2020-13254", "id": "pyup.io-38373", "specs": [ ">=3.0a1,<3.0.7", ">=2.2a1,<2.2.13" ], "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" }, { "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", "cve": "CVE-2020-13596", "id": "pyup.io-38372", "specs": [ ">=3.0a1,<3.0.7", ">=2.2a1,<2.2.13" ], "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" }, { "advisory": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). 
If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.", "cve": "CVE-2021-32052", "id": "pyup.io-40414", "specs": [ ">=3.1a1,<3.1.10", ">=2.2a1,<2.2.22", ">=3.2a1,<3.2.2" ], "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2" } ], "django-access-tokens": [ { "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.", "cve": null, "id": "pyup.io-25736", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "django-access-tokens-py3": [ { "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.", "cve": null, "id": "pyup.io-34892", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "django-afip": [ { "advisory": "Django-afip 7.1.1 overrides the TLS configuration for AFIP's servers (and only those). They have worsened their security configuration, and it's now seen as insecure by default on many environments.", "cve": null, "id": "pyup.io-38705", "specs": [ "<7.1.1" ], "v": "<7.1.1" } ], "django-airplane": [ { "advisory": "django-airplane 0.3 updates minimum django to secure 2.0.2.", "cve": null, "id": "pyup.io-36587", "specs": [ "<0.3" ], "v": "<0.3" } ], "django-allauth": [ { "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. 
These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.", "cve": null, "id": "pyup.io-25737", "specs": [ "<0.28.0" ], "v": "<0.28.0" }, { "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", "cve": null, "id": "pyup.io-35034", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. See CVE-2019-19844 and .", "cve": "CVE-2019-19844", "id": "pyup.io-37664", "specs": [ "<0.41.0" ], "v": "<0.41.0" } ], "django-allauth-underground": [ { "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n larger ``SOCIALACCOUNT_PROVIDERS`` setting).", "cve": null, "id": "pyup.io-36394", "specs": [ "<0.28.0" ], "v": "<0.28.0" } ], "django-anonymizer": [ { "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.", "cve": null, "id": "pyup.io-25738", "specs": [ "<0.4" ], "v": "<0.4" } ], "django-anonymizer-compat": [ { "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.", "cve": null, "id": "pyup.io-25739", "specs": [ "<0.4" ], "v": "<0.4" } ], "django-anymail": [ { "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. 
An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.", "cve": "CVE-2018-6596", "id": "pyup.io-35178", "specs": [ "<1.4" ], "v": "<1.4" }, { "advisory": "In django-anymail v0.2\u2013v1.3 the WEBHOOK_AUTHORIZATION key might get leaked if DEBUG=True since it isn\u2019t sanitized properly.", "cve": null, "id": "pyup.io-35198", "specs": [ ">=0.2,<1.4" ], "v": ">=0.2,<1.4" } ], "django-autocomplete-light": [ { "advisory": "django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.", "cve": null, "id": "pyup.io-25740", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "django-awl": [ { "advisory": "django-awl 0.22.2 updates minimum library requirements for django 2.0.2 and 2.1.2 to reflect\r\nsecurity updates.", "cve": null, "id": "pyup.io-36588", "specs": [ "<0.22.2" ], "v": "<0.22.2" }, { "advisory": "Django-awl 1.0 updates the minimum library requirements for django 2.0.2 and 2.1.2 to reflect security updates.", "cve": null, "id": "pyup.io-38139", "specs": [ "<1.0" ], "v": "<1.0" } ], "django-basic-auth-ip-whitelist": [ { "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.", "cve": null, "id": "pyup.io-38438", "specs": [ "<0.3.4" ], "v": "<0.3.4" }, { "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. 
Currently the string comparison between the configured credentials and the ones provided by users is performed through a character-by-character string comparison (which stops at the first mismatching character, so the time taken depends on how much of the input matches). This makes it possible for an attacker to measure how long the server takes to validate different usernames and passwords, and use that timing information to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed in version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change the basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. This can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. See: CVE-2020-4071.", "cve": "CVE-2020-4071", "id": "pyup.io-38443", "specs": [ "<0.3.4" ], "v": "<0.3.4" } ], "django-basicauth": [ { "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.", "cve": null, "id": "pyup.io-35076", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "django-bootstrap4": [ { "advisory": "Django-bootstrap4 2.3.0 updates the Sphinx dependency because of a security update.", "cve": null, "id": "pyup.io-38870", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "django-ca": [ { "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.", "cve": null, "id": "pyup.io-37015", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Django's `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings. 
It also adds several security related headers to the admin interface (CSP, etc).", "cve": null, "id": "pyup.io-39375", "specs": [ "<1.17.0" ], "v": "<1.17.0" }, { "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.", "cve": null, "id": "pyup.io-36405", "specs": [ "<1.9.0" ], "v": "<1.9.0" } ], "django-celery-results": [ { "advisory": "Django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. See CVE-2020-17495.", "cve": "CVE-2020-17495", "id": "pyup.io-38678", "specs": [ "<=1.2.1" ], "v": "<=1.2.1" } ], "django-cms": [ { "advisory": "django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin", "cve": null, "id": "pyup.io-25741", "specs": [ "<2.1.3" ], "v": "<2.1.3" }, { "advisory": "django-cms before 2.1.4 fixes a XSS issue in Text Plugins.", "cve": null, "id": "pyup.io-25742", "specs": [ "<2.1.4" ], "v": "<2.1.4" }, { "advisory": "django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability", "cve": null, "id": "pyup.io-25743", "specs": [ "<3.0.14" ], "v": "<3.0.14" }, { "advisory": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.", "cve": "CVE-2015-5081", "id": "pyup.io-35628", "specs": [ "<3.0.14", ">3.1,<3.1.1" ], "v": "<3.0.14,>3.1,<3.1.1" }, { "advisory": "django-cms 3.2.4 addresses security vulnerabilities in the `render_model` template tag that could lead to escalation of privileges or other security issues. It also addresses a security vulnerability in the cms' usage of the messages framework. 
Furthermore it fixes security vulnerabilities in custom FormFields that could lead to escalation of privileges or other security issue", "cve": null, "id": "pyup.io-25746", "specs": [ "<3.2.4" ], "v": "<3.2.4" }, { "advisory": "django-cms 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code and a vulnerability where the next parameter for the toolbar login was not sanitised and could point to another domain.", "cve": null, "id": "pyup.io-34226", "specs": [ "<3.4.3" ], "v": "<3.4.3" }, { "advisory": "Django-cms 3.4.7 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", "cve": null, "id": "pyup.io-38791", "specs": [ ">=3.4.0,<3.4.7" ], "v": ">=3.4.0,<3.4.7" }, { "advisory": "Django-cms 3.5.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", "cve": null, "id": "pyup.io-38790", "specs": [ ">=3.5.0,<3.5.4" ], "v": ">=3.5.0,<3.5.4" }, { "advisory": "django-cms before 3.6.1\r\nDjango-cms 3.6.1 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", "cve": null, "id": "pyup.io-38789", "specs": [ ">=3.6.0,<3.6.1" ], "v": ">=3.6.0,<3.6.1" }, { "advisory": "Django-cms 3.7.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", "cve": null, "id": "pyup.io-38788", "specs": [ ">=3.7.0,<3.7.4" ], "v": ">=3.7.0,<3.7.4" } ], "django-cms-patched": [ { "advisory": "django-cms-patched before 3.0.17 has security vulnerabilities in the `render_model` template tag that could\r\n lead to escalation of privileges or other security issues.", "cve": null, "id": "pyup.io-34123", "specs": [ "<3.0.17" ], "v": "<3.0.17" }, { "advisory": "django-cms-patched 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code.", "cve": null, "id": "pyup.io-34121", "specs": [ "<3.4.3" ], "v": "<3.4.3" } ], "django-cors-headers": [ { "advisory": 
"In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 ) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']", "cve": null, "id": "pyup.io-37132", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "django-councilmatic": [ { "advisory": "Django-councilmatic 2.5.9 patches a XSS vulnerability when using filter options. This issue happens for all cities that use your product. Within the /search view, you can use the filter parameters to run Javascript code in an HTML script tag. See: .", "cve": null, "id": "pyup.io-38708", "specs": [ "<2.5.9" ], "v": "<2.5.9" } ], "django-countries": [ { "advisory": "django-countries 3.4 fixes a XSS escaping issue in CountrySelectWidget.", "cve": null, "id": "pyup.io-25747", "specs": [ "<3.4" ], "v": "<3.4" }, { "advisory": "django-countries 3.4 fixes an XSS escaping issue in CountrySelectWidget", "cve": null, "id": "pyup.io-37951", "specs": [ "<3.4" ], "v": "<3.4" } ], "django-crispy-forms": [ { "advisory": "django-crispy-forms 1.1.4 contains a security fix: Thread safety fixes to `CrispyFieldNode` thanks to Paul Oswald. This avoids leaking information between requests in multithreaded WSGI servers.", "cve": null, "id": "pyup.io-25751", "specs": [ "<1.1.4" ], "v": "<1.1.4" } ], "django-crispy-forms-ng": [ { "advisory": "django-crispy-forms before 0.9.0 fixes a XSS bug thanks to Charlie Denton, see GH-98. 
Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.", "cve": null, "id": "pyup.io-25750", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-crm": [ { "advisory": "MicroPyramid Django-CRM 0.2 does not use CSRF token for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.", "cve": "CVE-2018-16552", "id": "pyup.io-36440", "specs": [ "<=0.2" ], "v": "<=0.2" }, { "advisory": "Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. See: CVE-2019-11457.", "cve": "CVE-2019-11457", "id": "pyup.io-37416", "specs": [ "==0.2.1" ], "v": "==0.2.1" } ], "django-dajaxice-me": [ { "advisory": "django-dajaxice-me 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.", "cve": null, "id": "pyup.io-25752", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "django-dajaxice-ng": [ { "advisory": "django-dajaxice-ng 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.", "cve": null, "id": "pyup.io-25753", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "django-debug-toolbar": [ { "advisory": "A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. 
See CVE-2021-30459.", "cve": "CVE-2021-30459", "id": "pyup.io-40207", "specs": [ "<1.11.1", ">2,<2.2.1", ">3,<3.2.1" ], "v": "<1.11.1,>2,<2.2.1,>3,<3.2.1" } ], "django-discord-bind": [ { "advisory": "django-discord-bind 0.2.0 added state validation to prevent CSRF attacks.", "cve": null, "id": "pyup.io-25754", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "django-embed-video": [ { "advisory": "django-embed-video 0.3 has a security fix: faked urls are treated as invalid.", "cve": null, "id": "pyup.io-25755", "specs": [ "<0.3" ], "v": "<0.3" } ], "django-envelope": [ { "advisory": "django-envelope 0.4.1 contains a security bugfix regarding initial form values.", "cve": null, "id": "pyup.io-25756", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "django-epiced": [ { "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.", "cve": null, "id": "pyup.io-34269", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-epiceditor": [ { "advisory": "There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.", "cve": "CVE-2017-6591", "id": "pyup.io-35735", "specs": [ "<=0.2.3" ], "v": "<=0.2.3" } ], "django-fernet-fields": [ { "advisory": "django-fernet-fields 0.3 removes DualField and HashField. The only cases where they are useful, they aren't secure.", "cve": null, "id": "pyup.io-25757", "specs": [ "<0.3" ], "v": "<0.3" }, { "advisory": "django-fernet-fields before 0.3 has DualField and HashField. 
The only cases where they are useful, they aren't secure.", "cve": null, "id": "pyup.io-34331", "specs": [ "<0.3" ], "v": "<0.3" } ], "django-fiber": [ { "advisory": "django-fiber 0.9.9.1 contains a security bugfix: Changed permission check in API from IsAuthenticated to IsAdminUser", "cve": null, "id": "pyup.io-25758", "specs": [ "<0.9.9.1" ], "v": "<0.9.9.1" } ], "django-filebrowser-no-grappelli-staff": [ { "advisory": "django-filebrowser-no-grappelli-staff 3.4.2 fixes a XSS vulnerability with fb_tags.", "cve": null, "id": "pyup.io-25760", "specs": [ "<3.4.2" ], "v": "<3.4.2" } ], "django-filter": [ { "advisory": "Django-filter 2.4.0 added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.", "cve": null, "id": "pyup.io-38825", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. 
Users may manually apply an equivalent validator if they are not able to upgrade.", "cve": "CVE-2020-15225", "id": "pyup.io-40317", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "django-fluent-comments": [ { "advisory": "django-fluent-comments 1.0.1 fixes security hash formatting errors on bad requests..", "cve": null, "id": "pyup.io-25761", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "django-formidable": [ { "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.", "cve": null, "id": "pyup.io-37875", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "django-friendship": [ { "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.", "cve": null, "id": "pyup.io-25762", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "django-guts": [ { "advisory": "django-guts 0.1.1 fixes a security issue, allowing anyone to read any file.", "cve": null, "id": "pyup.io-25763", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "django-hashedfilenamestorage": [ { "advisory": "django-hashedfilenamestorage 2.4 bumps Django dependency requirement to avoid vulnerable Django versions", "cve": null, "id": "pyup.io-36802", "specs": [ "<2.4" ], "v": "<2.4" } ], "django-hashid-field": [ { "advisory": "Django-hashid-field v1.0.0 \r\n\r\nIf you already specified `salt` in fields, like `id = HashidField(salt=\"something\")` everywhere then you're already set, and can upgrade worry-free.\r\n\r\nIf you instead let the module fallback to `salt=settings.SECRET_KEY` (default behavior) then this upgrade will change all of your existing fields. 
It has been pointed out that it's possible to discover the salt used when encoding Hashids, and thus it is very dangerous to use settings.SECRET_KEY, as an attacker may be able to get your SECRET_KEY from your HashidFields.\r\n\r\nIf you absolutely MUST maintain backwards-compatibility and continue to support your old hashed values, then you can set `HASHID_FIELD_SALT = SECRET_KEY` in your settings. But this is *VERY DISCOURAGED*.", "cve": null, "id": "pyup.io-38508", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.", "cve": null, "id": "pyup.io-37680", "specs": [ "<3.1.1" ], "v": "<3.1.1" } ], "django-haystack": [ { "advisory": "django-haystack 1.1 removes insecure use of ``eval`` from the Whoosh backend.", "cve": null, "id": "pyup.io-25764", "specs": [ "<1.1" ], "v": "<1.1" } ], "django-heartbeat": [ { "advisory": "Django-heartbeat 2.0.3 fixes its dependency to an insecure psutil package.", "cve": null, "id": "pyup.io-38604", "specs": [ "<2.0.3" ], "v": "<2.0.3" } ], "django-hijack": [ { "advisory": "django-hijack before 1.0.7 has a unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25765", "specs": [ "<1.0.7" ], "v": "<1.0.7" } ], "django-howl": [ { "advisory": "django-howl 1.0.4 updates django version to avoid security warnings.", "cve": null, "id": "pyup.io-37240", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Django-howl 1.0.5 updates Pipfile.lock and test environment to avoid security issues.", "cve": null, "id": "pyup.io-38069", "specs": [ "<1.0.5" ], "v": "<1.0.5" } ], "django-html5-appcache": [ { "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.", "cve": null, "id": "pyup.io-25766", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-idempotency-key": [ { "advisory": "Django-idempotency-key 1.1.0 drops 
support for Django (1.9, 1.10, 1.11). Django 1.11 was dropped because of security issues and because it is close to the end of its support life. Django-idempotency-key 1.1.0 also updates some packages with security issues: Django (>=2.x), Bleach (>=3.1.4), Urllib3 (>=1.24.2).", "cve": null, "id": "pyup.io-38162", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "django-initial-avatars": [ { "advisory": "django-initial-avatars before 0.4 has an unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25767", "specs": [ "<0.4" ], "v": "<0.4" }, { "advisory": "django-initial-avatars before 0.5.0 has an unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25768", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "django-jet": [ { "advisory": "django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", "cve": null, "id": "pyup.io-25769", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-jet-reboot": [ { "advisory": "Django-jet-reboot 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", "cve": null, "id": "pyup.io-39370", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-jinja-knockout": [ { "advisory": "'TemplateContext' class is used in Django-jinja-knockout 0.9.0 to manage client-side data injection.", "cve": null, "id": "pyup.io-39610", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-js-reverse": [ { "advisory": "django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. See: CVE-2019-15486.", "cve": "CVE-2019-15486", "id": "pyup.io-37399", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "django-lazysignup": [ { "advisory": "django-lazysignup 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. 
This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.", "cve": null, "id": "pyup.io-25770", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "django-lazysignup-redux": [ { "advisory": "django-lazysignup-redux 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.", "cve": null, "id": "pyup.io-25771", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "django-lfs": [ { "advisory": "django-lfs before 0.6.9 has a unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25772", "specs": [ "<0.6.9" ], "v": "<0.6.9" } ], "django-mail-auth": [ { "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.", "cve": null, "id": "pyup.io-37171", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "django-make-app": [ { "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", "cve": "CVE-2017-16764", "id": "pyup.io-35722", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "django-mapstore-adapter": [ { "advisory": "Django-mapstore-adapter 1.0.4 fixes an unescaped \"ms2_config\" which may cause JS injection.", "cve": null, "id": "pyup.io-38936", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-markupfield": [ { "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", "cve": "CVE-2015-0846", "id": "pyup.io-25773", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", "cve": "CVE-2015-0846", "id": "pyup.io-25774", "specs": [ "<1.3.3" ], "v": "<1.3.3" } ], "django-material": [ { "advisory": "django-material 0.9.0 fixes a XSS vulnerability in input fields.", "cve": null, "id": "pyup.io-25775", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "django-material before 1.5.1 included a js injection vulnerability in a list view", "cve": null, "id": "pyup.io-36950", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "django-material-orange": [ { "advisory": "django-material-orange before 0.9.0 has a XSS vulnerability in input fields.", "cve": null, "id": "pyup.io-32207", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-material-saldoo": [ { "advisory": "django-material-saldoo before 0.9.0 has a XSS vulnerability in input fields.", "cve": null, "id": "pyup.io-32243", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-modern-rpc": [ { "advisory": "django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.", "cve": null, "id": "pyup.io-34991", "specs": [ "<0.8.1" ], "v": "<0.8.1" } ], 
"django-music-publisher": [ { "advisory": "Django 2.1 had a minor security issue, so 2.1.2 was promptly released.. django-music-publisher before 18.9.1 included this issue.", "cve": null, "id": "pyup.io-36523", "specs": [ "<18.9.1" ], "v": "<18.9.1" }, { "advisory": "django-music-publisher 18.9.3 updates Django to fix a minor security issue.", "cve": null, "id": "pyup.io-36608", "specs": [ "<18.9.3" ], "v": "<18.9.3" } ], "django-nameko-standalone": [ { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to avoid security warnings.", "cve": null, "id": "pyup.io-38565", "specs": [ "<1.3.2" ], "v": "<1.3.2" } ], "django-newsletter": [ { "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.", "cve": null, "id": "pyup.io-36318", "specs": [ "<0.7" ], "v": "<0.7" }, { "advisory": "django-newsletter 0.9 updates several dependencies (waitress, Django) due to security issues", "cve": null, "id": "pyup.io-37916", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Django-newsletter 0.9b1 updates several dependencies due to security issues.", "cve": null, "id": "pyup.io-37677", "specs": [ "<0.9b1" ], "v": "<0.9b1" } ], "django-ninecms": [ { "advisory": "django-ninecms before 0.4.5b has a unknown security issue in its url configuration.", "cve": null, "id": "pyup.io-25776", "specs": [ "<0.4.5b" ], "v": "<0.4.5b" } ], "django-nopassword": [ { "advisory": "Django-nopassword before 5.0.0 stores cleartext secrets in the database. 
See: CVE-2019-10682.", "cve": "CVE-2019-10682", "id": "pyup.io-38080", "specs": [ "<5.0.0" ], "v": "<5.0.0" } ], "django-oauth-toolkit": [ { "advisory": "Django-oauth-toolkit 0.8.0 includes fixes for various vulnerabilities on 'Basic' authentication.", "cve": null, "id": "pyup.io-39609", "specs": [ "<0.8.0" ], "v": "<0.8.0" } ], "django-orghierarchy": [ { "advisory": "Django-orghierarchy 0.1.13 updates Django for security reasons.", "cve": null, "id": "pyup.io-37039", "specs": [ "<0.1.13" ], "v": "<0.1.13" }, { "advisory": "Django-orghierarchy 0.1.18 includes a not further specified security update.", "cve": null, "id": "pyup.io-37038", "specs": [ "<0.1.18" ], "v": "<0.1.18" } ], "django-perms-provisioner": [ { "advisory": "Django-perms-provisioner 0.0.4 updates PyYAML to a more secure version.", "cve": null, "id": "pyup.io-38289", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "django-piston": [ { "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "cve": "CVE-2011-4103", "id": "pyup.io-25777", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "django-pluggable-filebrowser": [ { "advisory": "django-pluggable-filebrowser 3.4.2 fixes a security bug: added staff_member_required decorator to the upload-function.", "cve": null, "id": "pyup.io-25778", "specs": [ "<3.4.2" ], "v": "<3.4.2" } ], "django-polaris": [ { "advisory": "Improvements in the Multi-signature Asset Distribution Account Support allow anchors since django-polaris version 1.1.0 to improve the security of the account that controls outbound payments.", "cve": null, "id": "pyup.io-38837", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "django-postman": [ { "advisory": "django-postman 3.6.2 fixes issue 101, for security concern, ignore the scheme and domain parts in the 'next' query param.", "cve": null, "id": "pyup.io-36667", "specs": [ "<3.6.2" ], 
"v": "<3.6.2" } ], "django-python3-ldap": [ { "advisory": "django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.", "cve": null, "id": "pyup.io-25779", "specs": [ "<0.9.5" ], "v": "<0.9.5" }, { "advisory": "django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP server.", "cve": null, "id": "pyup.io-25780", "specs": [ "<0.9.8" ], "v": "<0.9.8" } ], "django-rated": [ { "advisory": "django-rated before 1.1.2 has a unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25781", "specs": [ "<1.1.2" ], "v": "<1.1.2" } ], "django-registration": [ { "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.", "cve": null, "id": "pyup.io-36431", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). 
See CVE-2021-21416.", "cve": "CVE-2021-21416", "id": "pyup.io-40136", "specs": [ "<3.1.2" ], "v": "<3.1.2" } ], "django-registration-redux": [ { "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268", "cve": null, "id": "pyup.io-35199", "specs": [ "<1.7" ], "v": "<1.7" } ], "django-relatives": [ { "advisory": "django-relatives before 0.3.0 is vulnerable to a unspecified XSS issue.", "cve": null, "id": "pyup.io-25782", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-rest-registration": [ { "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: .", "cve": null, "id": "pyup.io-37385", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. 
This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", "cve": "CVE-2019-13177", "id": "pyup.io-37266", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "django-revproxy": [ { "advisory": "django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.", "cve": null, "id": "pyup.io-25783", "specs": [ "<0.9.6" ], "v": "<0.9.6" }, { "advisory": "django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin ignores the upstream and the request is redirected to the path itself allowing content injection.", "cve": null, "id": "pyup.io-25784", "specs": [ "<0.9.7" ], "v": "<0.9.7" } ], "django-safedelete": [ { "advisory": "django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.", "cve": null, "id": "pyup.io-25785", "specs": [ "<0.3.3" ], "v": "<0.3.3" } ], "django-secure-auth": [ { "advisory": "django-secure-auth 1.1 includes undisclosed security fixes.", "cve": null, "id": "pyup.io-34185", "specs": [ "<1.1" ], "v": "<1.1" } ], "django-select2": [ { "advisory": "django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.", "cve": null, "id": "pyup.io-25787", "specs": [ "<5.7.0" ], "v": "<5.7.0" } ], "django-selectable": [ { "advisory": "django-selectable 0.5.2 fixes a XSS flaw with lookup ``get_item_*`` methods.", "cve": null, "id": "pyup.io-25788", "specs": [ "<0.5.2" ], "v": "<0.5.2" } ], "django-server": [ { "advisory": "django-server is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, "id": "pyup.io-34982", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "django-session-security": [ { "advisory": "django-session-security 2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.", "cve": null, "id": "pyup.io-25789", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "django-smart-lists": [ { "advisory": 
"Django-smart-lists 1.0.26 fixes a XSS vulnerability in the render_function.", "cve": null, "id": "pyup.io-38150", "specs": [ "<1.0.26" ], "v": "<1.0.26" } ], "django-smart-selects": [ { "advisory": "django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters. 1.5.0 adds checks to the views to ensure that queries return an HTTP 403 (Permission denied) for models that do not have smart_selects fields defined.", "cve": null, "id": "pyup.io-34234", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "django-social-auth": [ { "advisory": "django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", "cve": null, "id": "pyup.io-25790", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "django-social-auth3": [ { "advisory": "django-social-auth3 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", "cve": null, "id": "pyup.io-25791", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "django-sql-dashboard": [ { "advisory": "Django-sql-dashboard 0.14 fixes a security and permissions flaw, where users without the 'execute_sql' permission could still run custom queries by editing saved dashboards using the Django admin interface.", "cve": null, "id": "pyup.io-40482", "specs": [ "<0.14" ], "v": "<0.14" } ], "django-sql-explorer": [ { "advisory": "Users in django-sql-explorer version 0.5 with view permissions can use query parameters. 
This results in a potential for SQL injection.", "cve": null, "id": "pyup.io-39445", "specs": [ "<0.5" ], "v": "<0.5" }, { "advisory": "django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.", "cve": null, "id": "pyup.io-33293", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "django-sticky-uploads": [ { "advisory": "django-sticky-uploads 0.2.0 fixes a security issue related to client changing the upload url specified by the widget for the upload.", "cve": null, "id": "pyup.io-25793", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "django-storages": [ { "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.", "cve": null, "id": "pyup.io-36434", "specs": [ "<1.7" ], "v": "<1.7" } ], "django-tastypie": [ { "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "cve": "CVE-2011-4104", "id": "pyup.io-25794", "specs": [ "<0.9.10" ], "v": "<0.9.10" } ], "django-triggers": [ { "advisory": "Django-triggers 2.0.13 updates some dependencies to their latest secure versions.", "cve": null, "id": "pyup.io-37072", "specs": [ "<2.0.13" ], "v": "<2.0.13" } ], "django-two-factor-auth": [ { "advisory": "Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). 
The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. 
There is no way to fully mitigate the issue without upgrading. See: CVE-2020-15105.", "cve": "CVE-2020-15105", "id": "pyup.io-38562", "specs": [ "<1.12" ], "v": "<1.12" } ], "django-ucamlookup": [ { "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros", "cve": null, "id": "pyup.io-36744", "specs": [ "<1.9" ], "v": "<1.9" } ], "django-uni-form": [ { "advisory": "django-uni-form 0.9.0 fixes a XSS security issue. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.", "cve": null, "id": "pyup.io-25796", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-urlconf-export": [ { "advisory": "Django-urlconf-export 1.1.1 updates Django in pipfile.lock to address a security vulnerability.", "cve": null, "id": "pyup.io-38386", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "django-user-accounts": [ { "advisory": "django-user-accounts before 2.0.2 has a potentional security issue with leaking password reset tokens through HTTP Referer header.", "cve": null, "id": "pyup.io-34774", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "django-user-management": [ { "advisory": "Django-user-management 18.0.0 fixes a Pillow security issue and updates djangorestframework>=3.9.1 for an XSS fix.", "cve": null, "id": "pyup.io-38634", "specs": [ "<18.0.0" ], "v": "<18.0.0" } ], "django-user-sessions": [ { "advisory": "In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen. 
See: CVE-2020-5224.", "cve": "CVE-2020-5224", "id": "pyup.io-37777", "specs": [ "<1.7.1" ], "v": "<1.7.1" } ], "django-watchman": [ { "advisory": "django-watchman 0.10.0 improves security by keeping tokens out of logs.", "cve": null, "id": "pyup.io-25797", "specs": [ "<0.10.0" ], "v": "<0.10.0" } ], "django-x509": [ { "advisory": "Django-x509 0.9.1 updates the minimum version of 'cryptography' to 3.2 for security reasons.", "cve": null, "id": "pyup.io-39116", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "djangocms-admin-style": [ { "advisory": "djangocms-admin-style 1.2.5 fixes a potential security issue if the ``Site.name`` field contains malicious code.", "cve": null, "id": "pyup.io-36834", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "djangocms-highlightjs": [ { "advisory": "djangocms-highlightjs before 0.3.1 has a unspecified security issue and is vulnerable via unknown vectors.", "cve": null, "id": "pyup.io-25798", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "djangorestframework": [ { "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.", "cve": null, "id": "pyup.io-25799", "specs": [ "<2.2.1" ], "v": "<2.2.1" }, { "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. 
This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.", "cve": null, "id": "pyup.io-25800", "specs": [ "<2.3.12" ], "v": "<2.3.12" }, { "advisory": "djangorestframework 2.3.14 fixes a security issue: Escape request path when it is include as part of the login and logout links in the browsable API.", "cve": null, "id": "pyup.io-25801", "specs": [ "<2.3.14" ], "v": "<2.3.14" }, { "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.", "cve": null, "id": "pyup.io-25802", "specs": [ "<2.4.4" ], "v": "<2.4.4" }, { "advisory": "djangorestframework 2.4.5 fixes a security issue: Escape tab switching cookie name in browsable API. [Backported from 3.1.1]", "cve": null, "id": "pyup.io-25803", "specs": [ "<2.4.5" ], "v": "<2.4.5" }, { "advisory": "djangorestframework 3.1.1 fixes a security issue: : Escape tab switching cookie name in browsable API.", "cve": null, "id": "pyup.io-25804", "specs": [ "<3.1.1" ], "v": "<3.1.1" }, { "advisory": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious