{ "$meta": { "advisory": "PyUp.io metadata", "base_domain": "https://pyup.io", "timestamp": 1730440847 }, "10cent10": [ { "advisory": "10Cent10 is a malicious package, typosquatting. It steals Discord access tokens, passwords, and even stage dependency confusion attacks.\r\nhttps://thehackernews.com/2021/11/11-malicious-pypi-python-libraries.html", "cve": "PVE-2022-45461", "id": "pyup.io-45461", "more_info_path": "/vulnerabilities/PVE-2022-45461/45461", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "10cent11": [ { "advisory": "10Cent11 is a malicious package, typosquatting. It steals Discord access tokens, passwords, and even stage dependency confusion attacks.\r\nhttps://thehackernews.com/2021/11/11-malicious-pypi-python-libraries.html", "cve": "PVE-2022-45462", "id": "pyup.io-45462", "more_info_path": "/vulnerabilities/PVE-2022-45462/45462", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "11cent": [ { "advisory": "11Cent is a malicious package. It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-47995", "id": "pyup.io-47995", "more_info_path": "/vulnerabilities/PVE-2022-47995/47995", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "123bla": [ { "advisory": "The OpenSSF Package Analysis project identified '123bla' @ 0.0.1 (pypi) as malicious.", "cve": "PVE-2024-73967", "id": "pyup.io-73967", "more_info_path": "/vulnerabilities/PVE-2024-73967/73967", "specs": [ ">=0", "<=0" ], "v": ">=0,<=0" } ], "12cent": [ { "advisory": "12Cent is a malicious package. It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-47999", "id": "pyup.io-47999", "more_info_path": "/vulnerabilities/PVE-2022-47999/47999", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "13cent": [ { "advisory": "13Cent is a malicious package. 
It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-48000", "id": "pyup.io-48000", "more_info_path": "/vulnerabilities/PVE-2022-48000/48000", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "14cent": [ { "advisory": "14Cent is a malicious package. It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-48001", "id": "pyup.io-48001", "more_info_path": "/vulnerabilities/PVE-2022-48001/48001", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "15cent": [ { "advisory": "15Cent is a malicious package. It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-47996", "id": "pyup.io-47996", "more_info_path": "/vulnerabilities/PVE-2022-47996/47996", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "16cent": [ { "advisory": "16Cent is a malicious package. 
It exfiltrates data from the host where it is installed.\r\nhttps://bertusk.medium.com/malicious-pypi-packages-found-exfiltrating-data-and-opening-reverse-shells-87d4afb5d99e", "cve": "PVE-2022-47997", "id": "pyup.io-47997", "more_info_path": "/vulnerabilities/PVE-2022-47997/47997", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aa-timezones": [ { "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9", "cve": "PVE-2022-51033", "id": "pyup.io-51033", "more_info_path": "/vulnerabilities/PVE-2022-51033/51033", "specs": [ "<1.12.0" ], "v": "<1.12.0" }, { "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c", "cve": "PVE-2023-54978", "id": "pyup.io-54978", "more_info_path": "/vulnerabilities/PVE-2023-54978/54978", "specs": [ "<1.12.0" ], "v": "<1.12.0" } ], "aadhaar-py": [ { "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "PVE-2021-44525", "id": "pyup.io-44561", "more_info_path": "/vulnerabilities/PVE-2021-44525/44561", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22815", "id": "pyup.io-44607", "more_info_path": "/vulnerabilities/CVE-2022-22815/44607", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "PVE-2022-44524", "id": "pyup.io-44604", "more_info_path": "/vulnerabilities/PVE-2022-44524/44604", "specs": [ "<2.0.1" ], "v": "<2.0.1" 
}, { "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22816", "id": "pyup.io-44606", "more_info_path": "/vulnerabilities/CVE-2022-22816/44606", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Aadhaar-py 2.0.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-44605", "more_info_path": "/vulnerabilities/CVE-2022-22817/44605", "specs": [ "<2.0.1" ], "v": "<2.0.1" } ], "aamiles": [ { "advisory": "The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-33001", "id": "pyup.io-62691", "more_info_path": "/vulnerabilities/CVE-2022-33001/62691", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "aba-cli-scrapper": [ { "advisory": "Aba-cli-scrapper 0.3.0 replaces its dependency 'pymysql' as a DBAPIS with 'mysqlclient' to avoid a SQLi vulnerability.", "cve": "CVE-2024-36039", "id": "pyup.io-72564", "more_info_path": "/vulnerabilities/CVE-2024-36039/72564", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "abe": [ { "advisory": "Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call__ in abe.py because the PATH_INFO environment variable is mishandled during a PageNotFound exception.", "cve": "CVE-2020-11944", "id": "pyup.io-62858", "more_info_path": "/vulnerabilities/CVE-2020-11944/62858", "specs": [ "<0.7.2", "==0.8pre" ], "v": "<0.7.2,==0.8pre" } ], "abiflows": [ { "advisory": "Abiflows 0.6 includes a security patch for the function 'test_abipy_manager_from_file' in 'abiflows/fireworks/utils/tests/test_fw_utils.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. 
Consider yaml.safe_load().\r\nhttps://github.com/abinit/abiflows/commit/479b957c3b1abe41d85aaff2d14439605ddc5d0b#diff-5a814c49249ffdc2d551933c1bec95c4b2fe64d0619470085c5fef247fea2309", "cve": "CVE-2017-18342", "id": "pyup.io-41306", "more_info_path": "/vulnerabilities/CVE-2017-18342/41306", "specs": [ "<0.6" ], "v": "<0.6" } ], "abilian-devtools": [ { "advisory": "Abilian-devtools 0.4.4 includes a fix for a command injection vulnerability.\r\nhttps://github.com/abilian/abilian-devtools/commit/9d71b0d3b6b467589d58aacc932ca3dc7e524ce2", "cve": "PVE-2023-62205", "id": "pyup.io-62205", "more_info_path": "/vulnerabilities/PVE-2023-62205/62205", "specs": [ "<0.4.4" ], "v": "<0.4.4" } ], "abracadabra": [ { "advisory": "Abracadabra 0.0.4 updates its dependency 'notebook' to include a security fix.", "cve": "CVE-2020-26215", "id": "pyup.io-39264", "more_info_path": "/vulnerabilities/CVE-2020-26215/39264", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "accesscontrol": [ { "advisory": "AccessControl 4.4, 5.8 and 6.2 include a fix for CVE-2023-41050: Python's \"format\" functionality allows someone controlling the format string to \"read\" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown 'getattr' and 'getitem', not the policy restricted 'AccessControl' variants '_getattr_' and '_getitem_'. This can lead to critical information disclosure. 'AccessControl' already provides a safe variant for 'str.format' and denies access to 'string.Formatter'. However, 'str.format_map' is still unsafe. 
Affected are all users who allow untrusted users to create 'AccessControl' controlled Python code and execute it.", "cve": "CVE-2023-41050", "id": "pyup.io-60983", "more_info_path": "/vulnerabilities/CVE-2023-41050/60983", "specs": [ "<4.4", ">=5.0,<5.8", ">=6.0,<6.2" ], "v": "<4.4,>=5.0,<5.8,>=6.0,<6.2" }, { "advisory": "Accesscontrol 5.3.1 includes a fix for a race condition vulnerability.\r\nhttps://github.com/zopefoundation/AccessControl/pull/125", "cve": "PVE-2023-60951", "id": "pyup.io-60951", "more_info_path": "/vulnerabilities/PVE-2023-60951/60951", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Accesscontrol 4.3 and 5.3 include a fix for CVE-2021-32807: Remote Code Execution via unsafe classes in otherwise permitted modules .\r\nhttps://github.com/advisories/GHSA-qcx9-j53g-ccgf", "cve": "CVE-2021-32807", "id": "pyup.io-42315", "more_info_path": "/vulnerabilities/CVE-2021-32807/42315", "specs": [ ">=4.0,<4.3", ">=5.0,<5.2" ], "v": ">=4.0,<4.3,>=5.0,<5.2" } ], "acqusition": [ { "advisory": "acqusition is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": "PVE-2021-34978", "id": "pyup.io-34978", "more_info_path": "/vulnerabilities/PVE-2021-34978/34978", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "acryl-datahub": [ { "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. 
This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c", "cve": "CVE-2023-25561", "id": "pyup.io-63339", "more_info_path": "/vulnerabilities/CVE-2023-25561/63339", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.8.45 uses the X-DataHub-Actor HTTP header to identify the user making requests without authentication. However, this can be exploited by attackers who can manipulate the case of the header (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass and unauthorized actions. This issue, identified and reported by GitHub Security Lab, is known as GHSL-2022-079.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-qgp2-qr66-j8r8", "cve": "CVE-2023-25559", "id": "pyup.io-63343", "more_info_path": "/vulnerabilities/CVE-2023-25559/63343", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg", "cve": "CVE-2023-25557", "id": "pyup.io-63341", "more_info_path": "/vulnerabilities/CVE-2023-25557/63341", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "In DataHub versions prior to 0.8.45, session cookies are only cleared upon new sign-ins, not during logouts. 
This allows potential attackers to bypass authentication checks using the AuthUtils.hasValidSessionCookie() method by using a cookie from a logged-out session. Consequently, any logged-out session cookie might be considered valid, leading to an authentication bypass. Users are advised to upgrade to version 0.8.45 to rectify this vulnerability. Currently, there are no known workarounds. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-083.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-3974-hxjh-m3jj\r\nhttps://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/datahub-frontend/app/auth/AuthUtils.java#L78", "cve": "CVE-2023-25562", "id": "pyup.io-63338", "more_info_path": "/vulnerabilities/CVE-2023-25562/63338", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3", "cve": "CVE-2023-25560", "id": "pyup.io-63340", "more_info_path": "/vulnerabilities/CVE-2023-25560/63340", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.9.5 uses the X-DataHub-Actor HTTP header to infer the user sending requests on behalf of the frontend. However, due to case-insensitivity, an attacker could potentially exploit this by sending a header with different casing (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass. 
This allows any user to impersonate the system user account and perform actions on its behalf. This vulnerability, tracked as GHSL-2022-079, was discovered and reported by the GitHub Security lab.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-hrwp-2q5c-86wv\r\nhttps://github.com/datahub-project/datahub/commit/2a182f484677d056730d6b4e9f0143e67368359f", "cve": "CVE-2023-25558", "id": "pyup.io-63342", "more_info_path": "/vulnerabilities/CVE-2023-25558/63342", "specs": [ "<0.9.5" ], "v": "<0.9.5" }, { "advisory": "# Missing JWT signature check (`GHSL-2022-078`)\n\nThe [`StatelessTokenService`](https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30) of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the [`parse`](https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134) method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. 
This means that JWTs are accepted regardless of the used algorithm.\n\n#### Impact\n\nThis issue may lead to an authentication bypass.\n\n#### Resources\n\n* [CodeQL: Missing JWT signature check](https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/)", "cve": "CVE-2022-39366", "id": "pyup.io-54556", "more_info_path": "/vulnerabilities/CVE-2022-39366/54556", "specs": [ ">=0,<0.8.45" ], "v": ">=0,<0.8.45" } ], "actinia-core": [ { "advisory": "Actinia-core 2.0.0 fixes an unsafe temporary files creation vulnerability.\r\nhttps://github.com/mundialis/actinia_core/pull/262\r\nhttps://github.com/mundialis/actinia_core/pull/256", "cve": "PVE-2022-50460", "id": "pyup.io-50460", "more_info_path": "/vulnerabilities/PVE-2022-50460/50460", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Actinia-core 4.11.0 updates its dependency 'werkzeug' to v3.0.1 to include a security fix.", "cve": "CVE-2023-46136", "id": "pyup.io-62146", "more_info_path": "/vulnerabilities/CVE-2023-46136/62146", "specs": [ "<4.11.0" ], "v": "<4.11.0" }, { "advisory": "Actinia-core version 4.14.0 updates its Flask dependency from \"Flask>=1.1.4\" to \"Flask>=3.0.0\" to address the security vulnerability identified as CVE-2023-30861.", "cve": "CVE-2023-30861", "id": "pyup.io-71176", "more_info_path": "/vulnerabilities/CVE-2023-30861/71176", "specs": [ "<4.14.0" ], "v": "<4.14.0" }, { "advisory": "Actinia-core version 4.14.0 updates its dependency from version 2.3.6 to 3.0.1 to address the security vulnerability identified as CVE-2023-46136.", "cve": "CVE-2023-46136", "id": "pyup.io-71172", "more_info_path": "/vulnerabilities/CVE-2023-46136/71172", "specs": [ "<4.14.0" ], "v": "<4.14.0" }, { "advisory": "Actinia-core 4.5.0 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/actinia-org/actinia-core/commit/be5299efb6490c9a8b0804f185421c0828c6d126", "cve": "PVE-2023-58948", "id": "pyup.io-58948", "more_info_path": "/vulnerabilities/PVE-2023-58948/58948", 
"specs": [ "<4.5.0" ], "v": "<4.5.0" } ], "actinis-django-storages": [ { "advisory": "Actinis-django-storages 1.7 fixes an insecure default ACL of 'public-read' in the 'S3BotoStorage' and 'S3Boto3Storage' backends.", "cve": "PVE-2022-48499", "id": "pyup.io-48499", "more_info_path": "/vulnerabilities/PVE-2022-48499/48499", "specs": [ "<1.7" ], "v": "<1.7" } ], "actipy": [ { "advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.", "cve": "CVE-2021-41496", "id": "pyup.io-51303", "more_info_path": "/vulnerabilities/CVE-2021-41496/51303", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.", "cve": "CVE-2021-34141", "id": "pyup.io-51296", "more_info_path": "/vulnerabilities/CVE-2021-34141/51296", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "adios2": [ { "advisory": "Adios2 2.9.0 fixes a race condition in OnDemand timestep and in OnDemand delivery.\r\nhttps://github.com/ornladios/ADIOS2/pull/3355/commits/9d55dad75ac09b1a6bfb3a94a054b023ced43fb9\r\nhttps://github.com/ornladios/ADIOS2/pull/3369/commits/fd8b02a72d91ac31d9beb4e68fa77a353b657bb5", "cve": "PVE-2023-62779", "id": "pyup.io-62779", "more_info_path": "/vulnerabilities/PVE-2023-62779/62779", "specs": [ "<2.9.0" ], "v": "<2.9.0" } ], "adversarial-robustness-toolbox": [ { "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28675.", "cve": "CVE-2021-28675", "id": "pyup.io-41781", "more_info_path": "/vulnerabilities/CVE-2021-28675/41781", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. 
See CVE-2021-28678.", "cve": "CVE-2021-28678", "id": "pyup.io-41782", "more_info_path": "/vulnerabilities/CVE-2021-28678/41782", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { "advisory": "Adversarial-robustness-toolbox version 1.7.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-34552.", "cve": "CVE-2021-34552", "id": "pyup.io-41783", "more_info_path": "/vulnerabilities/CVE-2021-34552/41783", "specs": [ "<1.7.1" ], "v": "<1.7.1" }, { "advisory": "Adversarial-robustness-toolbox version 1.8.0 updates its dependency \"Pillow\" to a secure version.", "cve": "CVE-2021-23437", "id": "pyup.io-41784", "more_info_path": "/vulnerabilities/CVE-2021-23437/41784", "specs": [ "<1.8.0" ], "v": "<1.8.0" } ], "adyen": [ { "advisory": "Adyen version 7.1.0 addresses a security vulnerability related to a timing attack in HMAC comparisons.", "cve": "PVE-2024-66853", "id": "pyup.io-66853", "more_info_path": "/vulnerabilities/PVE-2024-66853/66853", "specs": [ "<7.1.0" ], "v": "<7.1.0" } ], "aegea": [ { "advisory": "Aegea 2.2.7 updates the minimum requirement for its dependency 'paramiko' to v2.4.2 to include a security fix.", "cve": "CVE-2018-1000805", "id": "pyup.io-37611", "more_info_path": "/vulnerabilities/CVE-2018-1000805/37611", "specs": [ "<2.2.7" ], "v": "<2.2.7" } ], "aethos": [ { "advisory": "Aethos 0.3.0.1 hotfixed NLTK package in setup.py.", "cve": "PVE-2021-37721", "id": "pyup.io-37721", "more_info_path": "/vulnerabilities/PVE-2021-37721/37721", "specs": [ "<0.3.0.1" ], "v": "<0.3.0.1" } ], "afdko": [ { "advisory": "Afdko 3.0.0 includes a fix for a code execution vulnerability.\r\nhttps://github.com/adobe-type-tools/afdko/issues/780", "cve": "PVE-2023-54923", "id": "pyup.io-54923", "more_info_path": "/vulnerabilities/PVE-2023-54923/54923", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "agentscope": [ { "advisory": "Affected versions of Agentscope are vulnerable to Code Injection. 
Agentscope does not implement security measures to isolate the execution of user-provided code, which could lead to the takeover of the server running the code.", "cve": "PVE-2024-73116", "id": "pyup.io-73116", "more_info_path": "/vulnerabilities/PVE-2024-73116/73116", "specs": [ "<0.1.0" ], "v": "<0.1.0" }, { "advisory": "Affected versions of Agentscope are vulnerable to Code Injection. The fix for PVE-2024-73116 was incomplete. The applied black-list to filter out dangerous commands can be simply bypassed. For example, the attackers can run rm --rf (note that there are more than one space character in between the rm and -rf) to bypass the check as the blocked item only has one space in between. Moreover, the current black-list also overlooked many other dangerous commands such as netcat, the hackers can simply create a backdoor by the command nc -lvvp 6666 -e /bin/sh to enable a remote shell and then log into the victim system to run arbitrary commands as follows.", "cve": "PVE-2024-73124", "id": "pyup.io-73124", "more_info_path": "/vulnerabilities/PVE-2024-73124/73124", "specs": [ ">=0" ], "v": ">=0" } ], "agentuniverse": [ { "advisory": "Agentuniverse version 0.0.8 updates its langchain dependency from version 0.0.352 to 0.1.20 to address the security vulnerability identified as CVE-2024-21503.", "cve": "CVE-2024-21503", "id": "pyup.io-71402", "more_info_path": "/vulnerabilities/CVE-2024-21503/71402", "specs": [ "<0.0.8" ], "v": "<0.0.8" }, { "advisory": "Agentuniverse version 0.0.8 updates its gunicorn dependency from 21.2.0 to ^22.0.0 to address the security vulnerability identified as CVE-2024-1135.", "cve": "CVE-2024-1135", "id": "pyup.io-71403", "more_info_path": "/vulnerabilities/CVE-2024-1135/71403", "specs": [ "<0.0.8" ], "v": "<0.0.8" }, { "advisory": "Agentuniverse version 0.0.8 updates its requests dependency from version ^2.31.0 to ^2.32.0 to address the security vulnerability identified as CVE-2024-35195.", "cve": "CVE-2024-35195", "id": 
"pyup.io-71387", "more_info_path": "/vulnerabilities/CVE-2024-35195/71387", "specs": [ "<0.0.8" ], "v": "<0.0.8" }, { "advisory": "Agentuniverse version 0.0.8 updates its Jinja2 dependency to version ^3.1.4, addressing the security vulnerability identified as CVE-2024-22195.", "cve": "CVE-2024-22195", "id": "pyup.io-71401", "more_info_path": "/vulnerabilities/CVE-2024-22195/71401", "specs": [ "<0.0.8" ], "v": "<0.0.8" }, { "advisory": "Agentuniverse version 0.0.8 updates its flask dependency from ^2.2 to ^2.3.2 to address the security vulnerability identified as CVE-2023-30861.", "cve": "CVE-2023-30861", "id": "pyup.io-71400", "more_info_path": "/vulnerabilities/CVE-2023-30861/71400", "specs": [ "<0.0.8" ], "v": "<0.0.8" } ], "agixt": [ { "advisory": "Agixt 1.2.4 includes a fix for a path traversal vulnerability. \r\nhttps://github.com/Josh-XT/AGiXT/pull/673", "cve": "PVE-2023-58993", "id": "pyup.io-58993", "more_info_path": "/vulnerabilities/PVE-2023-58993/58993", "specs": [ "<1.2.4" ], "v": "<1.2.4" }, { "advisory": "Agixt version 1.5.17 fixes an issue with context injection strings, enhancing the handling of feedback and web search data. This update prevents potential vulnerabilities where maliciously crafted inputs could inject unintended commands or data into the application's context, thereby improving the security and reliability of the application's response generation.", "cve": "PVE-2024-71135", "id": "pyup.io-71135", "more_info_path": "/vulnerabilities/PVE-2024-71135/71135", "specs": [ "<1.5.17" ], "v": "<1.5.17" } ], "agpt": [ { "advisory": "A critical vulnerability in the ShellCommandExecutor component of the Forge library and significant-gravitas/autogpt affected versions allows attackers to execute arbitrary commands on the host system. The component lacks proper security measures, enabling command injection attacks. Additionally, attackers can bypass shell command denylists by using modified paths (e.g., /bin/./whoami). 
This vulnerability can lead to unauthorized access, data breaches, or system compromise. Users should avoid the ShellCommandExecutor in production, implement robust sandboxing, update autogpt to the latest version, and review command execution security measures to mitigate these risks.", "cve": "CVE-2024-6091", "id": "pyup.io-73328", "more_info_path": "/vulnerabilities/CVE-2024-6091/73328", "specs": [ ">=0" ], "v": ">=0" } ], "agraph-python": [ { "advisory": "Agraph-python 101.0.1 updates urllib3 from 1.22 to 1.23 for security reasons.", "cve": "CVE-2018-20060", "id": "pyup.io-38506", "more_info_path": "/vulnerabilities/CVE-2018-20060/38506", "specs": [ "<101.0.1" ], "v": "<101.0.1" }, { "advisory": "Agraph-python 101.0.1 updates requests from 2.18.4 to 2.20.0 for security reasons.", "cve": "CVE-2018-18074", "id": "pyup.io-42708", "more_info_path": "/vulnerabilities/CVE-2018-18074/42708", "specs": [ "<101.0.1" ], "v": "<101.0.1" }, { "advisory": "Agraph-python 101.0.3 updates urllib3 to 1.24.2 for security reasons.", "cve": "CVE-2019-11324", "id": "pyup.io-37085", "more_info_path": "/vulnerabilities/CVE-2019-11324/37085", "specs": [ "<101.0.3" ], "v": "<101.0.3" } ], "ahc-tools": [ { "advisory": "Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a (dot dot) the session parameter.", "cve": "CVE-2014-3702", "id": "pyup.io-70427", "more_info_path": "/vulnerabilities/CVE-2014-3702/70427", "specs": [ "<1.6.0" ], "v": "<1.6.0" } ], "ahjo": [ { "advisory": "Ahjo 3.1.1 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", "cve": "CVE-2022-40897", "id": "pyup.io-52764", "more_info_path": "/vulnerabilities/CVE-2022-40897/52764", "specs": [ "<3.1.1" ], "v": "<3.1.1" }, { "advisory": "Ahjo 3.1.5 updates its dependency 'pyodbc' to v4.0.39 to include a security fix.", "cve": "PVE-2023-54980", "id": "pyup.io-55055", 
"more_info_path": "/vulnerabilities/PVE-2023-54980/55055", "specs": [ "<3.1.5" ], "v": "<3.1.5" } ], "ai-flow": [ { "advisory": "A vulnerability was found in flink-extended ai-flow 0.3.1. It has been declared as critical. Affected by this vulnerability is the function cloudpickle.loads of the file \\ai_flow\\cli\\commands\\workflow_command.py. The manipulation leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252205 was assigned to this vulnerability.", "cve": "CVE-2024-0960", "id": "pyup.io-66688", "more_info_path": "/vulnerabilities/CVE-2024-0960/66688", "specs": [ "<=0.3.1" ], "v": "<=0.3.1" } ], "ai-python": [ { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41213", "id": "pyup.io-43062", "more_info_path": "/vulnerabilities/CVE-2021-41213/43062", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41208", "id": "pyup.io-43071", "more_info_path": "/vulnerabilities/CVE-2021-41208/43071", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41211", "id": "pyup.io-43053", "more_info_path": "/vulnerabilities/CVE-2021-41211/43053", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41209", "id": "pyup.io-43061", "more_info_path": "/vulnerabilities/CVE-2021-41209/43061", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41228", "id": "pyup.io-43064", "more_info_path": 
"/vulnerabilities/CVE-2021-41228/43064", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41217", "id": "pyup.io-43054", "more_info_path": "/vulnerabilities/CVE-2021-41217/43054", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41214", "id": "pyup.io-43055", "more_info_path": "/vulnerabilities/CVE-2021-41214/43055", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41219", "id": "pyup.io-43056", "more_info_path": "/vulnerabilities/CVE-2021-41219/43056", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41218", "id": "pyup.io-43067", "more_info_path": "/vulnerabilities/CVE-2021-41218/43067", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41216", "id": "pyup.io-43068", "more_info_path": "/vulnerabilities/CVE-2021-41216/43068", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41206", "id": "pyup.io-43072", "more_info_path": "/vulnerabilities/CVE-2021-41206/43072", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41201", "id": "pyup.io-43077", "more_info_path": "/vulnerabilities/CVE-2021-41201/43077", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41197", "id": 
"pyup.io-43078", "more_info_path": "/vulnerabilities/CVE-2021-41197/43078", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41204", "id": "pyup.io-43063", "more_info_path": "/vulnerabilities/CVE-2021-41204/43063", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41222", "id": "pyup.io-43065", "more_info_path": "/vulnerabilities/CVE-2021-41222/43065", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41224", "id": "pyup.io-43066", "more_info_path": "/vulnerabilities/CVE-2021-41224/43066", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41220", "id": "pyup.io-43070", "more_info_path": "/vulnerabilities/CVE-2021-41220/43070", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41207", "id": "pyup.io-43075", "more_info_path": "/vulnerabilities/CVE-2021-41207/43075", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41202", "id": "pyup.io-43076", "more_info_path": "/vulnerabilities/CVE-2021-41202/43076", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41198", "id": "pyup.io-43080", "more_info_path": "/vulnerabilities/CVE-2021-41198/43080", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": 
"CVE-2021-41215", "id": "pyup.io-43069", "more_info_path": "/vulnerabilities/CVE-2021-41215/43069", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41210", "id": "pyup.io-43081", "more_info_path": "/vulnerabilities/CVE-2021-41210/43081", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41196", "id": "pyup.io-43050", "more_info_path": "/vulnerabilities/CVE-2021-41196/43050", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41225", "id": "pyup.io-43059", "more_info_path": "/vulnerabilities/CVE-2021-41225/43059", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41203", "id": "pyup.io-43051", "more_info_path": "/vulnerabilities/CVE-2021-41203/43051", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41212", "id": "pyup.io-43074", "more_info_path": "/vulnerabilities/CVE-2021-41212/43074", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41195", "id": "pyup.io-43079", "more_info_path": "/vulnerabilities/CVE-2021-41195/43079", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41200", "id": "pyup.io-43052", "more_info_path": "/vulnerabilities/CVE-2021-41200/43052", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include 
security fixes.", "cve": "CVE-2021-41226", "id": "pyup.io-43057", "more_info_path": "/vulnerabilities/CVE-2021-41226/43057", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41227", "id": "pyup.io-43058", "more_info_path": "/vulnerabilities/CVE-2021-41227/43058", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41221", "id": "pyup.io-43060", "more_info_path": "/vulnerabilities/CVE-2021-41221/43060", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41205", "id": "pyup.io-43073", "more_info_path": "/vulnerabilities/CVE-2021-41205/43073", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'tensorflow' to v2.6.1 to include security fixes.", "cve": "CVE-2021-41199", "id": "pyup.io-43002", "more_info_path": "/vulnerabilities/CVE-2021-41199/43002", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", "cve": "CVE-2021-34552", "id": "pyup.io-43082", "more_info_path": "/vulnerabilities/CVE-2021-34552/43082", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Ai-python 0.8.1 updates its dependency 'pillow' to v8.3.2 to include security fixes.", "cve": "CVE-2021-23437", "id": "pyup.io-43083", "more_info_path": "/vulnerabilities/CVE-2021-23437/43083", "specs": [ "<0.8.1" ], "v": "<0.8.1" } ], "aiida": [ { "advisory": "Aiida 0.12.3 fixes a security vulnerability by upgrading `paramiko` to `2.4.2`.", "cve": "PVE-2021-37054", "id": "pyup.io-37054", "more_info_path": "/vulnerabilities/PVE-2021-37054/37054", "specs": [ "<0.12.3" ], "v": "<0.12.3" }, { "advisory": "Aiida 1.1.0 includes a fix for a code execution 
vulnerability in its dependency 'pyyaml'.\r\nhttps://github.com/aiidateam/aiida-core/pull/3675/commits/3a921192622c225516c8d9b0fa104cbd8201c177\r\nNOTE: \"This metapackage for AiiDA has been deprecated as of v1.0 and is no longer being maintained. If you want to install AiiDA, please install the aiida-core package instead.\"", "cve": "CVE-2017-18342", "id": "pyup.io-43428", "more_info_path": "/vulnerabilities/CVE-2017-18342/43428", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "aiida-core": [ { "advisory": "aiida-core 0.12.3 fixes security vulnerability by upgrading `paramiko` to `2.4.2`", "cve": "PVE-2021-36956", "id": "pyup.io-36956", "more_info_path": "/vulnerabilities/PVE-2021-36956/36956", "specs": [ "<0.12.3" ], "v": "<0.12.3" }, { "advisory": "Aiida-core 1.1.0 updates its dependency 'pyyaml' to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-45582", "more_info_path": "/vulnerabilities/CVE-2017-18342/45582", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Aiida-core before 1.6.0 adds security option to toggle POST methods on/off with the 'verdi restapi --posting/--no-posting' options (it is on by default).", "cve": "PVE-2021-40304", "id": "pyup.io-40304", "more_info_path": "/vulnerabilities/PVE-2021-40304/40304", "specs": [ "<1.6.0" ], "v": "<1.6.0" }, { "advisory": "Aiida-core 1.6.5 updates 'PyYAML' to v5.4 to fix critical security issues.", "cve": "CVE-2020-1747", "id": "pyup.io-43457", "more_info_path": "/vulnerabilities/CVE-2020-1747/43457", "specs": [ "<1.6.5" ], "v": "<1.6.5" }, { "advisory": "Aiida-core 1.6.5 updates 'PyYAML' to v5.4 to fix critical security issues.", "cve": "CVE-2020-14343", "id": "pyup.io-43458", "more_info_path": "/vulnerabilities/CVE-2020-14343/43458", "specs": [ "<1.6.5" ], "v": "<1.6.5" }, { "advisory": "Aiida-core 1.6.5 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2019-20477", "id": "pyup.io-41169", "more_info_path": "/vulnerabilities/CVE-2019-20477/41169", "specs": [ 
"<1.6.5" ], "v": "<1.6.5" } ], "ail": [ { "advisory": "Global.py in AIL framework 2.8 allows path traversal.", "cve": "CVE-2020-8545", "id": "pyup.io-70578", "more_info_path": "/vulnerabilities/CVE-2020-8545/70578", "specs": [ "<2.9" ], "v": "<2.9" } ], "aim": [ { "advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.", "cve": "CVE-2020-5311", "id": "pyup.io-48613", "more_info_path": "/vulnerabilities/CVE-2020-5311/48613", "specs": [ "<1.2.13" ], "v": "<1.2.13" }, { "advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.", "cve": "CVE-2020-5310", "id": "pyup.io-48607", "more_info_path": "/vulnerabilities/CVE-2020-5310/48607", "specs": [ "<1.2.13" ], "v": "<1.2.13" }, { "advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.", "cve": "CVE-2020-5312", "id": "pyup.io-48614", "more_info_path": "/vulnerabilities/CVE-2020-5312/48614", "specs": [ "<1.2.13" ], "v": "<1.2.13" }, { "advisory": "Aim 1.2.13 updates its dependency 'pillow' to v6.2.2 to include security fixes.", "cve": "CVE-2020-5313", "id": "pyup.io-48615", "more_info_path": "/vulnerabilities/CVE-2020-5313/48615", "specs": [ "<1.2.13" ], "v": "<1.2.13" }, { "advisory": "Aim before 3.2.0 runs its server only on unsafe HTTP protocol.\r\nhttps://github.com/aimhubio/aim/issues/1073", "cve": "PVE-2022-48606", "id": "pyup.io-48606", "more_info_path": "/vulnerabilities/PVE-2022-48606/48606", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. 
An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.", "cve": "CVE-2024-2196", "id": "pyup.io-71905", "more_info_path": "/vulnerabilities/CVE-2024-2196/71905", "specs": [ "<=3.17.5" ], "v": "<=3.17.5" }, { "advisory": "A critical security vulnerability affects the aimhubio aim library. The vulnerability exists in the dangerouslySetInnerHTML function of the file textbox.tsx within the Text Explorer component. Attackers can exploit this vulnerability by manipulating the query argument, leading to cross-site scripting (XSS). This allows remote execution of malicious scripts in the context of the victim's browser, potentially compromising user data or performing unauthorized actions. The vulnerability has been publicly disclosed, and exploits may exist in the wild.", "cve": "CVE-2024-8863", "id": "pyup.io-73307", "more_info_path": "/vulnerabilities/CVE-2024-8863/73307", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0.", "cve": "CVE-2021-43775", "id": "pyup.io-54444", "more_info_path": "/vulnerabilities/CVE-2021-43775/54444", "specs": [ ">=0,<3.1.0" ], "v": ">=0,<3.1.0" }, { "advisory": "A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint in affected versions. 
The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.", "cve": "CVE-2024-2195", "id": "pyup.io-71904", "more_info_path": "/vulnerabilities/CVE-2024-2195/71904", "specs": [ ">=3.0.0" ], "v": ">=3.0.0" } ], "aio-pika": [ { "advisory": "Aio-pika 9.1.5 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/mosquito/aio-pika/pull/566", "cve": "PVE-2023-59901", "id": "pyup.io-59901", "more_info_path": "/vulnerabilities/PVE-2023-59901/59901", "specs": [ "<9.1.5" ], "v": "<9.1.5" } ], "aioapns": [ { "advisory": "Certificate hostname validation in aioapns version 1.10 is enabled by default for security reasons. It can be turned off by using no_cert_validation option.", "cve": "PVE-2021-38620", "id": "pyup.io-38620", "more_info_path": "/vulnerabilities/PVE-2021-38620/38620", "specs": [ "<1.10" ], "v": "<1.10" } ], "aiobotocore": [ { "advisory": "Aiobotocore 2.9.1 fixes a race condition that was affecting the S3 Express identity cache. This race condition could occur when multiple threads attempted to read from or write to the cache simultaneously, leading to unpredictable behavior. The fix involves implementing synchronization mechanisms, specifically an asyncio lock, to ensure that only one thread can access the cache at a time.\r\nhttps://github.com/aio-libs/aiobotocore/pull/1073/commits/9097884cd8246460794157125ccd6378c3e901f8", "cve": "PVE-2024-64278", "id": "pyup.io-64278", "more_info_path": "/vulnerabilities/PVE-2024-64278/64278", "specs": [ "<2.9.1" ], "v": "<2.9.1" } ], "aiocoap": [ { "advisory": "The proxy in aiocoap 0.4a1 only creates log files when explicitly requested (18ddf8c). 
Also, support for secured protocols has been added.", "cve": "PVE-2021-37469", "id": "pyup.io-37469", "more_info_path": "/vulnerabilities/PVE-2021-37469/37469", "specs": [ "<0.4a1" ], "v": "<0.4a1" } ], "aiocouchdb": [ { "advisory": "aiocouchdb 0.6.0 now correctly set members for database security.", "cve": "PVE-2021-25612", "id": "pyup.io-25612", "more_info_path": "/vulnerabilities/PVE-2021-25612/25612", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "aiocurrencylayer": [ { "advisory": "Aiocurrencylayer version 1.0.4 updates its httpx dependency to version 0.23 or newer in response to CVE-2021-41945.\r\nhttps://github.com/home-assistant-ecosystem/aiocurrencylayer/commit/5768c17400f7d6222290f671ba3c8ba7b4c223ce", "cve": "CVE-2021-41945", "id": "pyup.io-66794", "more_info_path": "/vulnerabilities/CVE-2021-41945/66794", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "aioftp": [ { "advisory": "The server of aioftp 0.15.0 uses explicit mapping of available commands for security reasons.", "cve": "PVE-2021-38045", "id": "pyup.io-38045", "more_info_path": "/vulnerabilities/PVE-2021-38045/38045", "specs": [ "<0.15.0" ], "v": "<0.15.0" } ], "aiohttp": [ { "advisory": "Aiohttp 0.16.3 fixes a directory traversal vulnerability by making changes in StaticRoute class of web_urldispatcher.py.\r\nhttps://github.com/aio-libs/aiohttp/pull/383", "cve": "PVE-2021-25613", "id": "pyup.io-25613", "more_info_path": "/vulnerabilities/PVE-2021-25613/25613", "specs": [ "<0.16.3" ], "v": "<0.16.3" }, { "advisory": "The Aiohttp 0.22.0 addresses a security concern where ClientSession was leaking cookies across different hostnames. This update introduces improved cookie management in line with RFC 6265, adding filters based on the \"Domain\" attribute of cookies. It ensures cookies without a specified \"Domain\" are shared across all requests for backward compatibility, while cookies with a specific domain are handled appropriately. 
The update also includes enhancements like rejecting cookies from IP addresses and handling cookies with attributes like \"Secure\", \"Path\", \"Expires\", and \"Max-Age\". \r\nhttps://github.com/aio-libs/aiohttp/commit/00169997ff69ae3d31a894bcb9ea0549713cafa6", "cve": "PVE-2024-64598", "id": "pyup.io-64598", "more_info_path": "/vulnerabilities/PVE-2024-64598/64598", "specs": [ "<0.22.0" ], "v": "<0.22.0" }, { "advisory": "Aiohttp 3.7.4 includes a fix for CVE-2021-21330: In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the 'aiohttp.web_middlewares.normalize_path_middleware' middleware. A workaround can be to avoid using 'aiohttp.web_middlewares.normalize_path_middleware' in your applications.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg", "cve": "CVE-2021-21330", "id": "pyup.io-39659", "more_info_path": "/vulnerabilities/CVE-2021-21330/39659", "specs": [ "<3.7.4" ], "v": "<3.7.4" }, { "advisory": "Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.\r\nhttps://github.com/aio-libs/aiohttp/issues/4818", "cve": "PVE-2021-42692", "id": "pyup.io-42692", "more_info_path": "/vulnerabilities/PVE-2021-42692/42692", "specs": [ "<3.8.0" ], "v": "<3.8.0" }, { "advisory": "Aiohttp 3.8.0 includes a fix for CVE-2023-47641: Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. 
As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j", "cve": "CVE-2023-47641", "id": "pyup.io-62327", "more_info_path": "/vulnerabilities/CVE-2023-47641/62327", "specs": [ "<3.8.0" ], "v": "<3.8.0" }, { "advisory": "Aiohttp 3.8.6 includes a fix for CVE-2023-47627: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel).\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg", "cve": "CVE-2023-47627", "id": "pyup.io-62326", "more_info_path": "/vulnerabilities/CVE-2023-47627/62326", "specs": [ "<3.8.6" ], "v": "<3.8.6" }, { "advisory": "Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9", "cve": "PVE-2023-61657", "id": "pyup.io-61657", "more_info_path": "/vulnerabilities/PVE-2023-61657/61657", "specs": [ "<3.8.6" ], "v": "<3.8.6" }, { "advisory": "Aiohttp 3.9.0 includes a fix for CVE-2023-49081: Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. 
The vulnerability only occurs if the attacker can control the HTTP version of the request.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2", "cve": "CVE-2023-49081", "id": "pyup.io-62582", "more_info_path": "/vulnerabilities/CVE-2023-49081/62582", "specs": [ "<3.9.0" ], "v": "<3.9.0" }, { "advisory": "Affected versions of aiohttp are vulnerable to an Improper Validation vulnerability. It is possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).", "cve": "CVE-2023-49082", "id": "pyup.io-62583", "more_info_path": "/vulnerabilities/CVE-2023-49082/62583", "specs": [ "<3.9.0" ], "v": "<3.9.0" }, { "advisory": "Aiohttp versions earlier than 3.9 have a vulnerability that affects the Python HTTP parser used in the aiohttp library. It allows for minor differences in allowable character sets, which undermines the robust frame boundary matching that proxies rely on to protect against the injection of additional requests. The vulnerability also allows exceptions during validation that aren't handled consistently with other malformed inputs.", "cve": "CVE-2024-23829", "id": "pyup.io-64644", "more_info_path": "/vulnerabilities/CVE-2024-23829/64644", "specs": [ "<3.9.1" ], "v": "<3.9.1" }, { "advisory": "Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. 
Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.", "cve": "CVE-2024-30251", "id": "pyup.io-71545", "more_info_path": "/vulnerabilities/CVE-2024-30251/71545", "specs": [ "<3.9.4" ], "v": "<3.9.4" }, { "advisory": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.", "cve": "CVE-2024-27306", "id": "pyup.io-70630", "more_info_path": "/vulnerabilities/CVE-2024-27306/70630", "specs": [ "<3.9.4" ], "v": "<3.9.4" }, { "advisory": "Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.\r\nhttps://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w", "cve": "CVE-2023-37276", "id": "pyup.io-59725", "more_info_path": "/vulnerabilities/CVE-2023-37276/59725", "specs": [ "<=3.8.4" ], "v": "<=3.8.4" }, { "advisory": "The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. 
Using a reverse proxy server to handle static resources is also recommended.\r\nhttps://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b", "cve": "CVE-2024-23334", "id": "pyup.io-64642", "more_info_path": "/vulnerabilities/CVE-2024-23334/64642", "specs": [ ">1.0.5,<3.9.2" ], "v": ">1.0.5,<3.9.2" } ], "aiohttp-auth-autz": [ { "advisory": "Aiohttp-auth-autz before 0.2.0 isn't correctly checking the user_id in acl middleware, leading to a possible permission escalation.\r\nhttps://github.com/ilex/aiohttp_auth_autz/commit/b8bb3178786daebc828298dc0d1988b191890495", "cve": "PVE-2021-32971", "id": "pyup.io-32971", "more_info_path": "/vulnerabilities/PVE-2021-32971/32971", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "aiohttp-jinja2": [ { "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", "cve": "CVE-2014-1402", "id": "pyup.io-37095", "more_info_path": "/vulnerabilities/CVE-2014-1402/37095", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", "cve": "CVE-2016-10745", "id": "pyup.io-44431", "more_info_path": "/vulnerabilities/CVE-2016-10745/44431", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Aiohttp-jinja2 1.1.1 updates minimal supported 'Jinja2' version to 2.10.1 to include security fixes.", "cve": "CVE-2019-10906", "id": "pyup.io-44432", "more_info_path": "/vulnerabilities/CVE-2019-10906/44432", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "aiohttp-proxies": [ { "advisory": "Aiohttp-proxies is a malicious package. 
It contains a backdoor.\r\nhttps://blog.sonatype.com/can-you-spot-this-cryptic-reverse-shell-found-in-pypi-packages", "cve": "PVE-2022-47805", "id": "pyup.io-47805", "more_info_path": "/vulnerabilities/PVE-2022-47805/47805", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aiohttp-session": [ { "advisory": "aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).", "cve": "CVE-2018-1000519", "id": "pyup.io-53986", "more_info_path": "/vulnerabilities/CVE-2018-1000519/53986", "specs": [ ">=0,<2.4.0" ], "v": ">=0,<2.4.0" }, { "advisory": "aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. This attack appear to be exploitable via Recreation of a cookie post-expiry with the same value.", "cve": "CVE-2018-1000814", "id": "pyup.io-53989", "more_info_path": "/vulnerabilities/CVE-2018-1000814/53989", "specs": [ ">=0,<2.7.0" ], "v": ">=0,<2.7.0" } ], "aiohttp-socks4": [ { "advisory": "Aiohttp-socks4 is a malicious package, typosquatting. It installs a Trojan in your system.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47816", "id": "pyup.io-47816", "more_info_path": "/vulnerabilities/PVE-2022-47816/47816", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aiohttp-socks5": [ { "advisory": "Aiohttp-socks5 is a malicious package, typosquatting. 
It installs a Trojan in your system.\r\nhttps://blog.sonatype.com/trojanized-pypi-package-imitates-a-popular-python-server-library", "cve": "PVE-2022-47822", "id": "pyup.io-47822", "more_info_path": "/vulnerabilities/PVE-2022-47822/47822", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aiohttp-swagger": [ { "advisory": "Aiohttp-swagger before 1.0.15 includes a version of js-yaml that's not secure.", "cve": "PVE-2021-38483", "id": "pyup.io-38483", "more_info_path": "/vulnerabilities/PVE-2021-38483/38483", "specs": [ "<1.0.15" ], "v": "<1.0.15" } ], "aiokafka": [ { "advisory": "Aiokafka 0.4.0 includes a fix for a potential race condition vulnerability.\r\nhttps://github.com/aio-libs/aiokafka/pull/286", "cve": "PVE-2023-62410", "id": "pyup.io-62410", "more_info_path": "/vulnerabilities/PVE-2023-62410/62410", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "aiolifx-themes": [ { "advisory": "Aiolifx-themes 0.4.1 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", "cve": "CVE-2022-40897", "id": "pyup.io-52569", "more_info_path": "/vulnerabilities/CVE-2022-40897/52569", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "aiootp": [ { "advisory": "The `Opake.client` & `Opake.client_registration` methods in aiootp version 0.11.0 take an instantiated client database instead of client credentials which improves security, efficiency & usability. This change reduces the amount of exposure received by user passwords & other credentials. 
It also simplifies usage of the protocol by only needing to carry around a database instead of a slew of credentials, which is also faster, since the credentials are passed through the cpu & memory hard `passcrypt` function every time to open the database.", "cve": "PVE-2021-38602", "id": "pyup.io-38602", "more_info_path": "/vulnerabilities/PVE-2021-38602/38602", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Aiootp 0.13.0 contains a security patch for 'xor' and 'axor' functions which define the one-time-pad cipher (they can leak <1-bit of plaintext).", "cve": "PVE-2021-39508", "id": "pyup.io-39508", "more_info_path": "/vulnerabilities/PVE-2021-39508/39508", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Aiootp 0.17.0 includes a security patch for a critical vulnerability. The HMAC verifiers on ciphertexts did not include the 'salt' or 'pid' values when deriving the HMAC. This associated data can therefore be changed to cause a party to decrypt a past ciphertext with a salt or pid of an attacker's choosing.", "cve": "PVE-2021-39534", "id": "pyup.io-39534", "more_info_path": "/vulnerabilities/PVE-2021-39534/39534", "specs": [ "<0.17.0" ], "v": "<0.17.0" }, { "advisory": "Aiootp 0.18.0 rewrites the HMAC validation procedure for all ciphers. 
The new StreamHMAC class ensures the user must contend with ciphertext validation even when using the *_encipher, *_decipher & *_xor Comprende generators.\r\nhttps://github.com/rmlibre/aiootp/commit/7700ed9fc7cc3255b85bef9ff2531a2ec511f5bd", "cve": "PVE-2021-40254", "id": "pyup.io-40254", "more_info_path": "/vulnerabilities/PVE-2021-40254/40254", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { "advisory": "Aiootp 0.18.1 deprecates and replaces an internal 'kdf' for saving database tags due to a vulnerability: If an adversary can get a user to reveal the value returned by the 'HMAC' method when fed the tag file's filename & the salt used for that encrypted tag, then they could deduce the decryption key for the tag.", "cve": "PVE-2021-40253", "id": "pyup.io-40253", "more_info_path": "/vulnerabilities/PVE-2021-40253/40253", "specs": [ "<0.18.1" ], "v": "<0.18.1" }, { "advisory": "Aiootp 0.19.0 includes several important security patches and other improvements.", "cve": "PVE-2021-40252", "id": "pyup.io-40252", "more_info_path": "/vulnerabilities/PVE-2021-40252/40252", "specs": [ "<0.19.0" ], "v": "<0.19.0" }, { "advisory": "Aiootp 0.19.3 removes 'map_encipher', 'map_decipher', 'amap_encipher' and 'amap_decipher' generators from the 'Chunky2048' and 'Comprende' classes due to security reasons.", "cve": "PVE-2021-40251", "id": "pyup.io-40251", "more_info_path": "/vulnerabilities/PVE-2021-40251/40251", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Aiootp 0.2.0 adds ephemeral salts to the ``AsyncDatabase`` & ``Database`` file encryption procedures. This is a major security fix, as re-encryption of files with the same tag in a database with the same open key would use the same streams of key material each time, breaking encryption if two different versions of a tag file's ciphertext stored to disk were available to an adversary. 
The database methods ``encrypt``, ``decrypt``, ``aencrypt`` & ``adecrypt`` will now produce and decipher true one-time pad ciphertext with these ephemeral salts.", "cve": "PVE-2021-38250", "id": "pyup.io-38250", "more_info_path": "/vulnerabilities/PVE-2021-38250/38250", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "Aiootp 0.22.0 includes a fix for a high severity vulnerability: The top-level '(a)csprng' functions were found to be unsafe in concurrent code, leading to the possibility of producing identical outputs from distinct calls if run in quick succession from concurrently running threads & co-routines. The classification of this vulnerability is severe because: 1) users should be able to expect the output of a 64-byte cryptographically secure pseudo-random number generator to always produce unique outputs; and, 2) much of the package utilizes them to produce cryptographic material. This vulnerability does not affect users of the library which are not running it in multiple concurrent threads or co-routines.", "cve": "PVE-2023-53025", "id": "pyup.io-53025", "more_info_path": "/vulnerabilities/PVE-2023-53025/53025", "specs": [ "<0.22.0" ], "v": "<0.22.0" }, { "advisory": "The ``AsyncDatabase`` & ``Database`` in aiootp version 0.3.0 use the more secure ``afilename`` & ``filename`` methods to derive the hashmap name and encryption streams from a user-defined tag internal to their ``aencrypt`` / ``adecrypt`` / ``encrypt`` / ``decrypt`` methods, as well as, prior to them getting called. 
This will break past versions of databases' ability to open their files.", "cve": "PVE-2021-38256", "id": "pyup.io-38256", "more_info_path": "/vulnerabilities/PVE-2021-38256/38256", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Aiootp 0.6.0 replaces several usages of ``random.randrange`` within ``randoms.py`` with calls to ``secrets.token_bytes`` which is faster & more secure.", "cve": "PVE-2021-38361", "id": "pyup.io-38361", "more_info_path": "/vulnerabilities/PVE-2021-38361/38361", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Aiootp 0.8.0 fixes the test_hmac and atest_hmac functions in the keys & database classes. The new non-constant-time algorithm needs a random salt to be added before doing the secondary hmac to prevent some potential exotic forms of chosen plaintext/ciphertext attacks on the algorithm. The last version of the algorithm should not be used. \r\n\r\nAlso, the 'Keys' & 'AsyncKeys' interfaces were overhauled to remove the persistence of instance salts. They were intended to be updated by users with the 'reset' & 'areset' methods, but that cannot be guaranteed easily through the class, so it is an inappropriate interface since reusing salts for encryption is completely insecure. The instances do still maintain state of their main encryption key, & new stateful methods for key generation, like 'mnemonic' & 'table_key', have been added. The 'state' & 'astate' methods have been removed.", "cve": "PVE-2021-38381", "id": "pyup.io-38381", "more_info_path": "/vulnerabilities/PVE-2021-38381/38381", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Aiootp 0.8.1 adds cryptographically secure pseudo-random values as default keys in encryption functions to safeguard against users accidentally encrypting data without specifying a key. 
This way, such mistakes will produce ciphertext with an unrecoverable key, instead of without a key at all.", "cve": "PVE-2021-38395", "id": "pyup.io-38395", "more_info_path": "/vulnerabilities/PVE-2021-38395/38395", "specs": [ "<0.8.1" ], "v": "<0.8.1" }, { "advisory": "Aiootp 0.9.0 adds hmac codes to ciphertext for the following functions: 'json_encrypt', 'ajson_encrypt', 'bytes_encrypt', 'abytes_encrypt', 'Database.encrypt' & 'AsyncDatabase.aencrypt'. This change greatly increases the security of ciphertext by ensuring it hasn't been modified or tampered with maliciously. One-time pad ciphertext is malleable, so without hmac validation it can be altered so that decryption still succeeds but returns the wrong plaintext. These functions are the highest level abstractions of the library for encryption/decryption, which made them excellent targets for this important security update. As well, it isn't easily possible for the library to provide hmac codes for generators that produce ciphertext, because the end of a stream of ciphertext isn't known until after the results have left the scope of library code. So users will need to produce their own hmac codes for generator ciphertext unless we find an elegant solution to this issue. These functions now all return dictionaries with the associated hmac stored in the 'hmac' entry. The bytes functions formerly returned lists; now their ciphertext is available from the '\"ciphertext\"' entry. And, all database files will have an hmac attached to them now. 
These changes were designed to still be compatible with old ciphertexts but they'll likely be made incompatible by the v0.11.x major release.", "cve": "PVE-2021-38401", "id": "pyup.io-38401", "more_info_path": "/vulnerabilities/PVE-2021-38401/38401", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Aiootp 0.9.1 includes two security improvements:\r\n\r\n- Any falsey values for the 'salt' keyword argument in the library's 'keys', 'akeys', 'bytes_keys', 'abytes_keys', 'subkeys', & 'asubkeys' infinite keystream generators, & other functions around the library, will cause them to generate a new cryptographically secure pseudo-random value for the salt. It formerly only did this when 'salt' was 'None'. \r\n\r\n- The 'seeder' & 'aseeder' generators have been updated to introduce 512 new bits of entropy from 'secrets.token_bytes' on every iteration to ensure that the CSPRNG will produce secure outputs even if its internal state is somehow discovered. This also means that simply calling the CSPRNG is enough; there's no longer a strong reason to pass new entropy into it manually, except to add even more entropy as desired.", "cve": "PVE-2021-38406", "id": "pyup.io-38406", "more_info_path": "/vulnerabilities/PVE-2021-38406/38406", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "Aiootp 0.9.2 adds 'passcrypt' & 'apasscrypt' instance methods to 'OneTimePad', 'Keys', & 'AsyncKeys' classes. They produce password hashes that are not just secured by the salt & passcrypt algorithm settings, but also by their main symmetric instance keys. This makes passwords infeasible to crack without also compromising the instance's 512-bit key.\r\n\r\nAlso, Aiootp 0.9.2 includes further improvements to the random number generator in 'randoms.py'. 
This makes its internals less sequential and thereby raises the bar of work needed by an attacker to successfully carry out an order prediction attack.", "cve": "PVE-2021-38409", "id": "pyup.io-38409", "more_info_path": "/vulnerabilities/PVE-2021-38409/38409", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "aiopioneer": [ { "advisory": "In version 0.1.5, aiopioneer resolves a race condition with the implementation of safe_wait_for, which enhances the handling of asynchronous tasks, especially during cancellations and event updates. \r\nhttps://github.com/crowbarz/aiopioneer/commit/f6f7ce66226825df9e039ed5f12f34812dcc4a7d", "cve": "PVE-2024-65890", "id": "pyup.io-65890", "more_info_path": "/vulnerabilities/PVE-2024-65890/65890", "specs": [ "<0.1.5" ], "v": "<0.1.5" }, { "advisory": "Aiopioneer version 0.4.3 addresses a race condition, which potentially improves the reliability of the communication process by ensuring responses are queued before a request is sent. \r\nhttps://github.com/crowbarz/aiopioneer/commit/4a310412a3342e7a44b3d8aa1f8633c9575871fb", "cve": "PVE-2024-65889", "id": "pyup.io-65889", "more_info_path": "/vulnerabilities/PVE-2024-65889/65889", "specs": [ "<0.4.3" ], "v": "<0.4.3" } ], "aioradio": [ { "advisory": "Aioradio 0.17.9 updates 'httpx' to v0.23.0 to include a security fix.", "cve": "CVE-2021-41945", "id": "pyup.io-50342", "more_info_path": "/vulnerabilities/CVE-2021-41945/50342", "specs": [ "<0.17.9" ], "v": "<0.17.9" } ], "aiosmtpd": [ { "advisory": "aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggled/spoofed e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also exists in other SMTP software like Postfix. 
With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. See CVE-2024-27305.", "cve": "CVE-2024-27305", "id": "pyup.io-66968", "more_info_path": "/vulnerabilities/CVE-2024-27305/66968", "specs": [ "<1.4.5" ], "v": "<1.4.5" }, { "advisory": "aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue. See CVE-2024-34083.", "cve": "CVE-2024-34083", "id": "pyup.io-71242", "more_info_path": "/vulnerabilities/CVE-2024-34083/71242", "specs": [ "<=1.4.5" ], "v": "<=1.4.5" } ], "aiosmtplib": [ { "advisory": "Aiosmtplib 1.1.7 fixes a possible CRLF injection vulnerability (a variant of https://consensys.net/diligence/vulnerabilities/python-smtplib-multiple-crlf-injection/).", "cve": "PVE-2022-50882", "id": "pyup.io-50882", "more_info_path": "/vulnerabilities/PVE-2022-50882/50882", "specs": [ "<1.1.7" ], "v": "<1.1.7" } ], "aiosolr": [ { "advisory": "Aiosolr 3.3.2 updates its dependency 'bleach' to v3.3.0 to include a security fix.", "cve": "CVE-2021-23980", "id": "pyup.io-40299", "more_info_path": "/vulnerabilities/CVE-2021-23980/40299", "specs": [ "<3.3.2" ], "v": "<3.3.2" } ], "aiotoolbox": [ { "advisory": "Aiotoolbox is a malicious package. 
It contains a custom script in setup.py that downloads malicious and obfuscated code.\r\nhttps://inspector.pypi.io/project/aiotoolbox/1.5.2/packages/a0/9b/a3d1fdfb3036ad1bb6ee69f50eab85d042e7cd39ab24b3e8a1c0accbad1d/aiotoolbox-1.5.2.tar.gz/aiotoolbox-1.5.2/setup.py#line.60", "cve": "PVE-2023-53560", "id": "pyup.io-53560", "more_info_path": "/vulnerabilities/PVE-2023-53560/53560", "specs": [ ">=0" ], "v": ">=0" } ], "aioxmpp": [ { "advisory": "aioxmpp version 0.10.2 and earlier contains a Improper Handling of Structural Elements vulnerability in Stanza Parser, rollback during error processing, aioxmpp.xso.model.guard function that can result in Denial of Service, Other. This attack appears to be exploitable via Remote. A crafted stanza can be sent to an application which uses the vulnerable components to either inject data in a different context or cause the application to reconnect (potentially losing data). This vulnerability appears to have been fixed in 0.10.3.", "cve": "CVE-2019-1000007", "id": "pyup.io-42257", "more_info_path": "/vulnerabilities/CVE-2019-1000007/42257", "specs": [ "<=0.10.2" ], "v": "<=0.10.2" } ], "airflow": [ { "advisory": "Apache-airflow 1.8.0 includes a fix for a code execution vulnerability in PrestoHook.", "cve": "PVE-2023-99973", "id": "pyup.io-60835", "more_info_path": "/vulnerabilities/PVE-2023-99973/60835", "specs": [ "<1.8.0" ], "v": "<1.8.0" }, { "advisory": "Specific versions of Airflow are susceptible to arbitrary code execution due to unchecked user input being sent to the Python eval function, allowing for direct execution of parameters. 
This vulnerability enables any user with the capability to create or edit charts to potentially execute arbitrary code on the server.\r\nhttps://github.com/apache/airflow/commit/88d9b0dc96e7528c87326c8070ee276e8565545f", "cve": "PVE-2024-99818", "id": "pyup.io-65907", "more_info_path": "/vulnerabilities/PVE-2024-99818/65907", "specs": [ "<1.9.0-1" ], "v": "<1.9.0-1" } ], "airflow-duckdb": [ { "advisory": "Airflow-duckdb version 0.1.1 updates its cryptography dependency from 42.0.2 to 42.0.4 to address the security issue CVE-2024-26130, enhancing its security features.\r\nhttps://github.com/hussein-awala/airflow-duckdb/commit/bdae387e9ee2c7045091b20632a740236405e54c", "cve": "CVE-2024-26130", "id": "pyup.io-65643", "more_info_path": "/vulnerabilities/CVE-2024-26130/65643", "specs": [ "<0.1.1" ], "v": "<0.1.1" }, { "advisory": "Airflow-duckdb 0.1.2 upgrades its flask-appbuilder dependency to version 4.3.11 from 4.3.10, addressing the security vulnerability detailed in CVE-2024-25128.\r\nhttps://github.com/hussein-awala/airflow-duckdb/pull/3/commits/b779796b3e675208f7698840cc3bf0dc88e9b21e", "cve": "CVE-2024-25128", "id": "pyup.io-65717", "more_info_path": "/vulnerabilities/CVE-2024-25128/65717", "specs": [ "<0.1.2" ], "v": "<0.1.2" } ], "aisee": [ { "advisory": "Aisee upgraded PyTorch to version 2.2.0 or higher to address a security vulnerability identified as CVE-2024-31580.", "cve": "CVE-2024-31580", "id": "pyup.io-72414", "more_info_path": "/vulnerabilities/CVE-2024-31580/72414", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "ait-core": [ { "advisory": "AIT-Core affected versions were discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. 
When chained with CVE-2024-35059, this vulnerability leads to unauthenticated, fully remote code execution.", "cve": "CVE-2024-35061", "id": "pyup.io-71906", "more_info_path": "/vulnerabilities/CVE-2024-35061/71906", "specs": [ "<=2.5.2" ], "v": "<=2.5.2" }, { "advisory": "An issue in the YAML Python library of NASA AIT-Core allows attackers to execute arbitrary commands by supplying a crafted YAML file.", "cve": "CVE-2024-35060", "id": "pyup.io-71244", "more_info_path": "/vulnerabilities/CVE-2024-35060/71244", "specs": [ "<=2.5.2" ], "v": "<=2.5.2" }, { "advisory": "An issue in the Pickle Python library of NASA AIT-Core allows attackers to execute arbitrary commands.", "cve": "CVE-2024-35059", "id": "pyup.io-71243", "more_info_path": "/vulnerabilities/CVE-2024-35059/71243", "specs": [ "<=2.5.2" ], "v": "<=2.5.2" } ], "aiutil": [ { "advisory": "Aiutil 0.71.1 includes a fix for an injection vulnerability through password input.\r\nhttps://github.com/legendu-net/aiutil/pull/333/commits/e1d016d329b39b5e799de9c2fcacb2249582863f", "cve": "PVE-2022-52477", "id": "pyup.io-52477", "more_info_path": "/vulnerabilities/PVE-2022-52477/52477", "specs": [ "<0.71.1" ], "v": "<0.71.1" } ], "ajenti": [ { "advisory": "A vulnerability has been found in ajenti 2.1.31 and classified as critical. This vulnerability affects unknown code of the component API. The manipulation leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.32 is able to address this issue. The name of the patch is 7aa146b724e0e20cfee2c71ca78fafbf53a8767c. 
It is recommended to upgrade the affected component.", "cve": "CVE-2019-25066", "id": "pyup.io-65835", "more_info_path": "/vulnerabilities/CVE-2019-25066/65835", "specs": [ "<2.1.37" ], "v": "<2.1.37" }, { "advisory": "ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager.", "cve": "CVE-2018-18548", "id": "pyup.io-54014", "more_info_path": "/vulnerabilities/CVE-2018-18548/54014", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality.", "cve": "CVE-2014-2260", "id": "pyup.io-54081", "more_info_path": "/vulnerabilities/CVE-2014-2260/54081", "specs": [ ">=0,<1.2.14" ], "v": ">=0,<1.2.14" }, { "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page.", "cve": "CVE-2014-4301", "id": "pyup.io-54083", "more_info_path": "/vulnerabilities/CVE-2014-4301/54083", "specs": [ ">=0,<1.2.21.7" ], "v": ">=0,<1.2.21.7" }, { "advisory": "Versions of the Ajenti server administration panel are exposed to cross-site scripting (XSS) attacks because they fail to validate or escape user input before it is passed to the html() jQuery function. XSS attacks inject attacker-controlled script into content served by the web application, leading to the execution of malicious scripts in the victim's browser. These attacks exploit the injection of malicious code into web applications, which, if successful, could result in session hijacking, exposure of sensitive information, unauthorized access to privileged functions, or malware distribution. 
The primary defense against XSS is context-aware escaping of special characters in user-supplied data at the point it is written into the page, thereby preventing such characters from being interpreted as markup or script by the browser. To mitigate the risk of XSS attacks, it is recommended to sanitize data input in HTTP requests by validating, filtering, or escaping it before reflecting it back to the user. Additionally, converting special characters to their HTML or URL encoded equivalents, allowing users to disable client-side scripts, redirecting invalid requests, detecting and invalidating simultaneous logins, enforcing a Content Security Policy, and understanding the handling of embedded HTML in utilized libraries are essential practices.", "cve": "PVE-2024-99815", "id": "pyup.io-65963", "more_info_path": "/vulnerabilities/PVE-2024-99815/65963", "specs": [ ">=1.2.20.0,<1.2.22.13" ], "v": ">=1.2.20.0,<1.2.22.13" } ], "ajenti-panel": [ { "advisory": "Ajenti version 2 contains an Improper Error Handling vulnerability in the Login JSON request that can result in the response leaking a server path. This attack appears to be exploitable by sending malformed JSON: the tool responds with a traceback error that leaks a path on the server.", "cve": "CVE-2018-1000083", "id": "pyup.io-53981", "more_info_path": "/vulnerabilities/CVE-2018-1000083/53981", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Ajenti version 2 contains an Input Validation vulnerability in the ID string of the Get-values POST request that can result in the server crashing. This attack appears to be exploitable remotely: an attacker can freeze the server by sending a giant string in the ID parameter.", "cve": "CVE-2018-1000081", "id": "pyup.io-53979", "more_info_path": "/vulnerabilities/CVE-2018-1000081/53979", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Ajenti version 2 contains an Insecure Permissions vulnerability in plugin download that can result in any plugin being downloaded by a normal user. 
This attack appears to be exploitable by learning how the request is made and replaying it as a normal user; the server then downloads the plugin in response.", "cve": "CVE-2018-1000080", "id": "pyup.io-53978", "more_info_path": "/vulnerabilities/CVE-2018-1000080/53978", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Ajenti version 2 contains a Cross-Site Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server that can result in code execution on the server. This attack appears to be exploitable with victim interaction: when the victim visits the page hosting the CSRF trigger, any command matching the victim's privileges on the server can be executed.", "cve": "CVE-2018-1000082", "id": "pyup.io-53980", "more_info_path": "/vulnerabilities/CVE-2018-1000082/53980", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Ajenti version 2 contains an Information Disclosure vulnerability in line 176 of the source code that can result in user and system enumeration as well as disclosure of data from the /etc/ajenti/config.yml file. 
This attack appears to be exploitable via network connectivity to the web application.", "cve": "CVE-2018-1000126", "id": "pyup.io-53982", "more_info_path": "/vulnerabilities/CVE-2018-1000126/53982", "specs": [ ">=0" ], "v": ">=0" } ], "ajsonrpc": [ { "advisory": "Ajsonrpc 1.1.0 hardens the server by having the response manager return a generic ServerError, without error details that could leak internals, in case of an application exception.", "cve": "PVE-2021-39665", "id": "pyup.io-39665", "more_info_path": "/vulnerabilities/PVE-2021-39665/39665", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "aldryn-django": [ { "advisory": "Aldryn-django 1.8.10.1 updates its dependency 'Django' to v1.8.10 to include security fixes.", "cve": "CVE-2016-2512", "id": "pyup.io-25614", "more_info_path": "/vulnerabilities/CVE-2016-2512/25614", "specs": [ "<1.8.10.1" ], "v": "<1.8.10.1" }, { "advisory": "Aldryn-django 1.8.10.1 updates its dependency 'Django' to v1.8.10 to include security fixes.", "cve": "CVE-2016-2513", "id": "pyup.io-49477", "more_info_path": "/vulnerabilities/CVE-2016-2513/49477", "specs": [ "<1.8.10.1" ], "v": "<1.8.10.1" }, { "advisory": "Aldryn-django 1.8.18.1 updates its dependency 'Django' to v1.8.18 to include security fixes.", "cve": "CVE-2017-7233", "id": "pyup.io-34512", "more_info_path": "/vulnerabilities/CVE-2017-7233/34512", "specs": [ "<1.8.18.1" ], "v": "<1.8.18.1" }, { "advisory": "Aldryn-django 1.8.18.1 updates its dependency 'Django' to v1.8.18 to include security fixes.", "cve": "CVE-2017-7234", "id": "pyup.io-49478", "more_info_path": "/vulnerabilities/CVE-2017-7234/49478", "specs": [ "<1.8.18.1" ], "v": "<1.8.18.1" }, { "advisory": "Aldryn-django 3.2.10.0 updates its dependency 'django' to v3.2.10 to include a security fix.", "cve": "CVE-2021-44420", "id": "pyup.io-45170", "more_info_path": "/vulnerabilities/CVE-2021-44420/45170", "specs": [ "<3.2.10.0" ], "v": "<3.2.10.0" }, { "advisory": "Aldryn-django 3.2.11.0 updates its dependency 'django' to v3.2.11 to include 
security fixes.", "cve": "CVE-2021-45452", "id": "pyup.io-45169", "more_info_path": "/vulnerabilities/CVE-2021-45452/45169", "specs": [ "<3.2.11.0" ], "v": "<3.2.11.0" }, { "advisory": "Aldryn-django 3.2.11.0 updates its dependency 'django' to v3.2.11 to include security fixes.", "cve": "CVE-2021-45115", "id": "pyup.io-45350", "more_info_path": "/vulnerabilities/CVE-2021-45115/45350", "specs": [ "<3.2.11.0" ], "v": "<3.2.11.0" }, { "advisory": "Aldryn-django 3.2.11.0 updates its dependency 'django' to v3.2.11 to include security fixes.", "cve": "CVE-2021-45116", "id": "pyup.io-45349", "more_info_path": "/vulnerabilities/CVE-2021-45116/45349", "specs": [ "<3.2.11.0" ], "v": "<3.2.11.0" }, { "advisory": "Aldryn-django 3.2.12.0 updates its dependency 'django' to v3.2.12 to include security fixes.", "cve": "CVE-2022-22818", "id": "pyup.io-45167", "more_info_path": "/vulnerabilities/CVE-2022-22818/45167", "specs": [ "<3.2.12.0" ], "v": "<3.2.12.0" }, { "advisory": "Aldryn-django 3.2.12.0 updates its dependency 'django' to v3.2.12 to include security fixes.", "cve": "CVE-2022-23833", "id": "pyup.io-45351", "more_info_path": "/vulnerabilities/CVE-2022-23833/45351", "specs": [ "<3.2.12.0" ], "v": "<3.2.12.0" }, { "advisory": "Aldryn-django 3.2.13.0 updates its dependency 'django' to v3.2.13 to include a security fix.", "cve": "CVE-2022-28347", "id": "pyup.io-61645", "more_info_path": "/vulnerabilities/CVE-2022-28347/61645", "specs": [ "<3.2.13.0" ], "v": "<3.2.13.0" }, { "advisory": "Aldryn-django 3.2.13.0 updates its dependency 'django' to v3.2.13 to include a security fix.", "cve": "CVE-2022-28346", "id": "pyup.io-61624", "more_info_path": "/vulnerabilities/CVE-2022-28346/61624", "specs": [ "<3.2.13.0" ], "v": "<3.2.13.0" }, { "advisory": "Aldryn-django 3.2.14.0 updates its dependency 'django' to v3.2.14 to include a security fix.", "cve": "CVE-2022-34265", "id": "pyup.io-61623", "more_info_path": "/vulnerabilities/CVE-2022-34265/61623", "specs": [ "<3.2.14.0" ], "v": 
"<3.2.14.0" }, { "advisory": "Aldryn-django 3.2.15.0 updates its dependency 'django' to v3.2.15 to include a security fix.", "cve": "CVE-2022-36359", "id": "pyup.io-61622", "more_info_path": "/vulnerabilities/CVE-2022-36359/61622", "specs": [ "<3.2.15.0" ], "v": "<3.2.15.0" }, { "advisory": "Aldryn-django 3.2.16.0 updates its dependency 'django' to v3.2.16 to include a security fix.", "cve": "CVE-2022-41323", "id": "pyup.io-61621", "more_info_path": "/vulnerabilities/CVE-2022-41323/61621", "specs": [ "<3.2.16.0" ], "v": "<3.2.16.0" }, { "advisory": "Aldryn-django 3.2.17.0 updates its dependency 'django' to v3.2.17 to include a security fix.", "cve": "CVE-2023-23969", "id": "pyup.io-61620", "more_info_path": "/vulnerabilities/CVE-2023-23969/61620", "specs": [ "<3.2.17.0" ], "v": "<3.2.17.0" }, { "advisory": "Aldryn-django 3.2.18.0 updates its dependency 'django' to v3.2.18 to include a security fix.", "cve": "CVE-2023-24580", "id": "pyup.io-61619", "more_info_path": "/vulnerabilities/CVE-2023-24580/61619", "specs": [ "<3.2.18.0" ], "v": "<3.2.18.0" }, { "advisory": "Aldryn-django 3.2.19.0 updates its dependency 'django' to v3.2.19 to include a security fix.", "cve": "CVE-2023-31047", "id": "pyup.io-61618", "more_info_path": "/vulnerabilities/CVE-2023-31047/61618", "specs": [ "<3.2.19.0" ], "v": "<3.2.19.0" }, { "advisory": "Aldryn-django 3.2.20.0 updates its dependency 'django' to v3.2.20 to include a security fix.", "cve": "CVE-2023-36053", "id": "pyup.io-61617", "more_info_path": "/vulnerabilities/CVE-2023-36053/61617", "specs": [ "<3.2.20.0" ], "v": "<3.2.20.0" }, { "advisory": "Aldryn-django 3.2.21.0 updates its dependency 'django' to v3.2.21 to include a security fix.", "cve": "CVE-2023-41164", "id": "pyup.io-61616", "more_info_path": "/vulnerabilities/CVE-2023-41164/61616", "specs": [ "<3.2.21.0" ], "v": "<3.2.21.0" }, { "advisory": "Aldryn-django 3.2.22.0 updates its dependency 'django' to v3.2.22 to include a security fix.", "cve": "CVE-2023-43665", "id": 
"pyup.io-61615", "more_info_path": "/vulnerabilities/CVE-2023-43665/61615", "specs": [ "<3.2.22.0" ], "v": "<3.2.22.0" }, { "advisory": "Aldryn-django 3.2.23.0 updates its dependency 'django' to v3.2.23 to include a security fix.", "cve": "CVE-2023-46695", "id": "pyup.io-62127", "more_info_path": "/vulnerabilities/CVE-2023-46695/62127", "specs": [ "<3.2.23.0" ], "v": "<3.2.23.0" }, { "advisory": "Aldryn-django 3.2.4.0 updates its dependency 'django' to v3.2.4 to include security fixes.", "cve": "CVE-2021-33203", "id": "pyup.io-45172", "more_info_path": "/vulnerabilities/CVE-2021-33203/45172", "specs": [ "<3.2.4.0" ], "v": "<3.2.4.0" }, { "advisory": "Aldryn-django 3.2.4.0 updates its dependency 'django' to v3.2.4 to include security fixes.", "cve": "CVE-2021-33571", "id": "pyup.io-45348", "more_info_path": "/vulnerabilities/CVE-2021-33571/45348", "specs": [ "<3.2.4.0" ], "v": "<3.2.4.0" }, { "advisory": "Aldryn-django 3.2.5.0 updates its dependency 'django' to v3.2.5 to include a security fix.", "cve": "CVE-2021-35042", "id": "pyup.io-45171", "more_info_path": "/vulnerabilities/CVE-2021-35042/45171", "specs": [ "<3.2.5.0" ], "v": "<3.2.5.0" }, { "advisory": "Aldryn-django 4.2.1.0 updates its Django dependency to version 4.2.1, addressing the security vulnerability CVE-2023-31047.", "cve": "CVE-2023-31047", "id": "pyup.io-65015", "more_info_path": "/vulnerabilities/CVE-2023-31047/65015", "specs": [ "<4.2.1.0" ], "v": "<4.2.1.0" }, { "advisory": "Aldryn-django 4.2.10.0 upgrades its Django dependency to 4.2.10 due to CVE-2024-24680.", "cve": "CVE-2024-24680", "id": "pyup.io-65010", "more_info_path": "/vulnerabilities/CVE-2024-24680/65010", "specs": [ "<4.2.10.0" ], "v": "<4.2.10.0" }, { "advisory": "Aldryn-django 4.2.3.0 upgrades its Django dependency to 4.2.3 due to CVE-2023-36053.", "cve": "CVE-2023-36053", "id": "pyup.io-65014", "more_info_path": "/vulnerabilities/CVE-2023-36053/65014", "specs": [ "<4.2.3.0" ], "v": "<4.2.3.0" }, { "advisory": "Aldryn-django 
4.2.5.0 upgrades its Django dependency to 4.2.5 due to CVE-2023-41164.", "cve": "CVE-2023-41164", "id": "pyup.io-65013", "more_info_path": "/vulnerabilities/CVE-2023-41164/65013", "specs": [ "<4.2.5.0" ], "v": "<4.2.5.0" }, { "advisory": "Aldryn-django 4.2.6.0 upgrades its Django dependency to 4.2.6 due to CVE-2023-43665.", "cve": "CVE-2023-43665", "id": "pyup.io-65012", "more_info_path": "/vulnerabilities/CVE-2023-43665/65012", "specs": [ "<4.2.6.0" ], "v": "<4.2.6.0" }, { "advisory": "Aldryn-django 4.2.7.0 upgrades its Django dependency to 4.2.7 due to CVE-2023-46695.", "cve": "CVE-2023-46695", "id": "pyup.io-65011", "more_info_path": "/vulnerabilities/CVE-2023-46695/65011", "specs": [ "<4.2.7.0" ], "v": "<4.2.7.0" } ], "aleksis-core": [ { "advisory": "An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.\r\nhttps://edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/688", "cve": "CVE-2022-29773", "id": "pyup.io-54457", "more_info_path": "/vulnerabilities/CVE-2022-29773/54457", "specs": [ ">=0,<2.9" ], "v": ">=0,<2.9" } ], "aleph-message": [ { "advisory": "Aleph-message 0.3.1 updates its 'pydantic' dependency requirement to versions '~=1.10.5' to include a security fix.", "cve": "CVE-2020-10735", "id": "pyup.io-53518", "more_info_path": "/vulnerabilities/CVE-2020-10735/53518", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "alerta-server": [ { "advisory": "In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when the Alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow the unauthenticated authentication mechanism for anonymous authorization are affected. 
A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.", "cve": "CVE-2020-26214", "id": "pyup.io-42286", "more_info_path": "/vulnerabilities/CVE-2020-26214/42286", "specs": [ "<7.5.7", ">=8.0.0,<8.1.0" ], "v": "<7.5.7,>=8.0.0,<8.1.0" }, { "advisory": "Alerta versions between v7.0.0 and v8.7.0 are susceptible to Stored Cross-Site Scripting (XSS) in the field for the full name. Administrative account takeover can occur when an admin navigates to the groups page, triggering the XSS payload and sending the authorization token to the intruder's server.", "cve": "PVE-2023-99968", "id": "pyup.io-60871", "more_info_path": "/vulnerabilities/PVE-2023-99968/60871", "specs": [ ">=7.0.0,<=8.7.0" ], "v": ">=7.0.0,<=8.7.0" } ], "alex-ber-utils": [ { "advisory": "Alex-ber-utils 0.6.3 changes the base docker image version to 0.1.0, because it has a fix for a potential security risk: Git changed to not store credentials as plain text but to keep them in memory for 1 hour.", "cve": "PVE-2021-39148", "id": "pyup.io-39148", "more_info_path": "/vulnerabilities/PVE-2021-39148/39148", "specs": [ "<0.6.3" ], "v": "<0.6.3" } ], "alexandra": [ { "advisory": "Alexandra 0.4.0 updates its dependency 'pyOpenSSL' to v17.5.0 to include security fixes.", "cve": "CVE-2018-1000807", "id": "pyup.io-49031", "more_info_path": "/vulnerabilities/CVE-2018-1000807/49031", "specs": [ "<0.4.0" ], "v": "<0.4.0" }, { "advisory": "Alexandra 0.4.0 updates its dependency 'pyOpenSSL' to v17.5.0 to include security fixes.", "cve": "CVE-2018-1000808", "id": "pyup.io-36552", "more_info_path": "/vulnerabilities/CVE-2018-1000808/36552", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "alfred3-interact": [ { "advisory": "Alfred3-interact 0.2.4 fixes a race condition in `MatchMaker._init_member()` which apparently creates a member before 
its session ID is available in the database.\r\nhttps://github.com/jobrachem/alfred3-interact/commit/0e3c7e964338af72f50066475382c35778888701", "cve": "PVE-2023-62763", "id": "pyup.io-62763", "more_info_path": "/vulnerabilities/PVE-2023-62763/62763", "specs": [ "<0.2.4" ], "v": "<0.2.4" } ], "algokit": [ { "advisory": "Algokit 0.3.0 updates its dependency 'GitPython' to v3.1.30 to include a security fix.", "cve": "CVE-2022-24439", "id": "pyup.io-53440", "more_info_path": "/vulnerabilities/CVE-2022-24439/53440", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "algorithm-toolkit": [ { "advisory": "Algorithm-toolkit 0.1.3beta resolves security issues with internal dependencies Pillow and marked.js.", "cve": "PVE-2021-39381", "id": "pyup.io-39381", "more_info_path": "/vulnerabilities/PVE-2021-39381/39381", "specs": [ "<0.1.3beta" ], "v": "<0.1.3beta" } ], "algorithmic": [ { "advisory": "Algorithmic is a malicious package. It triggers the install of W4SP Stealer in your system.", "cve": "PVE-2022-51694", "id": "pyup.io-51694", "more_info_path": "/vulnerabilities/PVE-2022-51694/51694", "specs": [ ">0" ], "v": ">0" } ], "algoseek-connector": [ { "advisory": "Algoseek-connector version 2.1.3 addresses a security vulnerability in the sqlparse library by updating from version \"^0.4.4\" to \"^0.5.0\", in response to the security advisory GHSA-2m57-hf25-phgg.", "cve": "PVE-2024-67887", "id": "pyup.io-67981", "more_info_path": "/vulnerabilities/PVE-2024-67887/67981", "specs": [ "<2.1.3" ], "v": "<2.1.3" } ], "aliyundrive-webdav": [ { "advisory": "An issue in aliyundrive-webdav affected versions allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.", "cve": "CVE-2024-29640", "id": "pyup.io-71997", "more_info_path": "/vulnerabilities/CVE-2024-29640/71997", "specs": [ ">=0" ], "v": ">=0" } ], "allennlp": [ { "advisory": "allennlp 0.6.1 upgrades flask to avoid security vulnerability.", "cve": "PVE-2021-36530", 
"id": "pyup.io-36530", "more_info_path": "/vulnerabilities/PVE-2021-36530/36530", "specs": [ "<0.6.1" ], "v": "<0.6.1" }, { "advisory": "Allennlp 0.9.0 includes a fix for hotflip attacks.", "cve": "PVE-2021-37901", "id": "pyup.io-37901", "more_info_path": "/vulnerabilities/PVE-2021-37901/37901", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "allmydata-tahoe": [ { "advisory": "Allmydata-tahoe 1.1.0 removes 'localdir=/localfile=' and 't=download' operations to avoid security issues.\r\nhttps://github.com/tahoe-lafs/tahoe-lafs/commit/151f69d9b59ee76522c5ae3dad259ded752e8ad4", "cve": "PVE-2021-34432", "id": "pyup.io-34432", "more_info_path": "/vulnerabilities/PVE-2021-34432/34432", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Allmydata-tahoe 1.2.0 makes the immutable-file \"ciphertext hash tree\" mandatory. Previous releases allowed the uploader to decide whether their file would have an integrity check on the ciphertext or not. A malicious uploader could use this to create a readcap that would download as one file or a different one, depending upon which shares the client fetched first, with no errors raised. There are other integrity checks on the shares themselves, preventing a storage server or other party from violating the integrity properties of the read-cap: this failure was only exploitable by the uploader who gives you a carefully constructed read-cap.\r\nhttps://tahoe-lafs.org/trac/tahoe-lafs/ticket/491", "cve": "PVE-2021-34433", "id": "pyup.io-34433", "more_info_path": "/vulnerabilities/PVE-2021-34433/34433", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Allmydata-tahoe 1.4.1 fixes a timing attack due to the use of strcmp against the write-enabler and lease-renewal/cancel secrets. An attacker who could measure response-time variations of approximately 3ns against a very noisy background time of about 15ms, might be able to guess these secrets. 
The attack is believed to be only theoretically feasible.", "cve": "PVE-2021-34435", "id": "pyup.io-34435", "more_info_path": "/vulnerabilities/PVE-2021-34435/34435", "specs": [ "<1.4.1" ], "v": "<1.4.1" }, { "advisory": "Allmydata-tahoe 1.5.0 removes helper access to plaintext hashes.\r\nhttps://tahoe-lafs.org/trac/tahoe-lafs/ticket/722", "cve": "PVE-2021-34436", "id": "pyup.io-34436", "more_info_path": "/vulnerabilities/PVE-2021-34436/34436", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Allmydata-tahoe 1.7.0 updates its Python version dependency to 2.4.4 to include a fix for a buffer overrun in repr() in cPython.\r\nhttps://tahoe-lafs.org/trac/tahoe-lafs/ticket/1066", "cve": "CVE-2006-4980", "id": "pyup.io-34437", "more_info_path": "/vulnerabilities/CVE-2006-4980/34437", "specs": [ "<1.7.0" ], "v": "<1.7.0" }, { "advisory": "Allmydata-tahoe 1.7.1 encrypts its temporary files in the FTP frontend, protecting their contents from an attacker who is able to read the disk.", "cve": "PVE-2021-34438", "id": "pyup.io-34438", "more_info_path": "/vulnerabilities/PVE-2021-34438/34438", "specs": [ "<1.7.1" ], "v": "<1.7.1" }, { "advisory": "Allmydata-tahoe 1.8.3 includes a fix for a vulnerability that allowed deletion of shares.", "cve": "PVE-2021-34439", "id": "pyup.io-34439", "more_info_path": "/vulnerabilities/PVE-2021-34439/34439", "specs": [ "<1.8.3" ], "v": "<1.8.3" } ], "alt-model-checkpoint": [ { "advisory": "alt-model-checkpoint 1.0.1 upgrades dependencies, esp. 
for requests==2.20.0 security patch", "cve": "PVE-2021-36628", "id": "pyup.io-36628", "more_info_path": "/vulnerabilities/PVE-2021-36628/36628", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "altair-recipes": [ { "advisory": "Altair-recipes 0.9.2 updates its dependency 'ipython' to v7.31.1 to include a security fix.", "cve": "CVE-2022-21699", "id": "pyup.io-45388", "more_info_path": "/vulnerabilities/CVE-2022-21699/45388", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "altvmasterlist": [ { "advisory": "Altvmasterlist version 3.1.0 updates its IDNA dependency from version 3.6 to 3.7 to fix a denial of service vulnerability.", "cve": "CVE-2022-45061", "id": "pyup.io-67623", "more_info_path": "/vulnerabilities/CVE-2022-45061/67623", "specs": [ "<3.1.0" ], "v": "<3.1.0" } ], "alvaro": [ { "advisory": "Alvaro 1.1.1 replaced Pickle with JSON to prevent code injection vulnerabilities.\r\nhttps://github.com/edgecase963/Alvaro/commit/d87c53359e7edde827add46a7870d4192eef0451", "cve": "PVE-2022-50145", "id": "pyup.io-50145", "more_info_path": "/vulnerabilities/PVE-2022-50145/50145", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "amazon-product-details-scraper": [ { "advisory": "Amazon-product-details-scraper version 1.0.4 introduces a security update to enhance the validation process for host URLs, mitigating potential vulnerabilities associated with improper URL verification.\r\nhttps://github.com/ranjan-mohanty/amazon-product-details-scraper/pull/10/commits/e8491b1e13b4b9a35f6009d65b7c33d16e3cff10", "cve": "PVE-2024-66905", "id": "pyup.io-66905", "more_info_path": "/vulnerabilities/PVE-2024-66905/66905", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "ambient-api": [ { "advisory": "Ambient-api 1.5.2 updates requirements.txt to use urllib3>=1.23 to include a security fix.", "cve": "CVE-2018-20060", "id": "pyup.io-36594", "more_info_path": "/vulnerabilities/CVE-2018-20060/36594", "specs": [ "<1.5.2" ], "v": "<1.5.2" } ], "amdsmi": [ { "advisory": "Affected versions of the AMD SMI CLI are 
vulnerable to potential privilege escalation due to improper handling of root-required operations for process isolation and SRAM data clearing. Attackers could exploit misconfigured permissions to gain unauthorized access or manipulate GPU processes. The vulnerable functions include amdsmi_set_gpu_process_isolation and amdsmi_set_gpu_clear_sram_data. To mitigate, ensure proper configuration of permissions and restrict root access to trusted users only. This vulnerability is specific to systems where these features are enabled without adequate security measures.", "cve": "PVE-2024-73455", "id": "pyup.io-73455", "more_info_path": "/vulnerabilities/PVE-2024-73455/73455", "specs": [ "<6.1.2" ], "v": "<6.1.2" } ], "aml-ds-pipeline-contrib": [ { "advisory": "Aml-ds-pipeline-contrib is a malicious package, typosquatting. It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47809", "id": "pyup.io-47809", "more_info_path": "/vulnerabilities/PVE-2022-47809/47809", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "amqp": [ { "advisory": "AMQP versions 0.8 to 0.9.1 (Python client) do not carry out hostname verification during tls connections, paving the way for potential Man-in-the-Middle attacks.", "cve": "PVE-2023-99972", "id": "pyup.io-60836", "more_info_path": "/vulnerabilities/PVE-2023-99972/60836", "specs": [ ">=0.8,<=0.9.1" ], "v": ">=0.8,<=0.9.1" } ], "amqplib": [ { "advisory": "AMQPlib versions 0.8 to 0.9.1 (Python client) do not carry out hostname verification during tls connections, paving the way for potential Man-in-the-Middle attacks.", "cve": "PVE-2023-99972", "id": "pyup.io-60837", "more_info_path": "/vulnerabilities/PVE-2023-99972/60837", "specs": [ ">=0.8,<=0.9.1" ], "v": ">=0.8,<=0.9.1" } ], "amqtt": [ { "advisory": "Amqtt 0.10.0 includes a security fix: If an attacker could produce a KeyError inside an authentication plugin, the authentication was accepted 
instead of rejected.\r\nhttps://github.com/Yakifo/amqtt/pull/68", "cve": "PVE-2023-53085", "id": "pyup.io-53085", "more_info_path": "/vulnerabilities/PVE-2023-53085/53085", "specs": [ "<0.10.0" ], "v": "<0.10.0" } ], "amsterdam": [ { "advisory": "Amsterdam 1.1 runs the suricata container with lower permissions to increase security.\r\nhttps://github.com/StamusNetworks/Amsterdam/commit/cadf11008a148919cd77da57e1d77c5a2e1092e9", "cve": "PVE-2017-47647", "id": "pyup.io-47647", "more_info_path": "/vulnerabilities/PVE-2017-47647/47647", "specs": [ "<1.1" ], "v": "<1.1" } ], "amundsen-frontend": [ { "advisory": "Amundsen-frontend 3.0.0 updates its dependency 'serialize-javascript' to v3.1.0 to include a security fix.", "cve": "CVE-2020-7660", "id": "pyup.io-39065", "more_info_path": "/vulnerabilities/CVE-2020-7660/39065", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Amundsen-frontend 3.1.0 includes a security fix: UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend.\r\nhttps://github.com/advisories/GHSA-47qg-q58v-7vrp", "cve": "PVE-2023-55102", "id": "pyup.io-55102", "more_info_path": "/vulnerabilities/PVE-2023-55102/55102", "specs": [ "<3.1.0" ], "v": "<3.1.0" } ], "analytics-zoo": [ { "advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", "cve": "CVE-2021-45105", "id": "pyup.io-43746", "more_info_path": "/vulnerabilities/CVE-2021-45105/43746", "specs": [ "<0.11.1" ], "v": "<0.11.1" }, { "advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", "cve": "CVE-2021-44228", "id": "pyup.io-43615", "more_info_path": "/vulnerabilities/CVE-2021-44228/43615", "specs": [ "<0.11.1" ], "v": "<0.11.1" }, { 
"advisory": "Analytics-zoo 0.11.1 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/be893d0c173563df923b54578774bd4226d0bbd9", "cve": "CVE-2021-45046", "id": "pyup.io-43745", "more_info_path": "/vulnerabilities/CVE-2021-45046/43745", "specs": [ "<0.11.1" ], "v": "<0.11.1" }, { "advisory": "Analytics-zoo 0.11.2 updates its dependency 'log4j' to v2.17.1 to fix a medium severity vulnerability.\r\nhttps://github.com/intel-analytics/analytics-zoo/commit/c75cfc1076adbefa4f5fe0185bff4e7cf3f99b82", "cve": "CVE-2021-44832", "id": "pyup.io-44464", "more_info_path": "/vulnerabilities/CVE-2021-44832/44464", "specs": [ "<0.11.2" ], "v": "<0.11.2" } ], "anaplan-api": [ { "advisory": "Anaplan-api 0.2.13 updates its cryptography dependency from version 42.0.6 to 42.0.8 to include a security fix for CVE-2024-4603.", "cve": "CVE-2024-4603", "id": "pyup.io-71674", "more_info_path": "/vulnerabilities/CVE-2024-4603/71674", "specs": [ "<0.2.13" ], "v": "<0.2.13" }, { "advisory": "Anaplan-api 0.2.13 updates its idna dependency from version 3.6 to 3.7 to address CVE-2024-3651.", "cve": "CVE-2024-3651", "id": "pyup.io-71679", "more_info_path": "/vulnerabilities/CVE-2024-3651/71679", "specs": [ "<0.2.13" ], "v": "<0.2.13" } ], "anchore": [ { "advisory": "In Anchore Engine version 0.7.0, a specially crafted container image manifest, fetched from a registry, can be used to trigger a shell escape flaw in the anchore engine analyzer service during an image analysis process. The image analysis operation can only be executed by an authenticated user via a valid API request to anchore engine, or if an already added image that anchore is monitoring has its manifest altered to exploit the same flaw. 
A successful attack can be used to execute commands that run in the analyzer environment, with the same permissions as the user that anchore engine is run as - including access to the credentials that Engine uses to access its own database which have read-write ability, as well as access to the running engine analyzer service environment. By default Anchore Engine is released and deployed as a container where the user is non-root, but if users run Engine directly or explicitly set the user to 'root' then that level of access may be gained in the execution environment where Engine runs. This issue is fixed in version 0.7.1.", "cve": "CVE-2020-11075", "id": "pyup.io-62856", "more_info_path": "/vulnerabilities/CVE-2020-11075/62856", "specs": [ "==0.7.0" ], "v": "==0.7.0" } ], "anchorecli": [ { "advisory": "In Anchore Engine version 0.7.0, a specially crafted container image manifest, fetched from a registry, can be used to trigger a shell escape flaw in the anchore engine analyzer service during an image analysis process. The image analysis operation can only be executed by an authenticated user via a valid API request to anchore engine, or if an already added image that anchore is monitoring has its manifest altered to exploit the same flaw. A successful attack can be used to execute commands that run in the analyzer environment, with the same permissions as the user that anchore engine is run as - including access to the credentials that Engine uses to access its own database which have read-write ability, as well as access to the running engine analyzer service environment. By default Anchore Engine is released and deployed as a container where the user is non-root, but if users run Engine directly or explicitly set the user to 'root' then that level of access may be gained in the execution environment where Engine runs. 
This issue is fixed in version 0.7.1.", "cve": "CVE-2020-11075", "id": "pyup.io-62857", "more_info_path": "/vulnerabilities/CVE-2020-11075/62857", "specs": [ "==0.7.0" ], "v": "==0.7.0" } ], "anchorpy": [ { "advisory": "Anchorpy 0.6.4 updates its dependency 'ipython' to v8.0.1 to include a security fix.", "cve": "CVE-2022-21699", "id": "pyup.io-44648", "more_info_path": "/vulnerabilities/CVE-2022-21699/44648", "specs": [ "<0.6.4" ], "v": "<0.6.4" } ], "anki": [ { "advisory": "Anki version 24.06 includes security fixes for handling shared decks. Users who download and use shared decks from untrusted authors are recommended to update to the latest version to enhance security and protect against potential vulnerabilities.", "cve": "PVE-2024-71393", "id": "pyup.io-71393", "more_info_path": "/vulnerabilities/PVE-2024-71393/71393", "specs": [ "<24.06" ], "v": "<24.06" }, { "advisory": "Anki 24.6.1 includes a security fix for the handling of shared decks, specially important for users who make use of shared decks from untrusted authors.", "cve": "PVE-2024-71422", "id": "pyup.io-71422", "more_info_path": "/vulnerabilities/PVE-2024-71422/71422", "specs": [ "<24.6.1" ], "v": "<24.6.1" } ], "annotator": [ { "advisory": "Annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.\r\nhttps://github.com/openannotation/annotator-store/issues/82", "cve": "PVE-2021-25615", "id": "pyup.io-25615", "more_info_path": "/vulnerabilities/PVE-2021-25615/25615", "specs": [ "<0.11.2" ], "v": "<0.11.2" } ], "anomalib": [ { "advisory": "Anomalib 0.5.0 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. 
(dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.", "cve": "CVE-2007-4559", "id": "pyup.io-58628", "more_info_path": "/vulnerabilities/CVE-2007-4559/58628", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "ansible": [ { "advisory": "Ansible 1.2.1 includes a fix for CVE-2013-2233: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=980821", "cve": "CVE-2013-2233", "id": "pyup.io-42921", "more_info_path": "/vulnerabilities/CVE-2013-2233/42921", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections. See CVE-2013-4260.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=998227", "cve": "CVE-2013-4260", "id": "pyup.io-25616", "more_info_path": "/vulnerabilities/CVE-2013-4260/25616", "specs": [ "<1.2.3" ], "v": "<1.2.3" }, { "advisory": "Ansible 1.2.3 includes a fix for CVE-2013-4259: runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/.", "cve": "CVE-2013-4259", "id": "pyup.io-42920", "more_info_path": "/vulnerabilities/CVE-2013-4259/42920", "specs": [ "<1.2.3" ], "v": "<1.2.3" }, { "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-2686: Ansible prior to 1.5.4 mishandles the evaluation of some strings.\r\nhttps://groups.google.com/forum/#!searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ", "cve": "CVE-2014-2686", "id": "pyup.io-42919", "more_info_path": "/vulnerabilities/CVE-2014-2686/42919", "specs": [ "<1.5.4" ], "v": "<1.5.4" }, { "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does 
not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.", "cve": "CVE-2014-4657", "id": "pyup.io-25617", "more_info_path": "/vulnerabilities/CVE-2014-4657/25617", "specs": [ "<1.5.4" ], "v": "<1.5.4" }, { "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4658: The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.", "cve": "CVE-2014-4658", "id": "pyup.io-25618", "more_info_path": "/vulnerabilities/CVE-2014-4658/25618", "specs": [ "<1.5.5" ], "v": "<1.5.5" }, { "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4660: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the \"deb http://user:pass@server:port/\" format.\r\nhttps://www.openwall.com/lists/oss-security/2014/06/26/19", "cve": "CVE-2014-4660", "id": "pyup.io-42918", "more_info_path": "/vulnerabilities/CVE-2014-4660/42918", "specs": [ "<1.5.5" ], "v": "<1.5.5" }, { "advisory": "Ansible 1.5.5 includes a fix for CVE-2014-4659: Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the \"deb http://user:pass@server:port/\" format.", "cve": "CVE-2014-4659", "id": "pyup.io-42854", "more_info_path": "/vulnerabilities/CVE-2014-4659/42854", "specs": [ "<1.5.5" ], "v": "<1.5.5" }, { "advisory": "Ansible 1.6.4 includes a fix for CVE-2014-4678: The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.", "cve": "CVE-2014-4678", "id": "pyup.io-25619", "more_info_path": "/vulnerabilities/CVE-2014-4678/25619", "specs": [ "<1.6.4" ], "v": "<1.6.4" }, { "advisory": "Ansible 1.6.6 includes a fix for CVE-2014-3498: The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.", "cve": "CVE-2014-3498", "id": "pyup.io-25620", "more_info_path": "/vulnerabilities/CVE-2014-3498/25620", "specs": [ "<1.6.6" ], "v": "<1.6.6" }, { "advisory": "ansible 1.6.7 contains two security fixes:\r\n * Strip lookup calls out of inventory variables and clean unsafe data\r\n returned from lookup plugins (CVE-2014-4966)\r\n * Make sure vars don't insert extra parameters into module args and prevent\r\n duplicate params from superseding previous params (CVE-2014-4967)", "cve": "CVE-2014-4967", "id": "pyup.io-25621", "more_info_path": "/vulnerabilities/CVE-2014-4967/25621", "specs": [ "<1.6.7" ], "v": "<1.6.7" }, { "advisory": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.", "cve": "CVE-2014-4966", "id": "pyup.io-42334", "more_info_path": "/vulnerabilities/CVE-2014-4966/42334", "specs": [ "<1.6.7" ], "v": "<1.6.7" }, { "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.", "cve": "PVE-2022-45329", "id": "pyup.io-45329", "more_info_path": "/vulnerabilities/PVE-2022-45329/45329", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.", "cve": "PVE-2021-25622", "id": "pyup.io-25622", "more_info_path": "/vulnerabilities/PVE-2021-25622/25622", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 
'args:' as a string, which could allow the insertion of extra module parameters through variables.", "cve": "PVE-2021-25623", "id": "pyup.io-25623", "more_info_path": "/vulnerabilities/PVE-2021-25623/25623", "specs": [ "<1.7.1" ], "v": "<1.7.1" }, { "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view \".", "cve": "PVE-2021-25624", "id": "pyup.io-25624", "more_info_path": "/vulnerabilities/PVE-2021-25624/25624", "specs": [ "<1.8.3" ], "v": "<1.8.3" }, { "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "cve": "CVE-2015-3908", "id": "pyup.io-25625", "more_info_path": "/vulnerabilities/CVE-2015-3908/25625", "specs": [ "<1.9.2" ], "v": "<1.9.2" }, { "advisory": "Ansible 1.9.2 includes a fix for CVE-2015-6240: The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1243468", "cve": "CVE-2015-6240", "id": "pyup.io-42917", "more_info_path": "/vulnerabilities/CVE-2015-6240/42917", "specs": [ "<1.9.2" ], "v": "<1.9.2" }, { "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. 
An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/", "cve": "CVE-2016-9587", "id": "pyup.io-33285", "more_info_path": "/vulnerabilities/CVE-2016-9587/33285", "specs": [ "<2.1.4", ">=2.2.0,<2.2.1" ], "v": "<2.1.4,>=2.2.0,<2.2.1" }, { "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root of the bucket, making collisions possible when running multiple ansible processes. This issue mainly affects service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.", "cve": "CVE-2020-25636", "id": "pyup.io-54229", "more_info_path": "/vulnerabilities/CVE-2020-25636/54229", "specs": [ "<2.10.5" ], "v": "<2.10.5" }, { "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin because no garbage collection happens after the playbook run is completed. Transferred files remain in the bucket, exposing their data. This issue directly affects data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.", "cve": "CVE-2020-25635", "id": "pyup.io-54230", "more_info_path": "/vulnerabilities/CVE-2020-25635/54230", "specs": [ "<2.10.5" ], "v": "<2.10.5" }, { "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. 
An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628", "cve": "CVE-2016-8628", "id": "pyup.io-42915", "more_info_path": "/vulnerabilities/CVE-2016-8628/42915", "specs": [ "<2.2.0" ], "v": "<2.2.0" }, { "advisory": "Ansible 2.3 includes a fix for CVE-2017-7466: Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466", "cve": "CVE-2017-7466", "id": "pyup.io-42890", "more_info_path": "/vulnerabilities/CVE-2017-7466/42890", "specs": [ "<2.3" ], "v": "<2.3" }, { "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. 
See: CVE-2017-7481.", "cve": "CVE-2017-7481", "id": "pyup.io-34941", "more_info_path": "/vulnerabilities/CVE-2017-7481/34941", "specs": [ "<2.3.1" ], "v": "<2.3.1" }, { "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876", "cve": "CVE-2018-16876", "id": "pyup.io-42889", "more_info_path": "/vulnerabilities/CVE-2018-16876/42889", "specs": [ "<2.5.14", ">=2.6.0a0,<2.6.11", ">=2.7.0a0,<2.7.5" ], "v": "<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5" }, { "advisory": "A vulnerability in versions of the Ansible solaris_zone module permits an attacker to execute arbitrary commands on a Solaris host. This issue arises when the module checks the zone name by using a basic 'ps' command, enabling the attack through a maliciously crafted zone name. This flaw poses a risk to various versions of Ansible Engine, exposing systems to potential unauthorized command execution.", "cve": "CVE-2019-14904", "id": "pyup.io-68097", "more_info_path": "/vulnerabilities/CVE-2019-14904/68097", "specs": [ "<2.7.15", ">=2.8.0a1,<2.8.7", ">=2.9.0b1,<2.9.2" ], "v": "<2.7.15,>=2.8.0a1,<2.8.7,>=2.9.0b1,<2.9.2" }, { "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p <dir>\"; this operation does not fail if the directory already exists and is owned by another user. 
An attacker could take advantage of this to gain control of the become user, as the target directory can be retrieved by iterating over '/proc/<pid>/cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", "cve": "CVE-2020-1733", "id": "pyup.io-42879", "more_info_path": "/vulnerabilities/CVE-2020-1733/42879", "specs": [ "<2.7.17", ">=2.8.0a0,<2.8.11", ">=2.9.0a0,<2.9.7" ], "v": "<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7" }, { "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735", "cve": "CVE-2020-1735", "id": "pyup.io-42877", "more_info_path": "/vulnerabilities/CVE-2020-1735/42877", "specs": [ "<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6" ], "v": "<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" }, { "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of the svn module, it is passed on the svn command line, disclosing it to other users on the same node. 
An attacker could take advantage of this by reading the cmdline file of that particular PID on procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739", "cve": "CVE-2020-1739", "id": "pyup.io-42871", "more_info_path": "/vulnerabilities/CVE-2020-1739/42871", "specs": [ "<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6" ], "v": "<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" }, { "advisory": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypt vault files, such as the assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory created in /tmp leaves the secrets unencrypted. On operating systems where /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot, so the decrypted data remains on disk when the host is switched off. The system is therefore vulnerable while it is not running (e.g. to offline disk access). Decrypted data must be cleared as soon as possible; otherwise data which is normally encrypted becomes available in the clear.", "cve": "CVE-2020-10685", "id": "pyup.io-54331", "more_info_path": "/vulnerabilities/CVE-2020-10685/54331", "specs": [ "<2.7.17", ">=2.8.0a1,<2.8.11", ">=2.9.0b1,<2.9.7" ], "v": "<2.7.17,>=2.8.0a1,<2.8.11,>=2.9.0b1,<2.9.7" }, { "advisory": "A flaw was found in the Ansible Engine, in ansible-engine affected versions, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, the default behaviour. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. 
The highest threat from this vulnerability is to integrity and system availability.", "cve": "CVE-2020-14365", "id": "pyup.io-54224", "more_info_path": "/vulnerabilities/CVE-2020-14365/54224", "specs": [ "<2.8.15", ">=2.9.0b1,<2.9.13" ], "v": "<2.8.15,>=2.9.0b1,<2.9.13" }, { "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774", "cve": "CVE-2021-20178", "id": "pyup.io-42858", "more_info_path": "/vulnerabilities/CVE-2021-20178/42858", "specs": [ "<2.9.18" ], "v": "<2.9.18" }, { "advisory": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.", "cve": "CVE-2020-14330", "id": "pyup.io-54219", "more_info_path": "/vulnerabilities/CVE-2020-14330/54219", "specs": [ ">=0,<2.10.0" ], "v": ">=0,<2.10.0" }, { "advisory": "An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.", "cve": "CVE-2016-8647", "id": "pyup.io-54118", "more_info_path": "/vulnerabilities/CVE-2016-8647/54118", "specs": [ ">=0,<2.2.1.0" ], "v": ">=0,<2.2.1.0" }, { "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. 
This could lead to undesirable situations such as passphrase credentials being passed as a parameter to the ssh-keygen executable, showing those credentials in clear text to every user who has access merely to the process list.", "cve": "CVE-2018-16837", "id": "pyup.io-54010", "more_info_path": "/vulnerabilities/CVE-2018-16837/54010", "specs": [ ">=0,<2.5.11", ">=2.6.0a1,<2.6.9", ">=2.7.0.dev0,<2.7.1" ], "v": ">=0,<2.5.11,>=2.6.0a1,<2.6.9,>=2.7.0.dev0,<2.7.1" }, { "advisory": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.", "cve": "CVE-2019-14846", "id": "pyup.io-54288", "more_info_path": "/vulnerabilities/CVE-2019-14846/54288", "specs": [ ">=0,<2.6.20", ">=2.7.0a0,<2.7.14", ">=2.8.0a0,<2.8.6" ], "v": ">=0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6" }, { "advisory": "A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts when the variable is not escaped by the quote plugin. An attacker could take advantage of this and run arbitrary commands by overwriting the ansible facts.", "cve": "CVE-2020-1734", "id": "pyup.io-54189", "more_info_path": "/vulnerabilities/CVE-2020-1734/54189", "specs": [ ">=0,<2.7.17" ], "v": ">=0,<2.7.17" }, { "advisory": "A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. 
The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "cve": "CVE-2020-1746", "id": "pyup.io-54284", "more_info_path": "/vulnerabilities/CVE-2020-1746/54284", "specs": [ ">=0,<2.7.17", ">=2.8.0a0,<2.8.11", ">=2.9.0b1,<2.9.7" ], "v": ">=0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0b1,<2.9.7" }, { "advisory": "A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.", "cve": "CVE-2020-1737", "id": "pyup.io-54191", "more_info_path": "/vulnerabilities/CVE-2020-1737/54191", "specs": [ ">=0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0b1,<2.9.6" ], "v": ">=0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0b1,<2.9.6" }, { "advisory": "A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.", "cve": "CVE-2020-1753", "id": "pyup.io-54240", "more_info_path": "/vulnerabilities/CVE-2020-1753/54240", "specs": [ ">=0,<2.7.18", ">=2.8.0a0,<2.8.11", ">=2.9.0b1,<2.9.7" ], "v": ">=0,<2.7.18,>=2.8.0a0,<2.8.11,>=2.9.0b1,<2.9.7" }, { "advisory": "A flaw was found in the Ansible Engine when using module_args. 
Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.", "cve": "CVE-2020-14332", "id": "pyup.io-54226", "more_info_path": "/vulnerabilities/CVE-2020-14332/54226", "specs": [ ">=0,<2.8.14", ">=2.9.0b1,<2.9.12" ], "v": ">=0,<2.8.14,>=2.9.0b1,<2.9.12" }, { "advisory": "Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine's ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from `set_options`. The highest threat from this vulnerability is confidentiality.", "cve": "CVE-2021-3620", "id": "pyup.io-54421", "more_info_path": "/vulnerabilities/CVE-2021-3620/54421", "specs": [ ">=0,<2.9.27" ], "v": ">=0,<2.9.27" }, { "advisory": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. 
This flaw affects Ansible Engine versions before 2.9.6.", "cve": "CVE-2020-10729", "id": "pyup.io-54283", "more_info_path": "/vulnerabilities/CVE-2020-10729/54283", "specs": [ ">=0,<2.9.6" ], "v": ">=0,<2.9.6" }, { "advisory": "Ansible 1.9.6 and 2.0.2 include a fix for CVE-2016-3096: The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "cve": "CVE-2016-3096", "id": "pyup.io-25627", "more_info_path": "/vulnerabilities/CVE-2016-3096/25627", "specs": [ ">=2.0.0.0,<2.0.2", "<1.9.6" ], "v": ">=2.0.0.0,<2.0.2,<1.9.6" }, { "advisory": "Ansible 2.1.0.0 include a security fix: Information disclosure of sensitive data in log files.", "cve": "PVE-2023-99974", "id": "pyup.io-60834", "more_info_path": "/vulnerabilities/PVE-2023-99974/60834", "specs": [ ">=2.0.0.0,<2.1.0.0" ], "v": ">=2.0.0.0,<2.1.0.0" }, { "advisory": "A vulnerability was found in Ansible engine and Ansible tower. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. 
As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.", "cve": "CVE-2019-14858", "id": "pyup.io-54153", "more_info_path": "/vulnerabilities/CVE-2019-14858/54153", "specs": [ ">=2.10.0a1,<2.10.0b1", ">=2.9.0b1,<2.9.0", ">=2.8.0a1,<2.8.6", ">=2.7.0.dev0,<2.7.14", "<2.6.20" ], "v": ">=2.10.0a1,<2.10.0b1,>=2.9.0b1,<2.9.0,>=2.8.0a1,<2.8.6,>=2.7.0.dev0,<2.7.14,<2.6.20" }, { "advisory": "A flaw was found in Ansible Engine (fixed in 2.8.19, 2.9.18 and 2.10.7), where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.", "cve": "CVE-2021-20228", "id": "pyup.io-54286", "more_info_path": "/vulnerabilities/CVE-2021-20228/54286", "specs": [ ">=2.10.0a1,<2.10.7", ">=2.9.0b1,<2.9.18", ">=0,<2.8.19" ], "v": ">=2.10.0a1,<2.10.7,>=2.9.0b1,<2.9.18,>=0,<2.8.19" }, { "advisory": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.", "cve": "CVE-2018-10855", "id": "pyup.io-54290", "more_info_path": "/vulnerabilities/CVE-2018-10855/54290", "specs": [ ">=2.5.0a1,<2.5.5", ">=2.4.0,<2.4.5" ], "v": ">=2.5.0a1,<2.5.5,>=2.4.0,<2.4.5" }, { "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. 
This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.", "cve": "CVE-2022-3697", "id": "pyup.io-54564", "more_info_path": "/vulnerabilities/CVE-2022-3697/54564", "specs": [ ">=2.5.0a1,<7.0.0" ], "v": ">=2.5.0a1,<7.0.0" }, { "advisory": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.", "cve": "CVE-2018-10875", "id": "pyup.io-54289", "more_info_path": "/vulnerabilities/CVE-2018-10875/54289", "specs": [ ">=2.5a1,<2.5.6", ">=2.6a1,<2.6.1", "<2.4.6.0" ], "v": ">=2.5a1,<2.5.6,>=2.6a1,<2.6.1,<2.4.6.0" }, { "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828\r\nhttps://github.com/ansible/ansible/pull/52133", "cve": "CVE-2019-3828", "id": "pyup.io-42888", "more_info_path": "/vulnerabilities/CVE-2019-3828/42888", "specs": [ ">=2.6.0a0,<2.6.14", ">=2.7.0a0,<2.7.8", "<2.5.15" ], "v": ">=2.6.0a0,<2.6.14,>=2.7.0a0,<2.7.8,<2.5.15" }, { "advisory": "Affected versions of Ansible are vulnerable to CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. 
The highest threat from this vulnerability is to data confidentiality.", "cve": "CVE-2019-14856", "id": "pyup.io-42884", "more_info_path": "/vulnerabilities/CVE-2019-14856/42884", "specs": [ ">=2.6.0a0,<2.6.20", ">=2.7.0a0,<2.7.14", ">=2.8.0a0,<2.8.6", ">=2.10.0a1,<2.10.0b1", ">=2.9.0b1,<2.9.0rc4" ], "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6,>=2.10.0a1,<2.10.0b1,>=2.9.0b1,<2.9.0rc4" }, { "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156", "cve": "CVE-2019-10156", "id": "pyup.io-42887", "more_info_path": "/vulnerabilities/CVE-2019-10156/42887", "specs": [ ">=2.7.0a0,<2.7.12", ">=2.8.0a1,<2.8.2", "<2.6.18" ], "v": ">=2.7.0a0,<2.7.12,>=2.8.0a1,<2.8.2,<2.6.18" }, { "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", "cve": "CVE-2019-14864", "id": "pyup.io-42882", "more_info_path": "/vulnerabilities/CVE-2019-14864/42882", "specs": [ ">=2.7.0a0,<2.7.15", ">=2.8.0a0,<2.8.7", ">=2.9.0a0,<2.9.1" ], "v": ">=2.7.0a0,<2.7.15,>=2.8.0a0,<2.8.7,>=2.9.0a0,<2.9.1" }, { "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. 
This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736", "cve": "CVE-2020-1736", "id": "pyup.io-42875", "more_info_path": "/vulnerabilities/CVE-2020-1736/42875", "specs": [ ">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6" ], "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" }, { "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", "cve": "CVE-2020-10684", "id": "pyup.io-42864", "more_info_path": "/vulnerabilities/CVE-2020-10684/42864", "specs": [ ">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6" ], "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" }, { "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", "cve": "CVE-2020-1738", "id": "pyup.io-42873", "more_info_path": "/vulnerabilities/CVE-2020-1738/42873", "specs": [ ">=2.7.0a0,<2.7.17", ">=2.8.0a0,<2.8.9", ">=2.9.0a0,<2.9.6" ], "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" }, { "advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.", "cve": "CVE-2019-14905", "id": "pyup.io-54155", "more_info_path": "/vulnerabilities/CVE-2019-14905/54155", "specs": [ ">=2.7.0a1,<2.7.16", ">=2.8.0a1,<2.8.8", ">=2.9.0b1,<2.9.3" ], "v": ">=2.7.0a1,<2.7.16,>=2.8.0a1,<2.8.8,>=2.9.0b1,<2.9.3" }, { "advisory": "Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.", "cve": "CVE-2018-16859", "id": "pyup.io-54011", "more_info_path": "/vulnerabilities/CVE-2018-16859/54011", "specs": [ ">=2.7.0a1,<2.7.4", ">=0,<2.5.13", ">=2.6.0a1,<2.6.10" ], "v": ">=2.7.0a1,<2.7.4,>=0,<2.5.13,>=2.6.0a1,<2.6.10" }, { "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. 
Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217", "cve": "CVE-2019-10217", "id": "pyup.io-42885", "more_info_path": "/vulnerabilities/CVE-2019-10217/42885", "specs": [ ">=2.8.0a0,<2.8.4" ], "v": ">=2.8.0a0,<2.8.4" }, { "advisory": "Ansible 2.6.19, 2.7.13 and 2.8.4 include a fix for CVE-2019-10206: Ansible-playbook -k and Ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206", "cve": "CVE-2019-10206", "id": "pyup.io-42886", "more_info_path": "/vulnerabilities/CVE-2019-10206/42886", "specs": [ ">=2.8.0a0,<2.8.4", ">=2.7.0a0,<2.7.13", "<2.6.19" ], "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,<2.6.19" }, { "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. 
Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944", "cve": "CVE-2019-14904", "id": "pyup.io-42881", "more_info_path": "/vulnerabilities/CVE-2019-14904/42881", "specs": [ ">=2.8.0a0,<2.8.8", ">=2.9.0a0,<2.9.3", "<2.7.16" ], "v": ">=2.8.0a0,<2.8.8,>=2.9.0a0,<2.9.3,<2.7.16" }, { "advisory": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.", "cve": "CVE-2021-20180", "id": "pyup.io-54426", "more_info_path": "/vulnerabilities/CVE-2021-20180/54426", "specs": [ ">=2.8.0a1,<2.8.19", ">=2.9.0b1,<2.9.18" ], "v": ">=2.8.0a1,<2.8.19,>=2.9.0b1,<2.9.18" }, { "advisory": "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.", "cve": "CVE-2020-10691", "id": "pyup.io-54172", "more_info_path": "/vulnerabilities/CVE-2020-10691/54172", "specs": [ ">=2.9.0b1,<2.9.7" ], "v": ">=2.9.0b1,<2.9.7" } ], "ansible-core": [ { "advisory": "A flaw was found in Ansible if an Ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world-writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. 
This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.", "cve": "CVE-2021-3533", "id": "pyup.io-66667", "more_info_path": "/vulnerabilities/CVE-2021-3533/66667", "specs": [ "<2.12.0b1" ], "v": "<2.12.0b1" }, { "advisory": "An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.", "cve": "CVE-2024-0690", "id": "pyup.io-66700", "more_info_path": "/vulnerabilities/CVE-2024-0690/66700", "specs": [ "<2.14.14", ">=2.15.0b1,<2.15.9", ">=2.16.0b1,<2.16.3" ], "v": "<2.14.14,>=2.15.0b1,<2.15.9,>=2.16.0b1,<2.16.3" }, { "advisory": "Ansible-core 2.15.8 includes a fix for CVE-2023-5764: A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.", "cve": "CVE-2023-5764", "id": "pyup.io-63066", "more_info_path": "/vulnerabilities/CVE-2023-5764/63066", "specs": [ "<2.15.8" ], "v": "<2.15.8" }, { "advisory": "A critical security vulnerability affects Ansible, impacting the handling of sensitive information stored in Ansible Vault files. The vulnerability occurs during playbook execution when using tasks like include_vars to load vaulted variables without setting the no_log: true parameter. This flaw causes sensitive data, including passwords and API keys, to be exposed in plaintext within playbook outputs or logs. Attackers who gain access to these outputs could potentially acquire secrets, leading to unauthorized access or actions on affected systems. 
Users must immediately review and update their Ansible playbooks to ensure proper use of the no_log: true parameter when handling vaulted variables. Additionally, users should audit recent playbook outputs and logs for potential secret exposure.", "cve": "CVE-2024-8775", "id": "pyup.io-73302", "more_info_path": "/vulnerabilities/CVE-2024-8775/73302", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.", "cve": "CVE-2023-5115", "id": "pyup.io-65511", "more_info_path": "/vulnerabilities/CVE-2023-5115/65511", "specs": [ ">=0,<2.13.13rc1", ">=2.14.0,<2.14.11rc1", ">=2.15.0,<2.15.5rc1", ">=2.16.0b1,<2.16.0b2" ], "v": ">=0,<2.13.13rc1,>=2.14.0,<2.14.11rc1,>=2.15.0,<2.15.5rc1,>=2.16.0b1,<2.16.0b2" }, { "advisory": "A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. 
This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.", "cve": "CVE-2023-4237", "id": "pyup.io-70895", "more_info_path": "/vulnerabilities/CVE-2023-4237/70895", "specs": [ ">=2.8.0,<=2.15.2" ], "v": ">=2.8.0,<=2.15.2" } ], "ansible-doctor": [ { "advisory": "Ansible-doctor version 4.0.0 upgrades its dependency on ansible-core from version 2.13.13 to 2.14.12, in response to the identified vulnerabilities outlined in CVE-2023-5764.", "cve": "CVE-2023-5764", "id": "pyup.io-63672", "more_info_path": "/vulnerabilities/CVE-2023-5764/63672", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "ansible-runner": [ { "advisory": "Ansible-runner 1.3.1 sets safer default permissions when writing job events.\r\nhttps://github.com/ansible/ansible-runner/commit/dd2e549c6aadca4fb4f2cde11f1d4dca4b98964f", "cve": "PVE-2021-36995", "id": "pyup.io-36995", "more_info_path": "/vulnerabilities/PVE-2021-36995/36995", "specs": [ "<1.3.1" ], "v": "<1.3.1" }, { "advisory": "A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.", "cve": "CVE-2021-4041", "id": "pyup.io-54468", "more_info_path": "/vulnerabilities/CVE-2021-4041/54468", "specs": [ ">=0,<2.1.0" ], "v": ">=0,<2.1.0" }, { "advisory": "A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. 
The highest threat from this flaw is to integrity and confidentiality.", "cve": "CVE-2021-3702", "id": "pyup.io-54467", "more_info_path": "/vulnerabilities/CVE-2021-3702/54467", "specs": [ ">=2.0.0,<2.1.0" ], "v": ">=2.0.0,<2.1.0" }, { "advisory": "A flaw was found in ansible-runner where the default temporary-files configuration in ansible-runner 2.0.0 writes to world-readable/writable locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.", "cve": "CVE-2021-3701", "id": "pyup.io-54466", "more_info_path": "/vulnerabilities/CVE-2021-3701/54466", "specs": [ ">=2.0.0,<2.1.0" ], "v": ">=2.0.0,<2.1.0" } ], "ansible-tower-cli": [ { "advisory": "Ansible-tower-cli versions 3.1.x and before are affected by CVE-2020-10684 (fixed in Ansible Engine 2.7.17, 2.8.9 and 2.9.6): A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead to privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", "cve": "CVE-2020-10684", "id": "pyup.io-42865", "more_info_path": "/vulnerabilities/CVE-2020-10684/42865", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. 
These are affected by CVE-2020-1738.", "cve": "CVE-2020-1738", "id": "pyup.io-42874", "more_info_path": "/vulnerabilities/CVE-2020-1738/42874", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1739.", "cve": "CVE-2020-1739", "id": "pyup.io-42872", "more_info_path": "/vulnerabilities/CVE-2020-1739/42872", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1736.", "cve": "CVE-2020-1736", "id": "pyup.io-42876", "more_info_path": "/vulnerabilities/CVE-2020-1736/42876", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3447.", "cve": "CVE-2021-3447", "id": "pyup.io-42861", "more_info_path": "/vulnerabilities/CVE-2021-3447/42861", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1740.", "cve": "CVE-2020-1740", "id": "pyup.io-42870", "more_info_path": "/vulnerabilities/CVE-2020-1740/42870", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2020-1733.", "cve": "CVE-2020-1733", "id": "pyup.io-42880", "more_info_path": "/vulnerabilities/CVE-2020-1733/42880", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. 
These are affected by CVE-2020-1735.", "cve": "CVE-2020-1735", "id": "pyup.io-42878", "more_info_path": "/vulnerabilities/CVE-2020-1735/42878", "specs": [ "<3.2.0" ], "v": "<3.2.0" }, { "advisory": "Ansible-tower-cli versions 3.1.x and before use API v1, which implies the use of ansible-tower version 3.2.x or earlier. These are affected by CVE-2021-3583.", "cve": "CVE-2021-3583", "id": "pyup.io-42925", "more_info_path": "/vulnerabilities/CVE-2021-3583/42925", "specs": [ "<3.2.0" ], "v": "<3.2.0" } ], "ansible-vault": [ { "advisory": "An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.\r\nhttps://github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04", "cve": "CVE-2017-2809", "id": "pyup.io-35730", "more_info_path": "/vulnerabilities/CVE-2017-2809/35730", "specs": [ "<1.0.5" ], "v": "<1.0.5" } ], "ansibleguy-webui": [ { "advisory": "Ansibleguy-webui is an open-source WebUI for using Ansible. Multiple forms in affected versions allowed the injection of HTML elements. 
These are returned to the user after executing job actions and thus evaluated by the browser.", "cve": "CVE-2024-36110", "id": "pyup.io-71998", "more_info_path": "/vulnerabilities/CVE-2024-36110/71998", "specs": [ "<0.0.21" ], "v": "<0.0.21" }, { "advisory": "Affected versions of Ansibleguy-webui are potentially vulnerable to XSS.", "cve": "PVE-2024-72284", "id": "pyup.io-72284", "more_info_path": "/vulnerabilities/PVE-2024-72284/72284", "specs": [ "<0.0.23" ], "v": "<0.0.23" } ], "ansigenome": [ { "advisory": "Ansigenome before 0.6.0 uses yaml.load() instead of yaml.safe_load(), allowing a code execution vulnerability.", "cve": "CVE-2017-18342", "id": "pyup.io-34505", "more_info_path": "/vulnerabilities/CVE-2017-18342/34505", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "ansitoimg": [ { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2020-35654", "id": "pyup.io-40996", "more_info_path": "/vulnerabilities/CVE-2020-35654/40996", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2021-27921", "id": "pyup.io-40611", "more_info_path": "/vulnerabilities/CVE-2021-27921/40611", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2021-27923", "id": "pyup.io-40993", "more_info_path": "/vulnerabilities/CVE-2021-27923/40993", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2020-35655", "id": "pyup.io-40994", "more_info_path": "/vulnerabilities/CVE-2020-35655/40994", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": 
"CVE-2020-35653", "id": "pyup.io-40995", "more_info_path": "/vulnerabilities/CVE-2020-35653/40995", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" }, { "advisory": "Ansitoimg 2021.0.1 updates its dependency 'pillow' to a version >= 8.1.1 to include security fixes.", "cve": "CVE-2021-27922", "id": "pyup.io-40612", "more_info_path": "/vulnerabilities/CVE-2021-27922/40612", "specs": [ "<2021.0.1" ], "v": "<2021.0.1" } ], "ansys-geometry-core": [ { "advisory": "PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12. See CVE-2024-29189.", "cve": "CVE-2024-29189", "id": "pyup.io-66973", "more_info_path": "/vulnerabilities/CVE-2024-29189/66973", "specs": [ ">=0.3.0,<0.3.3", ">=0.4.0,<0.4.12" ], "v": ">=0.3.0,<0.3.3,>=0.4.0,<0.4.12" } ], "ansys-tools-repo-sync": [ { "advisory": "Ansys-tools-repo-sync 0.1.17 updates its dependency 'urllib3' to v1.26.9 to include security fixes.", "cve": "CVE-2020-26137", "id": "pyup.io-51112", "more_info_path": "/vulnerabilities/CVE-2020-26137/51112", "specs": [ "<0.1.17" ], "v": "<0.1.17" }, { "advisory": "Ansys-tools-repo-sync 0.1.17 updates its dependency 'urllib3' to v1.26.9 to include security fixes.", "cve": "CVE-2018-20060", "id": "pyup.io-51115", "more_info_path": "/vulnerabilities/CVE-2018-20060/51115", "specs": [ "<0.1.17" ], "v": "<0.1.17" }, { "advisory": "Ansys-tools-repo-sync 0.1.17 updates its dependency 'urllib3' to v1.26.9 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-51113", "more_info_path": "/vulnerabilities/CVE-2019-11324/51113", "specs": [ "<0.1.17" ], "v": "<0.1.17" }, { "advisory": "Ansys-tools-repo-sync 0.1.17 updates its dependency 'urllib3' to v1.26.9 to include security fixes.", 
"cve": "CVE-2021-33503", "id": "pyup.io-51024", "more_info_path": "/vulnerabilities/CVE-2021-33503/51024", "specs": [ "<0.1.17" ], "v": "<0.1.17" }, { "advisory": "Ansys-tools-repo-sync 0.1.17 updates its dependency 'urllib3' to v1.26.9 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-51114", "more_info_path": "/vulnerabilities/CVE-2019-11236/51114", "specs": [ "<0.1.17" ], "v": "<0.1.17" } ], "anthropic": [ { "advisory": "Anthropic 0.3.2 updates its dependency 'certifi' to version '2023.5.7' to include a security fix.\r\nhttps://github.com/anthropics/anthropic-sdk-python/pull/51", "cve": "CVE-2022-23491", "id": "pyup.io-59254", "more_info_path": "/vulnerabilities/CVE-2022-23491/59254", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "antilles-tools": [ { "advisory": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.", "cve": "CVE-2021-3840", "id": "pyup.io-54373", "more_info_path": "/vulnerabilities/CVE-2021-3840/54373", "specs": [ ">=0,<1.0.1" ], "v": ">=0,<1.0.1" } ], "anyio": [ { "advisory": "Anyio version 4.4.0 addresses a thread race condition in `_eventloop.get_asynclib()` that caused crashes when multiple event loops of the same backend were running in separate threads and simultaneously attempted to use AnyIO for the first time. 
This fix ensures more stable and reliable performance in multi-threaded environments.", "cve": "PVE-2024-71199", "id": "pyup.io-71199", "more_info_path": "/vulnerabilities/PVE-2024-71199/71199", "specs": [ "<4.4.0" ], "v": "<4.4.0" } ], "anymotion-sdk": [ { "advisory": "Anymotion-sdk 1.2.5 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-40842", "more_info_path": "/vulnerabilities/CVE-2021-33503/40842", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "ao3-poster": [ { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'httplib2' to v0.19.0 to include security fixes.", "cve": "CVE-2021-21240", "id": "pyup.io-49127", "more_info_path": "/vulnerabilities/CVE-2021-21240/49127", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-27291", "id": "pyup.io-49124", "more_info_path": "/vulnerabilities/CVE-2021-27291/49124", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'rsa' to v4.7 to include security fixes.", "cve": "CVE-2020-25658", "id": "pyup.io-49125", "more_info_path": "/vulnerabilities/CVE-2020-25658/49125", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-20270", "id": "pyup.io-49123", "more_info_path": "/vulnerabilities/CVE-2021-20270/49123", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'httplib2' to v0.19.0 to include security fixes.", "cve": "CVE-2020-11078", "id": "pyup.io-49128", "more_info_path": "/vulnerabilities/CVE-2020-11078/49128", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-28493", "id": "pyup.io-42030", 
"more_info_path": "/vulnerabilities/CVE-2020-28493/42030", "specs": [ "<0.0.7" ], "v": "<0.0.7" }, { "advisory": "Ao3-poster version 0.0.7 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-13757", "id": "pyup.io-49126", "more_info_path": "/vulnerabilities/CVE-2020-13757/49126", "specs": [ "<0.0.7" ], "v": "<0.0.7" } ], "apache-age-python": [ { "advisory": "Apache-age-python is affected by CVE-2022-45786: There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition to the latest version of AGE that is used for PostgreSQL 11 or PostgreSQL 12. The update of AGE will add a new function to enable parameterization of the cypher() function, which, in conjunction with the driver updates, will resolve this issue. Background (for those who want more information): After thoroughly researching this issue, we found that due to the nature of the cypher() function, it was not easy to parameterize the values passed into it. This enabled SQL injections, if the developer of the driver wasn't careful. The developer of the Golang and Python drivers didn't fully utilize parameterization, likely because of this, thus enabling SQL injections. The obvious fix to this issue is to use parameterization in the drivers for all PG SQL queries. However, parameterizing all PG queries is complicated by the fact that the cypher() function call itself cannot be parameterized directly, as it isn't a real function. At least, not the parameters that would take the graph name and cypher query. The reason the cypher() function cannot have those values parameterized is because the function is a placeholder and never actually runs. 
The cypher() function node, created by PG in the query tree, is transformed and replaced with a query tree for the actual cypher query during the analyze phase. The problem is that parameters - that would be passed in and that the cypher() function transform needs to be resolved - are only resolved in the execution phase, which is much later. Since the transform of the cypher() function needs to know the graph name and cypher query prior to execution, they can't be passed as parameters. The fix that we are testing right now, and are proposing to use, is to create a function that will be called prior to the execution of the cypher() function transform. This new function will allow values to be passed as parameters for the graph name and cypher query. As this command will be executed prior to the cypher() function transform, its values will be resolved. These values can then be cached for the immediately following cypher() function transform to use. As added features, the cached values will store the calling session's pid, for validation. And, the cypher() function transform will clear this cached information after function invocation, regardless of whether it was used. 
This method will allow the parameterizing of the cypher() function indirectly and provide a way to lock out SQL injection attacks.", "cve": "CVE-2022-45786", "id": "pyup.io-52972", "more_info_path": "/vulnerabilities/CVE-2022-45786/52972", "specs": [ ">0" ], "v": ">0" } ], "apache-airflow": [ { "advisory": "Apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint.\r\nhttps://github.com/apache/airflow/commit/8f9bf94d82abc59336e642db64e575cee0cc5df0", "cve": "PVE-2021-36832", "id": "pyup.io-36832", "more_info_path": "/vulnerabilities/PVE-2021-36832/36832", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "In Apache Airflow < 1.10.12, the \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS.", "cve": "CVE-2020-13944", "id": "pyup.io-42325", "more_info_path": "/vulnerabilities/CVE-2020-13944/42325", "specs": [ "<1.10.12" ], "v": "<1.10.12" }, { "advisory": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. See CVE-2020-17513.", "cve": "CVE-2020-17513", "id": "pyup.io-39282", "more_info_path": "/vulnerabilities/CVE-2020-17513/39282", "specs": [ "<1.10.13" ], "v": "<1.10.13" }, { "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. 
This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.", "cve": "CVE-2020-17515", "id": "pyup.io-42326", "more_info_path": "/vulnerabilities/CVE-2020-17515/42326", "specs": [ "<1.10.13" ], "v": "<1.10.13" }, { "advisory": "Apache-airflow 1.10.14 starts using a random SECRET_KEY, as it is recommended by Flask community.\r\nhttps://github.com/apache/airflow/commit/dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6\r\nhttps://github.com/apache/airflow/commit/fe6d00a54f83468e296777d3b83b65a2ae7169ec", "cve": "PVE-2022-48307", "id": "pyup.io-48307", "more_info_path": "/vulnerabilities/PVE-2022-48307/48307", "specs": [ "<1.10.14" ], "v": "<1.10.14" }, { "advisory": "Apache-airflow 1.10.3 updates its dependency 'gunicorn' minimum requirement to v19.5.0 to include a security fix.", "cve": "CVE-2018-1000164", "id": "pyup.io-51833", "more_info_path": "/vulnerabilities/CVE-2018-1000164/51833", "specs": [ "<1.10.3" ], "v": "<1.10.3" }, { "advisory": "Apache-airflow 1.10.3 sets HttpOnly flag to cookies by default.\r\nhttps://github.com/apache/airflow/commit/1211dddfd7167fd90575f40dd6734b0af9aec8b7", "cve": "PVE-2022-51848", "id": "pyup.io-51848", "more_info_path": "/vulnerabilities/PVE-2022-51848/51848", "specs": [ "<1.10.3" ], "v": "<1.10.3" }, { "advisory": "Apache-airflow 1.10.3 updates its dependency 'flask-admin' v1.5.3 to include a security fix.", "cve": "CVE-2018-16516", "id": "pyup.io-51849", "more_info_path": "/vulnerabilities/CVE-2018-16516/51849", "specs": [ "<1.10.3" ], "v": "<1.10.3" }, { "advisory": "Apache-airflow 1.9.0a0 includes a security fix: An individual with the capacity to create or modify Charts holds the potential to run any code they desire on the Airflow server.", "cve": "PVE-2023-99964", "id": "pyup.io-60877", "more_info_path": "/vulnerabilities/PVE-2023-99964/60877", "specs": [ "<1.9.0a0" ], "v": "<1.9.0a0" }, { "advisory": "Apache-airflow 1.9.0a0 includes a security fix: When navigating to a page where the 
'dag_id' parameter is specified as an HTML tag, the tag is rendered. This is because it uses the Markup tag, which subsequently marks HTML as safe. This presents cross-site scripting vulnerabilities due to the display of unsanitized user input.", "cve": "PVE-2023-99965", "id": "pyup.io-60876", "more_info_path": "/vulnerabilities/PVE-2023-99965/60876", "specs": [ "<1.9.0a0" ], "v": "<1.9.0a0" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the JDBC provider integration. Therefore, it is affected by CVE-2023-22886.", "cve": "CVE-2023-22886", "id": "pyup.io-63171", "more_info_path": "/vulnerabilities/CVE-2023-22886/63171", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-25696.", "cve": "CVE-2023-25696", "id": "pyup.io-63179", "more_info_path": "/vulnerabilities/CVE-2023-25696/63179", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-28710.", "cve": "CVE-2023-28710", "id": "pyup.io-63173", "more_info_path": "/vulnerabilities/CVE-2023-28710/63173", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud Provider integration. Therefore, it is affected by CVE-2023-25692.", "cve": "CVE-2023-25692", "id": "pyup.io-63176", "more_info_path": "/vulnerabilities/CVE-2023-25692/63176", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. 
Therefore, it is affected by CVE-2023-40195.", "cve": "CVE-2023-40195", "id": "pyup.io-63170", "more_info_path": "/vulnerabilities/CVE-2023-40195/63170", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.", "cve": "CVE-2022-38362", "id": "pyup.io-63172", "more_info_path": "/vulnerabilities/CVE-2022-38362/63172", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud provider integration. Therefore, it is affected by CVE-2023-25691.", "cve": "CVE-2023-25691", "id": "pyup.io-63175", "more_info_path": "/vulnerabilities/CVE-2023-25691/63175", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.", "cve": "CVE-2022-46421", "id": "pyup.io-63180", "more_info_path": "/vulnerabilities/CVE-2022-46421/63180", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2023-28706.", "cve": "CVE-2023-28706", "id": "pyup.io-63174", "more_info_path": "/vulnerabilities/CVE-2023-28706/63174", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Sqoop provider integration. Therefore, it is affected by CVE-2023-25693.", "cve": "CVE-2023-25693", "id": "pyup.io-63178", "more_info_path": "/vulnerabilities/CVE-2023-25693/63178", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Amazon provider integration. 
Therefore, it is affected by CVE-2023-25956.", "cve": "CVE-2023-25956", "id": "pyup.io-63177", "more_info_path": "/vulnerabilities/CVE-2023-25956/63177", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { "advisory": "Apache-airflow 2.1.0rc1 updates its NPM dependency 'stylelint' to include a security fix.\r\nhttps://github.com/apache/airflow/pull/15784", "cve": "CVE-2020-7753", "id": "pyup.io-48305", "more_info_path": "/vulnerabilities/CVE-2020-7753/48305", "specs": [ "<2.1.0rc1" ], "v": "<2.1.0rc1" }, { "advisory": "Apache-airflow 2.1.1 updates NPM dependencies to fix a vulnerability in 'normalize-url' package.\r\nhttps://github.com/apache/airflow/pull/16375", "cve": "CVE-2021-33502", "id": "pyup.io-48304", "more_info_path": "/vulnerabilities/CVE-2021-33502/48304", "specs": [ "<2.1.1" ], "v": "<2.1.1" }, { "advisory": "Apache Airflow version 2.1.2 includes a fix for CVE-2021-35936: If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. \r\nhttps://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E", "cve": "CVE-2021-35936", "id": "pyup.io-41181", "more_info_path": "/vulnerabilities/CVE-2021-35936/41181", "specs": [ "<2.1.2" ], "v": "<2.1.2" }, { "advisory": "Apache Airflow, in affected versions, contains a vulnerability where a malicious provider could exploit a cross-site scripting (XSS) attack through a provider documentation link. A malicious user could inject a JavaScript URL (e.g., `javascript:prompt(document.domain)`) into the provider's metadata. If a user clicks on this crafted link, it could trigger an XSS attack. 
The vulnerability requires the malicious provider to be installed on the web server and the user to interact with the malicious link.", "cve": "CVE-2024-41937", "id": "pyup.io-72974", "more_info_path": "/vulnerabilities/CVE-2024-41937/72974", "specs": [ "<2.10.0" ], "v": "<2.10.0" }, { "advisory": "Apache Airflow affected versions contain a critical vulnerability in the example DAG file \"example_inlet_event_extra.py\". This flaw allows authenticated attackers with only DAG trigger permission to execute arbitrary commands on the Airflow worker. Users who have based their DAGs on this example may be at risk. It is strongly recommended to avoid exposing example DAGs in production environments. If exposure is necessary, upgrade immediately to Airflow version 2.10.1 or later, which patches this vulnerability. Additionally, review all DAGs derived from this example for similar security issues.", "cve": "CVE-2024-45498", "id": "pyup.io-73187", "more_info_path": "/vulnerabilities/CVE-2024-45498/73187", "specs": [ "<2.10.1" ], "v": "<2.10.1" }, { "advisory": "Apache Airflow affected versions contain a potential security vulnerability in the initialization process. The DAGS_FOLDER was added to sys.path before importing local settings, potentially allowing execution of malicious code if an attacker had write access to the DAGS_FOLDER. The fix reorganizes the initialization sequence, ensuring DAGS_FOLDER is added to sys.path only after local settings are imported. This change mitigates the risk of unintended code execution during startup. 
Users are strongly advised to update to the latest version incorporating this fix, especially in environments where DAGS_FOLDER access is not strictly controlled.", "cve": "CVE-2024-45034", "id": "pyup.io-73188", "more_info_path": "/vulnerabilities/CVE-2024-45034/73188", "specs": [ "<2.10.1" ], "v": "<2.10.1" }, { "advisory": "Apache-airflow 2.2.5 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/apache/airflow/pull/20699", "cve": "PVE-2023-60199", "id": "pyup.io-60199", "more_info_path": "/vulnerabilities/PVE-2023-60199/60199", "specs": [ "<2.2.5" ], "v": "<2.2.5" }, { "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'datatables.net' to versions ^1.10.23 to include a security fix.", "cve": "CVE-2021-23445", "id": "pyup.io-48604", "more_info_path": "/vulnerabilities/CVE-2021-23445/48604", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.", "cve": "CVE-2021-37712", "id": "pyup.io-48617", "more_info_path": "/vulnerabilities/CVE-2021-37712/48617", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.", "cve": "CVE-2021-37701", "id": "pyup.io-48616", "more_info_path": "/vulnerabilities/CVE-2021-37701/48616", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Apache-airflow 2.3.0 updates its NPM dependency 'tar' requirement to '>=6.1.9' to include security fixes.", "cve": "CVE-2021-37713", "id": "pyup.io-48618", "more_info_path": "/vulnerabilities/CVE-2021-37713/48618", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Affected versions of Apache-airflow are vulnerable to Privilege Context Switching Error. 
File Task Handler should apply different permissions to log files generated by Airflow in order to handle impersonation.", "cve": "CVE-2023-25754", "id": "pyup.io-62916", "more_info_path": "/vulnerabilities/CVE-2023-25754/62916", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { "advisory": "The details page for task instances in the user interface is subject to a stored XSS vulnerability. This problem pertains to Apache Airflow versions prior to 2.6.0.\r\nhttps://github.com/apache/airflow/pull/30447/commits/3d894f7a643e9319f5c48e343ac39b248dedaa9b\r\nhttps://github.com/apache/airflow/pull/30779/commits/7c566f7ef4b33175aafc4f89f94fb2096b093940", "cve": "CVE-2023-29247", "id": "pyup.io-63344", "more_info_path": "/vulnerabilities/CVE-2023-29247/63344", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { "advisory": "Execution with Unnecessary Privileges: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The \"Run Task\" feature enables authenticated users to bypass some of the restrictions put in place. It allows the execution of code in the webserver context as well as bypasses the limitation of access the user has to certain DAGs. The \"Run Task\" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0", "cve": "CVE-2023-39508", "id": "pyup.io-65021", "more_info_path": "/vulnerabilities/CVE-2023-39508/65021", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. 
It is recommended to upgrade to a version that is not affected", "cve": "CVE-2023-22887", "id": "pyup.io-62890", "more_info_path": "/vulnerabilities/CVE-2023-22887/62890", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it.", "cve": "CVE-2022-46651", "id": "pyup.io-71689", "more_info_path": "/vulnerabilities/CVE-2022-46651/71689", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", "cve": "CVE-2023-22888", "id": "pyup.io-62891", "more_info_path": "/vulnerabilities/CVE-2023-22888/62891", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow affected versions have a vulnerability where an authenticated user can use crafted input to make the current request hang. 
It is recommended to upgrade to a version that is not affected", "cve": "CVE-2023-36543", "id": "pyup.io-71687", "more_info_path": "/vulnerabilities/CVE-2023-36543/71687", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow affected versions are affected by a vulnerability that allows unauthorized read access to a DAG through the URL.", "cve": "CVE-2023-35908", "id": "pyup.io-71688", "more_info_path": "/vulnerabilities/CVE-2023-35908/71688", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", "cve": "PVE-2023-99911", "id": "pyup.io-62823", "more_info_path": "/vulnerabilities/PVE-2023-99911/62823", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", "cve": "PVE-2024-99900", "id": "pyup.io-64989", "more_info_path": "/vulnerabilities/PVE-2024-99900/64989", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { "advisory": "Apache-airflow 2.7.0 disables support for the deserialize flag by default in the 'xcomEntries' API. 
This was an unsafe default, as deserialization may instantiate arbitrary objects.\r\nhttps://github.com/apache/airflow/pull/32176", "cve": "PVE-2023-60962", "id": "pyup.io-60962", "more_info_path": "/vulnerabilities/PVE-2023-60962/60962", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability", "cve": "CVE-2023-39441", "id": "pyup.io-65020", "more_info_path": "/vulnerabilities/CVE-2023-39441/65020", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { "advisory": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\r\n\r\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. 
Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.", "cve": "CVE-2023-37379", "id": "pyup.io-65002", "more_info_path": "/vulnerabilities/CVE-2023-37379/65002", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { "advisory": "A session fixation vulnerability allows authenticated users to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. 
Documentation is also updated explaining this behavior.", "cve": "CVE-2023-40273", "id": "pyup.io-65797", "more_info_path": "/vulnerabilities/CVE-2023-40273/65797", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { "advisory": "Apache-airflow 2.7.0 disables, by default, the testing of connections in UI, API and CLI for security reasons.\r\nhttps://github.com/apache/airflow/pull/32052", "cve": "PVE-2023-60952", "id": "pyup.io-60952", "more_info_path": "/vulnerabilities/PVE-2023-60952/60952", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { "advisory": "Affected versions of Apache Airflow are susceptible to a vulnerability permitting authenticated and DAG-view authorized users to manipulate certain DAG run detail values, like configuration parameters and start dates, through note submission.", "cve": "CVE-2023-40611", "id": "pyup.io-65394", "more_info_path": "/vulnerabilities/CVE-2023-40611/65394", "specs": [ "<2.7.1" ], "v": "<2.7.1" }, { "advisory": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated\u00a0users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.", "cve": "CVE-2023-40712", "id": "pyup.io-65521", "more_info_path": "/vulnerabilities/CVE-2023-40712/65521", "specs": [ "<2.7.1" ], "v": "<2.7.1" }, { "advisory": "Apache Airflow contains a vulnerability where an authorized user with limited permissions can access task instance information across unintended DAGs, posing a risk to versions prior to 2.7.2. 
Users are encouraged to upgrade to mitigate this security risk.", "cve": "CVE-2023-42663", "id": "pyup.io-65393", "more_info_path": "/vulnerabilities/CVE-2023-42663/65393", "specs": [ "<2.7.2" ], "v": "<2.7.2" }, { "advisory": "A security vulnerability exists in versions of Apache Airflow that enables an authenticated user with limited permissions to potentially alter DAG resources they should not have access to, by crafting specific requests. This flaw could lead to unauthorized modification of DAGs, compromising the integrity of those processes.", "cve": "CVE-2023-42792", "id": "pyup.io-65390", "more_info_path": "/vulnerabilities/CVE-2023-42792/65390", "specs": [ "<2.7.2" ], "v": "<2.7.2" }, { "advisory": "A security flaw in Apache Airflow allows authenticated users to view warnings and related details for all Directed Acyclic Graphs (DAGs), including those they are not permitted to see. This exposure includes DAG IDs and stack traces from import errors, posing a risk to versions of Apache Airflow before 2.7.2.", "cve": "CVE-2023-42780", "id": "pyup.io-65392", "more_info_path": "/vulnerabilities/CVE-2023-42780/65392", "specs": [ "<2.7.2" ], "v": "<2.7.2" }, { "advisory": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\u00a0 This is a different issue than CVE-2023-42663 but leads to a similar outcome.\r\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.", "cve": "CVE-2023-42781", "id": "pyup.io-65391", "more_info_path": "/vulnerabilities/CVE-2023-42781/65391", "specs": [ "<2.7.3" ], "v": "<2.7.3" }, { "advisory": "Affected versions of Apache Airflow allow authenticated and DAG-view authorized users to inappropriately modify DAG run detail values, including configuration parameters and start dates.", "cve": "CVE-2023-47037", "id": 
"pyup.io-65387", "more_info_path": "/vulnerabilities/CVE-2023-47037/65387", "specs": [ "<2.7.3" ], "v": "<2.7.3" }, { "advisory": "Apache Airflow affected versions have a vulnerability related to improper preservation of permissions. The local file task handler incorrectly sets write permissions for all parent folders of the log folder, potentially adding write access to the Unix group. This is particularly problematic if Airflow is run as the root user, potentially impacting SSH operations if log files are stored in the home directory. This issue does not affect users of Official Airflow Docker images. Affected users should upgrade to version 2.8.4 or above, change the file task handler permissions, or ensure their umask is set to 002.", "cve": "CVE-2024-29735", "id": "pyup.io-71685", "more_info_path": "/vulnerabilities/CVE-2024-29735/71685", "specs": [ "<2.8.4" ], "v": "<2.8.4" }, { "advisory": "Affected Airflow versions have a vulnerability that allows an authenticated user to see sensitive provider configuration via the \"configuration\" UI page when \"non-sensitive-only\" was set as \"webserver.expose_config\" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your \"expose_config\" configuration to False as a workaround. 
This is similar, but different to CVE-2023-46288 which concerned API, not UI configuration page.", "cve": "CVE-2024-31869", "id": "pyup.io-71686", "more_info_path": "/vulnerabilities/CVE-2024-31869/71686", "specs": [ "<2.9" ], "v": "<2.9" }, { "advisory": "Apache Airflow affected versions have a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs.", "cve": "CVE-2024-32077", "id": "pyup.io-71634", "more_info_path": "/vulnerabilities/CVE-2024-32077/71634", "specs": [ "<2.9.1" ], "v": "<2.9.1" }, { "advisory": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return \"Cache-Control\" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.", "cve": "CVE-2024-25142", "id": "pyup.io-71856", "more_info_path": "/vulnerabilities/CVE-2024-25142/71856", "specs": [ "<2.9.2" ], "v": "<2.9.2" }, { "advisory": "Affected versions of Apache Airflow have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider.", "cve": "CVE-2024-39863", "id": "pyup.io-72254", "more_info_path": "/vulnerabilities/CVE-2024-39863/72254", "specs": [ "<2.9.3" ], "v": "<2.9.3" }, { "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49785", "more_info_path": "/vulnerabilities/PVE-2022-47833/49785", "specs": [ "<=2.3.2" ], "v": "<=2.3.2" }, { "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49787", "more_info_path": "/vulnerabilities/PVE-2021-42852/49787", "specs": [ "<=2.3.2" ], "v": "<=2.3.2" }, { "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49786", "more_info_path": 
"/vulnerabilities/CVE-2022-29217/49786", "specs": [ "<=2.3.2" ], "v": "<=2.3.2" }, { "advisory": "The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.", "cve": "CVE-2018-20245", "id": "pyup.io-54021", "more_info_path": "/vulnerabilities/CVE-2018-20245/54021", "specs": [ ">=0,<1.10.1" ], "v": ">=0,<1.10.1" }, { "advisory": "Apache-airflow 1.10.11 includes a fix for CVE-2020-13927: The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default '[api]auth_backend = airflow.api.auth.backend.deny_all' as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default", "cve": "CVE-2020-13927", "id": "pyup.io-54436", "more_info_path": "/vulnerabilities/CVE-2020-13927/54436", "specs": [ ">=0,<1.10.11" ], "v": ">=0,<1.10.11" }, { "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.", "cve": "CVE-2020-11981", "id": "pyup.io-54177", "more_info_path": "/vulnerabilities/CVE-2020-11981/54177", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. 
When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.", "cve": "CVE-2020-11982", "id": "pyup.io-54179", "more_info_path": "/vulnerabilities/CVE-2020-11982/54179", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the \"classic\" UI.", "cve": "CVE-2020-9485", "id": "pyup.io-54204", "more_info_path": "/vulnerabilities/CVE-2020-9485/54204", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { "advisory": "Apache-airflow 1.10.11rc1 includes a fix for CVE-2020-11978: A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "cve": "CVE-2020-11978", "id": "pyup.io-54349", "more_info_path": "/vulnerabilities/CVE-2020-11978/54349", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", "cve": "CVE-2020-11983", "id": "pyup.io-54181", "more_info_path": "/vulnerabilities/CVE-2020-11983/54181", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { "advisory": "In Airflow versions prior to 1.10.13, when creating a user using the airflow CLI, the password gets logged in plain text in the Log table in the Airflow metadata database. 
Same happened when creating a Connection with a password field.", "cve": "CVE-2020-17511", "id": "pyup.io-54253", "more_info_path": "/vulnerabilities/CVE-2020-17511/54253", "specs": [ ">=0,<1.10.13" ], "v": ">=0,<1.10.13" }, { "advisory": "Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.", "cve": "CVE-2020-17526", "id": "pyup.io-54278", "more_info_path": "/vulnerabilities/CVE-2020-17526/54278", "specs": [ ">=0,<1.10.14" ], "v": ">=0,<1.10.14" }, { "advisory": "In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.", "cve": "CVE-2018-20244", "id": "pyup.io-54020", "more_info_path": "/vulnerabilities/CVE-2018-20244/54020", "specs": [ ">=0,<1.10.2" ], "v": ">=0,<1.10.2" }, { "advisory": "A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.", "cve": "CVE-2019-0216", "id": "pyup.io-54125", "more_info_path": "/vulnerabilities/CVE-2019-0216/54125", "specs": [ ">=0,<1.10.3b1" ], "v": ">=0,<1.10.3b1" }, { "advisory": "A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.", "cve": "CVE-2019-0229", "id": "pyup.io-54127", "more_info_path": "/vulnerabilities/CVE-2019-0229/54127", "specs": [ ">=0,<1.10.3b1" ], "v": ">=0,<1.10.3b1" }, { "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. 
This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74", "cve": "PVE-2024-99796", "id": "pyup.io-66019", "more_info_path": "/vulnerabilities/PVE-2024-99796/66019", "specs": [ ">=0,<1.10.5" ], "v": ">=0,<1.10.5" }, { "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.", "cve": "CVE-2019-12398", "id": "pyup.io-54139", "more_info_path": "/vulnerabilities/CVE-2019-12398/54139", "specs": [ ">=0,<1.10.5" ], "v": ">=0,<1.10.5" }, { "advisory": "A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.", "cve": "CVE-2019-12417", "id": "pyup.io-54143", "more_info_path": "/vulnerabilities/CVE-2019-12417/54143", "specs": [ ">=0,<1.10.6rc1" ], "v": ">=0,<1.10.6rc1" }, { "advisory": "It was noticed an XSS in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. 
Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.", "cve": "CVE-2017-12614", "id": "pyup.io-53928", "more_info_path": "/vulnerabilities/CVE-2017-12614/53928", "specs": [ ">=0,<1.9.0" ], "v": ">=0,<1.9.0" }, { "advisory": "In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.", "cve": "CVE-2017-17835", "id": "pyup.io-53948", "more_info_path": "/vulnerabilities/CVE-2017-17835/53948", "specs": [ ">=0,<1.9.0" ], "v": ">=0,<1.9.0" }, { "advisory": "In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, whether it be via XSS or by leaving a machine unlocked can exfiltrate all credentials from the system.", "cve": "CVE-2017-17836", "id": "pyup.io-53950", "more_info_path": "/vulnerabilities/CVE-2017-17836/53950", "specs": [ ">=0,<1.9.0" ], "v": ">=0,<1.9.0" }, { "advisory": "In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.\r\nhttps://github.com/apache/airflow/pull/2132", "cve": "CVE-2017-15720", "id": "pyup.io-53938", "more_info_path": "/vulnerabilities/CVE-2017-15720/53938", "specs": [ ">=0,<1.9.0" ], "v": ">=0,<1.9.0" }, { "advisory": "In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.", "cve": "CVE-2022-24288", "id": "pyup.io-54244", "more_info_path": "/vulnerabilities/CVE-2022-24288/54244", "specs": [ ">=0,<2.2.4" ], "v": ">=0,<2.2.4" }, { "advisory": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. 
This issue affects Apache Airflow versions 2.2.3 and below.", "cve": "CVE-2021-45229", "id": "pyup.io-54261", "more_info_path": "/vulnerabilities/CVE-2021-45229/54261", "specs": [ ">=0,<2.2.4rc1" ], "v": ">=0,<2.2.4rc1" }, { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Spark Provider installed.", "cve": "CVE-2022-40954", "id": "pyup.io-54588", "more_info_path": "/vulnerabilities/CVE-2022-40954/54588", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). 
Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version.", "cve": "CVE-2022-40189", "id": "pyup.io-54587", "more_info_path": "/vulnerabilities/CVE-2022-40189/54587", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version.", "cve": "CVE-2022-38649", "id": "pyup.io-54586", "more_info_path": "/vulnerabilities/CVE-2022-38649/54586", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Hive Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). 
Note that you need to manually install the Hive Provider version 4.1.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Hive Provider installed.", "cve": "CVE-2022-41131", "id": "pyup.io-54592", "more_info_path": "/vulnerabilities/CVE-2022-41131/54592", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { "advisory": "A vulnerability in the UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.", "cve": "CVE-2022-27949", "id": "pyup.io-54578", "more_info_path": "/vulnerabilities/CVE-2022-27949/54578", "specs": [ ">=0,<2.3.1" ], "v": ">=0,<2.3.1" }, { "advisory": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the '--daemon' flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.", "cve": "CVE-2022-38170", "id": "pyup.io-54525", "more_info_path": "/vulnerabilities/CVE-2022-38170/54525", "specs": [ ">=0,<2.3.4" ], "v": ">=0,<2.3.4" }, { "advisory": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via a manually provided run_id parameter. 
This issue affects Apache Airflow versions prior to 2.4.0.", "cve": "CVE-2022-40127", "id": "pyup.io-54577", "more_info_path": "/vulnerabilities/CVE-2022-40127/54577", "specs": [ ">=0,<2.4.0" ], "v": ">=0,<2.4.0" }, { "advisory": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.", "cve": "CVE-2022-41672", "id": "pyup.io-54508", "more_info_path": "/vulnerabilities/CVE-2022-41672/54508", "specs": [ ">=0,<2.4.1" ], "v": ">=0,<2.4.1" }, { "advisory": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.", "cve": "CVE-2022-43985", "id": "pyup.io-54567", "more_info_path": "/vulnerabilities/CVE-2022-43985/54567", "specs": [ ">=0,<2.4.2" ], "v": ">=0,<2.4.2" }, { "advisory": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.", "cve": "CVE-2022-43982", "id": "pyup.io-54568", "more_info_path": "/vulnerabilities/CVE-2022-43982/54568", "specs": [ ">=0,<2.4.2" ], "v": ">=0,<2.4.2" }, { "advisory": "In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.", "cve": "CVE-2022-45402", "id": "pyup.io-54582", "more_info_path": "/vulnerabilities/CVE-2022-45402/54582", "specs": [ ">=0,<2.4.3" ], "v": ">=0,<2.4.3" }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. 
This issue affects Apache Airflow before 2.5.1 and Apache Airflow MySQL Provider before 4.0.0.", "cve": "CVE-2023-22884", "id": "pyup.io-54620", "more_info_path": "/vulnerabilities/CVE-2023-22884/54620", "specs": [ ">=0,<2.5.1" ], "v": ">=0,<2.5.1" }, { "advisory": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. The traceback contains information that might be useful for a potential attacker to better target their attack (Python/Airflow version, node name). This information should not be shown if a traceback is shown to an unauthenticated user.", "cve": "CVE-2023-25695", "id": "pyup.io-54667", "more_info_path": "/vulnerabilities/CVE-2023-25695/54667", "specs": [ ">=0,<2.5.2" ], "v": ">=0,<2.5.2" }, { "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected.", "cve": "PVE-2024-99905", "id": "pyup.io-64688", "more_info_path": "/vulnerabilities/PVE-2024-99905/64688", "specs": [ ">=0,<2.6.3" ], "v": ">=0,<2.6.3" }, { "advisory": "Apache Airflow, in versions before 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. 
This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2. Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.", "cve": "CVE-2023-48291", "id": "pyup.io-65191", "more_info_path": "/vulnerabilities/CVE-2023-48291/65191", "specs": [ ">=0,<2.8.0b1" ], "v": ">=0,<2.8.0b1" }, { "advisory": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.", "cve": "CVE-2023-50783", "id": "pyup.io-65201", "more_info_path": "/vulnerabilities/CVE-2023-50783/65201", "specs": [ ">=0,<2.8.0b1" ], "v": ">=0,<2.8.0b1" }, { "advisory": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of the \"enable_xcom_pickling=False\" configuration setting, resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.", "cve": "CVE-2023-50943", "id": "pyup.io-65264", "more_info_path": "/vulnerabilities/CVE-2023-50943/65264", "specs": [ ">=0,<2.8.1" ], "v": ">=0,<2.8.1" }, { "advisory": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. 
Users are recommended to upgrade to version 2.8.1, which fixes this issue.", "cve": "CVE-2023-50944", "id": "pyup.io-65265", "more_info_path": "/vulnerabilities/CVE-2023-50944/65265", "specs": [ ">=0,<2.8.1" ], "v": ">=0,<2.8.1" }, { "advisory": "** DISPUTED ** Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewer users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default; they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability.", "cve": "CVE-2024-26280", "id": "pyup.io-68489", "more_info_path": "/vulnerabilities/CVE-2024-26280/68489", "specs": [ ">=0,<2.8.2" ], "v": ">=0,<2.8.2" }, { "advisory": "** DISPUTED ** Apache Airflow is affected by a vulnerability impacting versions before 2.8.2, where authenticated users can access DAG code and import errors for DAGs without required permissions via the API and UI. To mitigate this risk, upgrading to version 2.8.2 or newer is recommended.", "cve": "CVE-2024-27906", "id": "pyup.io-68475", "more_info_path": "/vulnerabilities/CVE-2024-27906/68475", "specs": [ ">=0,<2.8.2" ], "v": ">=0,<2.8.2" }, { "advisory": "Apache-airflow 1.10.15 and 2.0.2 include a fix for CVE-2021-28359: The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in the 1.x series and versions 2.0.0 and 2.0.1 in the 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. 
Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).", "cve": "CVE-2021-28359", "id": "pyup.io-40341", "more_info_path": "/vulnerabilities/CVE-2021-28359/40341", "specs": [ ">=1.0.0a1,<1.10.15", ">=2.0.0a1,<2.0.2" ], "v": ">=1.0.0a1,<1.10.15,>=2.0.0a1,<2.0.2" }, { "advisory": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.", "cve": "CVE-2021-45230", "id": "pyup.io-54733", "more_info_path": "/vulnerabilities/CVE-2021-45230/54733", "specs": [ ">=1.10.0,<2.0.0b1", ">=2.0.0,<2.2.0" ], "v": ">=1.10.0,<2.0.0b1,>=2.0.0,<2.2.0" }, { "advisory": "Certain versions of Apache Airflow and its Celery provider are affected by a vulnerability that results in sensitive information being logged in clear text, specifically when using the rediss, amqp, or rpc protocols as the Celery result backend. The security risk pertains to the exposure of this information within log files. Users are advised to implement upgrades that address this vulnerability to mitigate potential security risks.", "cve": "CVE-2023-46215", "id": "pyup.io-65388", "more_info_path": "/vulnerabilities/CVE-2023-46215/65388", "specs": [ ">=1.10.0,<2.7.0" ], "v": ">=1.10.0,<2.7.0" }, { "advisory": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. 
This issue only affects Apache Airflow 2.0.0.", "cve": "CVE-2021-26697", "id": "pyup.io-54461", "more_info_path": "/vulnerabilities/CVE-2021-26697/54461", "specs": [ ">=2.0.0,<2.0.1" ], "v": ">=2.0.0,<2.0.1" }, { "advisory": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.", "cve": "CVE-2021-26559", "id": "pyup.io-54168", "more_info_path": "/vulnerabilities/CVE-2021-26559/54168", "specs": [ ">=2.0.0,<2.0.1" ], "v": ">=2.0.0,<2.0.1" }, { "advisory": "The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. 
This issue affects Apache Airflow >=2.0.0, <2.1.3.", "cve": "CVE-2021-38540", "id": "pyup.io-54319", "more_info_path": "/vulnerabilities/CVE-2021-38540/54319", "specs": [ ">=2.0.0,<2.1.3" ], "v": ">=2.0.0,<2.1.3" }, { "advisory": "In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.", "cve": "CVE-2022-38054", "id": "pyup.io-54522", "more_info_path": "/vulnerabilities/CVE-2022-38054/54522", "specs": [ ">=2.2.4,<2.3.4rc1" ], "v": ">=2.2.4,<2.3.4rc1" }, { "advisory": "In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.", "cve": "CVE-2022-40604", "id": "pyup.io-54551", "more_info_path": "/vulnerabilities/CVE-2022-40604/54551", "specs": [ ">=2.3.0,<2.4.0b1" ], "v": ">=2.3.0,<2.4.0b1" }, { "advisory": "In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.", "cve": "CVE-2022-40754", "id": "pyup.io-54715", "more_info_path": "/vulnerabilities/CVE-2022-40754/54715", "specs": [ ">=2.3.0,<2.4.0b1" ], "v": ">=2.3.0,<2.4.0b1" }, { "advisory": "A vulnerability has been identified in versions of Airflow where, by using deferrable mode and a Kubernetes configuration file for authentication, the Airflow worker sends this configuration as an unencrypted dictionary to the triggerer, storing it in metadata. This process, coupled with certain Airflow versions, also results in the unmasked logging of the configuration dictionary in the triggerer service. 
Consequently, unauthorized individuals could potentially access and exploit the Kubernetes cluster using the exposed configuration details.", "cve": "CVE-2023-51702", "id": "pyup.io-65395", "more_info_path": "/vulnerabilities/CVE-2023-51702/65395", "specs": [ ">=2.3.0,<2.6.1" ], "v": ">=2.3.0,<2.6.1" }, { "advisory": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via the Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows an authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). 
Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.", "cve": "CVE-2023-46288", "id": "pyup.io-65796", "more_info_path": "/vulnerabilities/CVE-2023-46288/65796", "specs": [ ">=2.4.0,<2.7.0" ], "v": ">=2.4.0,<2.7.0" }, { "advisory": "Affected versions of Apache Airflow have a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model.", "cve": "CVE-2024-39877", "id": "pyup.io-72253", "more_info_path": "/vulnerabilities/CVE-2024-39877/72253", "specs": [ ">=2.4.0,<2.9.3" ], "v": ">=2.4.0,<2.9.3" }, { "advisory": "In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.\r\n\r\nThis vulnerability is mitigated by the fact that configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sensitive.\r\n\r\nThis issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.", "cve": "CVE-2023-35005", "id": "pyup.io-64198", "more_info_path": "/vulnerabilities/CVE-2023-35005/64198", "specs": [ ">=2.5.0,<2.6.2" ], "v": ">=2.5.0,<2.6.2" }, { "advisory": "Apache Airflow, versions 2.6.0 through 2.7.3, has a stored XSS vulnerability that allows a DAG author to add unbounded and unsanitized JavaScript in the parameter description field of the DAG. This JavaScript can be executed on the client side of any user who looks at the tasks in the browser sandbox. While this issue does not allow escaping the browser sandbox or manipulating server-side data - beyond what the DAG author already has access to, it allows modification of what the user looking at the DAG details sees in the browser - which opens up all kinds of possibilities of misleading other users. 
Users of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.", "cve": "CVE-2023-47265", "id": "pyup.io-65188", "more_info_path": "/vulnerabilities/CVE-2023-47265/65188", "specs": [ ">=2.6.0,<2.8.0b1" ], "v": ">=2.6.0,<2.8.0b1" }, { "advisory": "Apache Airflow is vulnerable to unauthorized sensitive configuration information disclosure in select versions when the \"expose_config\" option is set to \"non-sensitive-only\", despite that option being disabled by default. Users are advised to upgrade to a non-affected version to mitigate this issue.", "cve": "CVE-2023-45348", "id": "pyup.io-65389", "more_info_path": "/vulnerabilities/CVE-2023-45348/65389", "specs": [ ">=2.7.0,<2.7.2" ], "v": ">=2.7.0,<2.7.2" }, { "advisory": "Apache Airflow, versions 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had the Airflow UI opened - to trigger the execution of DAGs without the user's consent. 
Users are advised to upgrade to version 2.8.0 or later, which is not affected.", "cve": "CVE-2023-49920", "id": "pyup.io-65198", "more_info_path": "/vulnerabilities/CVE-2023-49920/65198", "specs": [ ">=2.7.0,<2.8.0" ], "v": ">=2.7.0,<2.8.0" }, { "advisory": "Affected versions of Apache Airflow have a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI which they do not have permission to access.", "cve": "CVE-2024-28746", "id": "pyup.io-71633", "more_info_path": "/vulnerabilities/CVE-2024-28746/71633", "specs": [ ">=2.8.0,<2.8.3rc1" ], "v": ">=2.8.0,<2.8.3rc1" } ], "apache-airflow-backport-providers-amazon": [ { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49914", "more_info_path": "/vulnerabilities/CVE-2020-7753/49914", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-49922", "more_info_path": "/vulnerabilities/CVE-2022-24776/49922", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49915", "more_info_path": "/vulnerabilities/CVE-2021-37701/49915", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49916", "more_info_path": "/vulnerabilities/CVE-2021-37712/49916", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions 
ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-49923", "more_info_path": "/vulnerabilities/CVE-2021-32805/49923", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-49924", "more_info_path": "/vulnerabilities/CVE-2021-41265/49924", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-49925", "more_info_path": "/vulnerabilities/CVE-2022-21659/49925", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49928", "more_info_path": "/vulnerabilities/PVE-2022-47833/49928", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-49926", "more_info_path": "/vulnerabilities/CVE-2021-33026/49926", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-49920", "more_info_path": "/vulnerabilities/CVE-2021-35936/49920", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49917", "more_info_path": "/vulnerabilities/CVE-2021-37713/49917", "specs": [ 
"<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49918", "more_info_path": "/vulnerabilities/CVE-2021-23445/49918", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62919", "more_info_path": "/vulnerabilities/CVE-2023-25754/62919", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-49921", "more_info_path": "/vulnerabilities/CVE-2021-29621/49921", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49929", "more_info_path": "/vulnerabilities/CVE-2022-29217/49929", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49919", "more_info_path": "/vulnerabilities/CVE-2021-33502/49919", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-49927", "more_info_path": "/vulnerabilities/CVE-2021-33503/49927", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-apache-beam": [ { "advisory": "apache-airflow-backport-providers-apache-beam 2021.3.13 and prior versions ship with 
vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62920", "more_info_path": "/vulnerabilities/CVE-2023-25754/62920", "specs": [ "<=2021.3.13" ], "v": "<=2021.3.13" } ], "apache-airflow-backport-providers-apache-hive": [ { "advisory": "apache-airflow-backport-providers-apache-hive 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62921", "more_info_path": "/vulnerabilities/CVE-2023-25754/62921", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-apache-hive is affected by CVE-2023-28706.", "cve": "CVE-2023-28706", "id": "pyup.io-59570", "more_info_path": "/vulnerabilities/CVE-2023-28706/59570", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-apache-pinot": [ { "advisory": "apache-airflow-backport-providers-apache-pinot 2020.11.23 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62923", "more_info_path": "/vulnerabilities/CVE-2023-25754/62923", "specs": [ "<=2020.11.23" ], "v": "<=2020.11.23" } ], "apache-airflow-backport-providers-apache-spark": [ { "advisory": "Apache-airflow-backport-providers-apache-spark is affected by CVE-2023-28710.", "cve": "CVE-2023-28710", "id": "pyup.io-59572", "more_info_path": "/vulnerabilities/CVE-2023-28710/59572", "specs": [ "<4.0.1" ], "v": "<4.0.1" }, { "advisory": "Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection, allowing files on the Airflow server to be read.", "cve": "CVE-2023-40272", "id": "pyup.io-65223", "more_info_path": "/vulnerabilities/CVE-2023-40272/65223", "specs": [ "<4.1.3" ], "v": "<4.1.3" }, { "advisory": "Apache-airflow-backport-providers-apache-spark is affected by CVE-2023-40195: Deserialization of Untrusted Data, 
Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\r\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user who is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out explicitly in the documentation, so it is possible that administrators granted authorization to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure the authorization to configure Spark hooks is only granted to fully trusted users.\r\nhttps://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html", "cve": "CVE-2023-40195", "id": "pyup.io-63167", "more_info_path": "/vulnerabilities/CVE-2023-40195/63167", "specs": [ ">=0" ], "v": ">=0" } ], "apache-airflow-backport-providers-cncf-kubernetes": [ { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-49940", "more_info_path": "/vulnerabilities/CVE-2021-41265/49940", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-49936", "more_info_path": "/vulnerabilities/CVE-2021-35936/49936", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49944", "more_info_path": "/vulnerabilities/CVE-2022-29217/49944", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": 
"Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49932", "more_info_path": "/vulnerabilities/CVE-2021-37712/49932", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49945", "more_info_path": "/vulnerabilities/PVE-2022-47833/49945", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-49941", "more_info_path": "/vulnerabilities/CVE-2022-21659/49941", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-49939", "more_info_path": "/vulnerabilities/CVE-2021-32805/49939", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-49938", "more_info_path": "/vulnerabilities/CVE-2022-24776/49938", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49931", "more_info_path": "/vulnerabilities/CVE-2021-37701/49931", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 
1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49933", "more_info_path": "/vulnerabilities/CVE-2021-37713/49933", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49935", "more_info_path": "/vulnerabilities/CVE-2021-33502/49935", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-49942", "more_info_path": "/vulnerabilities/CVE-2021-33026/49942", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62924", "more_info_path": "/vulnerabilities/CVE-2023-25754/62924", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-49937", "more_info_path": "/vulnerabilities/CVE-2021-29621/49937", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49930", "more_info_path": "/vulnerabilities/CVE-2020-7753/49930", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (kubernetes == 11.0.0).", "cve": "CVE-2020-1747", "id": "pyup.io-50010", "more_info_path": "/vulnerabilities/CVE-2020-1747/50010", "specs": [ 
"<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-49943", "more_info_path": "/vulnerabilities/CVE-2021-33503/49943", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49934", "more_info_path": "/vulnerabilities/CVE-2021-23445/49934", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-databricks": [ { "advisory": "apache-airflow-backport-providers-databricks 2020.11.23 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62925", "more_info_path": "/vulnerabilities/CVE-2023-25754/62925", "specs": [ "<=2020.11.23" ], "v": "<=2020.11.23" } ], "apache-airflow-backport-providers-datadog": [ { "advisory": "apache-airflow-backport-providers-datadog 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62926", "more_info_path": "/vulnerabilities/CVE-2023-25754/62926", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-dingding": [ { "advisory": "apache-airflow-backport-providers-dingding 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62927", "more_info_path": "/vulnerabilities/CVE-2023-25754/62927", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-discord": [ { "advisory": "apache-airflow-backport-providers-discord 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62928", 
"more_info_path": "/vulnerabilities/CVE-2023-25754/62928", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-docker": [ { "advisory": "apache-airflow-backport-providers-docker 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62929", "more_info_path": "/vulnerabilities/CVE-2023-25754/62929", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-elasticsearch": [ { "advisory": "apache-airflow-backport-providers-elasticsearch 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62930", "more_info_path": "/vulnerabilities/CVE-2023-25754/62930", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-email": [ { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-49953", "more_info_path": "/vulnerabilities/CVE-2021-29621/49953", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49961", "more_info_path": "/vulnerabilities/PVE-2022-47833/49961", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-49956", "more_info_path": "/vulnerabilities/CVE-2021-41265/49956", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49948", "more_info_path": 
"/vulnerabilities/CVE-2021-37712/49948", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-49954", "more_info_path": "/vulnerabilities/CVE-2022-24776/49954", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-49952", "more_info_path": "/vulnerabilities/CVE-2021-35936/49952", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49946", "more_info_path": "/vulnerabilities/CVE-2020-7753/49946", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-49955", "more_info_path": "/vulnerabilities/CVE-2021-32805/49955", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-49957", "more_info_path": "/vulnerabilities/CVE-2022-21659/49957", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49949", "more_info_path": "/vulnerabilities/CVE-2021-37713/49949", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior 
versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-49958", "more_info_path": "/vulnerabilities/CVE-2021-33026/49958", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49950", "more_info_path": "/vulnerabilities/CVE-2021-23445/49950", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49947", "more_info_path": "/vulnerabilities/CVE-2021-37701/49947", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49951", "more_info_path": "/vulnerabilities/CVE-2021-33502/49951", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-49959", "more_info_path": "/vulnerabilities/CVE-2021-33503/49959", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" }, { "advisory": "Apache-airflow-backport-providers-email 2020.6.24 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49960", "more_info_path": "/vulnerabilities/CVE-2022-29217/49960", "specs": [ "<=2020.6.24" ], "v": "<=2020.6.24" } ], "apache-airflow-backport-providers-exasol": [ { "advisory": "apache-airflow-backport-providers-exasol 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62932", 
"more_info_path": "/vulnerabilities/CVE-2023-25754/62932", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-facebook": [ { "advisory": "apache-airflow-backport-providers-facebook 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62933", "more_info_path": "/vulnerabilities/CVE-2023-25754/62933", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-google": [ { "advisory": "apache-airflow-backport-providers-google 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62934", "more_info_path": "/vulnerabilities/CVE-2023-25754/62934", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-grpc": [ { "advisory": "apache-airflow-backport-providers-grpc 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62935", "more_info_path": "/vulnerabilities/CVE-2023-25754/62935", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-hashicorp": [ { "advisory": "apache-airflow-backport-providers-hashicorp 2021.3.23 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62936", "more_info_path": "/vulnerabilities/CVE-2023-25754/62936", "specs": [ "<=2021.3.23" ], "v": "<=2021.3.23" } ], "apache-airflow-backport-providers-jdbc": [ { "advisory": "apache-airflow-backport-providers-jdbc 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62937", "more_info_path": "/vulnerabilities/CVE-2023-25754/62937", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-jenkins": [ { "advisory": "apache-airflow-backport-providers-jenkins 2021.3.3 and 
prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62938", "more_info_path": "/vulnerabilities/CVE-2023-25754/62938", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-jira": [ { "advisory": "apache-airflow-backport-providers-jira 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62939", "more_info_path": "/vulnerabilities/CVE-2023-25754/62939", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-microsoft-azure": [ { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.13 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-49974", "more_info_path": "/vulnerabilities/CVE-2021-33026/49974", "specs": [ "<=2021.3.13" ], "v": "<=2021.3.13" }, { "advisory": "apache-airflow-backport-providers-microsoft-azure 2021.3.13 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62940", "more_info_path": "/vulnerabilities/CVE-2023-25754/62940", "specs": [ "<=2021.3.13" ], "v": "<=2021.3.13" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49963", "more_info_path": "/vulnerabilities/CVE-2021-37701/49963", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49967", "more_info_path": "/vulnerabilities/CVE-2021-33502/49967", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship 
with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49977", "more_info_path": "/vulnerabilities/PVE-2022-47833/49977", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-49971", "more_info_path": "/vulnerabilities/CVE-2021-32805/49971", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-49970", "more_info_path": "/vulnerabilities/CVE-2022-24776/49970", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-49973", "more_info_path": "/vulnerabilities/CVE-2022-21659/49973", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-49972", "more_info_path": "/vulnerabilities/CVE-2021-41265/49972", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-49968", "more_info_path": "/vulnerabilities/CVE-2021-35936/49968", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49964", "more_info_path": 
"/vulnerabilities/CVE-2021-37712/49964", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49965", "more_info_path": "/vulnerabilities/CVE-2021-37713/49965", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49966", "more_info_path": "/vulnerabilities/CVE-2021-23445/49966", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-49969", "more_info_path": "/vulnerabilities/CVE-2021-29621/49969", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49976", "more_info_path": "/vulnerabilities/CVE-2022-29217/49976", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-49975", "more_info_path": "/vulnerabilities/CVE-2021-33503/49975", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-microsoft-azure 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49962", "more_info_path": "/vulnerabilities/CVE-2020-7753/49962", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], 
"apache-airflow-backport-providers-microsoft-mssql": [ { "advisory": "apache-airflow-backport-providers-microsoft-mssql 2021.3.23 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62941", "more_info_path": "/vulnerabilities/CVE-2023-25754/62941", "specs": [ "<=2021.3.23" ], "v": "<=2021.3.23" } ], "apache-airflow-backport-providers-microsoft-winrm": [ { "advisory": "apache-airflow-backport-providers-microsoft-winrm 2021.3.23 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62942", "more_info_path": "/vulnerabilities/CVE-2023-25754/62942", "specs": [ "<=2021.3.23" ], "v": "<=2021.3.23" } ], "apache-airflow-backport-providers-mongo": [ { "advisory": "apache-airflow-backport-providers-mongo 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62943", "more_info_path": "/vulnerabilities/CVE-2023-25754/62943", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-mysql": [ { "advisory": "apache-airflow-backport-providers-mysql 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62944", "more_info_path": "/vulnerabilities/CVE-2023-25754/62944", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-neo4j": [ { "advisory": "apache-airflow-backport-providers-neo4j 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62945", "more_info_path": "/vulnerabilities/CVE-2023-25754/62945", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-odbc": [ { "advisory": "apache-airflow-backport-providers-odbc 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": 
"CVE-2023-25754", "id": "pyup.io-62946", "more_info_path": "/vulnerabilities/CVE-2023-25754/62946", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-openfaas": [ { "advisory": "apache-airflow-backport-providers-openfaas 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62947", "more_info_path": "/vulnerabilities/CVE-2023-25754/62947", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-opsgenie": [ { "advisory": "apache-airflow-backport-providers-opsgenie 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62948", "more_info_path": "/vulnerabilities/CVE-2023-25754/62948", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-oracle": [ { "advisory": "apache-airflow-backport-providers-oracle 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62949", "more_info_path": "/vulnerabilities/CVE-2023-25754/62949", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-pagerduty": [ { "advisory": "apache-airflow-backport-providers-pagerduty 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62950", "more_info_path": "/vulnerabilities/CVE-2023-25754/62950", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-papermill": [ { "advisory": "apache-airflow-backport-providers-papermill 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62951", "more_info_path": "/vulnerabilities/CVE-2023-25754/62951", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-plexus": [ { 
"advisory": "apache-airflow-backport-providers-plexus 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62952", "more_info_path": "/vulnerabilities/CVE-2023-25754/62952", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-postgres": [ { "advisory": "apache-airflow-backport-providers-postgres 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62953", "more_info_path": "/vulnerabilities/CVE-2023-25754/62953", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-presto": [ { "advisory": "apache-airflow-backport-providers-presto 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62954", "more_info_path": "/vulnerabilities/CVE-2023-25754/62954", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-qubole": [ { "advisory": "apache-airflow-backport-providers-qubole 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62955", "more_info_path": "/vulnerabilities/CVE-2023-25754/62955", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-redis": [ { "advisory": "apache-airflow-backport-providers-redis 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62957", "more_info_path": "/vulnerabilities/CVE-2023-25754/62957", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-salesforce": [ { "advisory": "apache-airflow-backport-providers-salesforce 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62958", "more_info_path": 
"/vulnerabilities/CVE-2023-25754/62958", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-segment": [ { "advisory": "apache-airflow-backport-providers-segment 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62959", "more_info_path": "/vulnerabilities/CVE-2023-25754/62959", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-sendgrid": [ { "advisory": "apache-airflow-backport-providers-sendgrid 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62960", "more_info_path": "/vulnerabilities/CVE-2023-25754/62960", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-sftp": [ { "advisory": "apache-airflow-backport-providers-sftp 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62961", "more_info_path": "/vulnerabilities/CVE-2023-25754/62961", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-singularity": [ { "advisory": "apache-airflow-backport-providers-singularity 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62962", "more_info_path": "/vulnerabilities/CVE-2023-25754/62962", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-slack": [ { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-49988", "more_info_path": "/vulnerabilities/CVE-2021-41265/49988", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow 
== 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49979", "more_info_path": "/vulnerabilities/CVE-2021-37701/49979", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-49987", "more_info_path": "/vulnerabilities/CVE-2021-32805/49987", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49993", "more_info_path": "/vulnerabilities/PVE-2022-47833/49993", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-49989", "more_info_path": "/vulnerabilities/CVE-2022-21659/49989", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-49986", "more_info_path": "/vulnerabilities/CVE-2022-24776/49986", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49981", "more_info_path": "/vulnerabilities/CVE-2021-37713/49981", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-49991", "more_info_path": "/vulnerabilities/CVE-2021-33503/49991", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": 
"Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-49984", "more_info_path": "/vulnerabilities/CVE-2021-35936/49984", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49980", "more_info_path": "/vulnerabilities/CVE-2021-37712/49980", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49983", "more_info_path": "/vulnerabilities/CVE-2021-33502/49983", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62963", "more_info_path": "/vulnerabilities/CVE-2023-25754/62963", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-49990", "more_info_path": "/vulnerabilities/CVE-2021-33026/49990", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-49985", "more_info_path": "/vulnerabilities/CVE-2021-29621/49985", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49992", 
"more_info_path": "/vulnerabilities/CVE-2022-29217/49992", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49978", "more_info_path": "/vulnerabilities/CVE-2020-7753/49978", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-slack 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49982", "more_info_path": "/vulnerabilities/CVE-2021-23445/49982", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-smtp": [ { "advisory": "apache-airflow-backport-providers-smtp 2021.6.24 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62964", "more_info_path": "/vulnerabilities/CVE-2023-25754/62964", "specs": [ "<=2021.6.24" ], "v": "<=2021.6.24" } ], "apache-airflow-backport-providers-snowflake": [ { "advisory": "apache-airflow-backport-providers-snowflake 2021.3.13 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62965", "more_info_path": "/vulnerabilities/CVE-2023-25754/62965", "specs": [ "<=2021.3.13" ], "v": "<=2021.3.13" } ], "apache-airflow-backport-providers-ssh": [ { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37701", "id": "pyup.io-49995", "more_info_path": "/vulnerabilities/CVE-2021-37701/49995", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-37713", "id": "pyup.io-49997", "more_info_path": 
"/vulnerabilities/CVE-2021-37713/49997", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-41265", "id": "pyup.io-50004", "more_info_path": "/vulnerabilities/CVE-2021-41265/50004", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-35936", "id": "pyup.io-50000", "more_info_path": "/vulnerabilities/CVE-2021-35936/50000", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-21659", "id": "pyup.io-50005", "more_info_path": "/vulnerabilities/CVE-2022-21659/50005", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-32805", "id": "pyup.io-50003", "more_info_path": "/vulnerabilities/CVE-2021-32805/50003", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-50009", "more_info_path": "/vulnerabilities/PVE-2022-47833/50009", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2022-24776", "id": "pyup.io-50002", "more_info_path": "/vulnerabilities/CVE-2022-24776/50002", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies 
(apache-airflow == 1.10.15).", "cve": "CVE-2021-37712", "id": "pyup.io-49996", "more_info_path": "/vulnerabilities/CVE-2021-37712/49996", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62966", "more_info_path": "/vulnerabilities/CVE-2023-25754/62966", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", "id": "pyup.io-49994", "more_info_path": "/vulnerabilities/CVE-2020-7753/49994", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-appbuilder == 2.3.4).", "cve": "CVE-2021-29621", "id": "pyup.io-50001", "more_info_path": "/vulnerabilities/CVE-2021-29621/50001", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-50008", "more_info_path": "/vulnerabilities/CVE-2022-29217/50008", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-33502", "id": "pyup.io-49999", "more_info_path": "/vulnerabilities/CVE-2021-33502/49999", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", "id": "pyup.io-50007", "more_info_path": "/vulnerabilities/CVE-2021-33503/50007", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": 
"Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2021-23445", "id": "pyup.io-49998", "more_info_path": "/vulnerabilities/CVE-2021-23445/49998", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" }, { "advisory": "Apache-airflow-backport-providers-ssh 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", "cve": "CVE-2021-33026", "id": "pyup.io-50006", "more_info_path": "/vulnerabilities/CVE-2021-33026/50006", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-tableau": [ { "advisory": "apache-airflow-backport-providers-tableau 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62967", "more_info_path": "/vulnerabilities/CVE-2023-25754/62967", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-telegram": [ { "advisory": "apache-airflow-backport-providers-telegram 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62968", "more_info_path": "/vulnerabilities/CVE-2023-25754/62968", "specs": [ "<=2021.3.3" ], "v": "<=2021.3.3" } ], "apache-airflow-backport-providers-vertica": [ { "advisory": "apache-airflow-backport-providers-vertica 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62969", "more_info_path": "/vulnerabilities/CVE-2023-25754/62969", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-backport-providers-yandex": [ { "advisory": "apache-airflow-backport-providers-yandex 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62970", "more_info_path": "/vulnerabilities/CVE-2023-25754/62970", "specs": [ "<=2021.3.17" ], "v": 
"<=2021.3.17" } ], "apache-airflow-backport-providers-zendesk": [ { "advisory": "apache-airflow-backport-providers-zendesk 2021.3.17 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2023-25754", "id": "pyup.io-62971", "more_info_path": "/vulnerabilities/CVE-2023-25754/62971", "specs": [ "<=2021.3.17" ], "v": "<=2021.3.17" } ], "apache-airflow-providers-airbyte": [ { "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49837", "more_info_path": "/vulnerabilities/CVE-2022-29217/49837", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49836", "more_info_path": "/vulnerabilities/PVE-2022-47833/49836", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49838", "more_info_path": "/vulnerabilities/PVE-2021-42852/49838", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-amazon": [ { "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49835", "more_info_path": "/vulnerabilities/PVE-2021-42852/49835", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49833", "more_info_path": "/vulnerabilities/PVE-2022-47833/49833", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { "advisory": "Apache-airflow-providers-amazon 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": 
"pyup.io-49834", "more_info_path": "/vulnerabilities/CVE-2022-29217/49834", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { "advisory": "Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.", "cve": "CVE-2023-25956", "id": "pyup.io-54663", "more_info_path": "/vulnerabilities/CVE-2023-25956/54663", "specs": [ ">=0,<7.2.1" ], "v": ">=0,<7.2.1" } ], "apache-airflow-providers-apache-drill": [ { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider. This issue affects Apache Airflow Drill Provider before 2.3.2.\r\nhttps://github.com/apache/airflow/pull/30215", "cve": "CVE-2023-28707", "id": "pyup.io-59573", "more_info_path": "/vulnerabilities/CVE-2023-28707/59573", "specs": [ "<2.3.2" ], "v": "<2.3.2" }, { "advisory": "Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook allowing reading files on the Airflow server.", "cve": "CVE-2023-39553", "id": "pyup.io-65022", "more_info_path": "/vulnerabilities/CVE-2023-39553/65022", "specs": [ "<2.4.3" ], "v": "<2.4.3" } ], "apache-airflow-providers-apache-hdfs": [ { "advisory": "In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation\u00a0info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. 
The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1.", "cve": "CVE-2023-41267", "id": "pyup.io-65529", "more_info_path": "/vulnerabilities/CVE-2023-41267/65529", "specs": [ "<4.1.1" ], "v": "<4.1.1" }, { "advisory": "Apache-airflow-providers-apache-hdfs 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49818", "more_info_path": "/vulnerabilities/PVE-2022-47833/49818", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-hdfs 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49820", "more_info_path": "/vulnerabilities/PVE-2021-42852/49820", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-hdfs 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49819", "more_info_path": "/vulnerabilities/CVE-2022-29217/49819", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-apache-hive": [ { "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Hive Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). 
Note that you need to manually install the Hive Provider version 4.1.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Hive Provider installed.", "cve": "CVE-2022-41131", "id": "pyup.io-72000", "more_info_path": "/vulnerabilities/CVE-2022-41131/72000", "specs": [ "<4.1.0" ], "v": "<4.1.0" }, { "advisory": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider before 6.0.0.", "cve": "CVE-2023-28706", "id": "pyup.io-59569", "more_info_path": "/vulnerabilities/CVE-2023-28706/59569", "specs": [ "<6.0.0" ], "v": "<6.0.0" }, { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. It was possible to bypass the security check to RCE via the principal parameter. For this to be exploited it requires access to modify the connection details.", "cve": "CVE-2023-35797", "id": "pyup.io-65023", "more_info_path": "/vulnerabilities/CVE-2023-35797/65023", "specs": [ "<6.1.1" ], "v": "<6.1.1" }, { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. 
The fix for CVE-2023-35797 was incomplete: the proxy_user option can also inject semicolon.", "cve": "CVE-2023-37415", "id": "pyup.io-71999", "more_info_path": "/vulnerabilities/CVE-2023-37415/71999", "specs": [ "<6.1.2" ], "v": "<6.1.2" }, { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.", "cve": "PVE-2024-99896", "id": "pyup.io-64994", "more_info_path": "/vulnerabilities/PVE-2024-99896/64994", "specs": [ "<6.1.2" ], "v": "<6.1.2" }, { "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49869", "more_info_path": "/vulnerabilities/PVE-2022-47833/49869", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49871", "more_info_path": "/vulnerabilities/PVE-2021-42852/49871", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49870", "more_info_path": "/vulnerabilities/CVE-2022-29217/49870", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider before 5.0.0.\r\nhttps://github.com/apache/airflow/pull/28101", "cve": "CVE-2022-46421", "id": "pyup.io-54602", "more_info_path": "/vulnerabilities/CVE-2022-46421/54602", "specs": [ ">=0,<5.0.0" ], "v": ">=0,<5.0.0" }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Hive Provider. 
This issue affects Apache Airflow Hive Provider versions before 5.1.3.", "cve": "CVE-2023-25696", "id": "pyup.io-54657", "more_info_path": "/vulnerabilities/CVE-2023-25696/54657", "specs": [ ">=0,<5.1.3" ], "v": ">=0,<5.1.3" } ], "apache-airflow-providers-apache-livy": [ { "advisory": "Apache-airflow-providers-apache-livy 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49890", "more_info_path": "/vulnerabilities/PVE-2022-47833/49890", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-livy 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49892", "more_info_path": "/vulnerabilities/PVE-2021-42852/49892", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-livy 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49891", "more_info_path": "/vulnerabilities/CVE-2022-29217/49891", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-apache-spark": [ { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider. 
This issue affects Apache Airflow Spark Provider before 4.0.1.", "cve": "CVE-2023-28710", "id": "pyup.io-59571", "more_info_path": "/vulnerabilities/CVE-2023-28710/59571", "specs": [ "<4.0.1" ], "v": "<4.0.1" }, { "advisory": "Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection allowing reading files on the Airflow server.", "cve": "CVE-2023-40272", "id": "pyup.io-65224", "more_info_path": "/vulnerabilities/CVE-2023-40272/65224", "specs": [ "<4.1.3" ], "v": "<4.1.3" }, { "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49847", "more_info_path": "/vulnerabilities/PVE-2021-42852/49847", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49845", "more_info_path": "/vulnerabilities/PVE-2022-47833/49845", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49846", "more_info_path": "/vulnerabilities/CVE-2022-29217/49846", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-apache-spark is affected by CVE-2023-40195: Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\r\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. 
Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend that administrators review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\r\nhttps://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html", "cve": "CVE-2023-40195", "id": "pyup.io-63166", "more_info_path": "/vulnerabilities/CVE-2023-40195/63166", "specs": [ ">=0" ], "v": ">=0" } ], "apache-airflow-providers-apache-sqoop": [ { "advisory": "Apache Airflow Sqoop Provider versions before 4.0.0 are affected by a vulnerability that allows an attacker to pass parameters with the connections, which makes it possible to implement RCE attacks via \u2018sqoop import --connect\u2019, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.", "cve": "CVE-2023-27604", "id": "pyup.io-64556", "more_info_path": "/vulnerabilities/CVE-2023-27604/64556", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.\r\nhttps://github.com/apache/airflow/pull/29500", "cve": "CVE-2023-25693", "id": "pyup.io-54658", "more_info_path": "/vulnerabilities/CVE-2023-25693/54658", "specs": [ ">=0,<3.1.1" ], "v": ">=0,<3.1.1" } ], "apache-airflow-providers-celery": [ { "advisory": "Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. 
Sensitive information is logged as clear text when the rediss, amqp, or rpc protocols are used as the Celery result backend. Note: the vulnerability is about the information exposed in the logs, not about accessing the logs.", "cve": "CVE-2023-46215", "id": "pyup.io-71726", "more_info_path": "/vulnerabilities/CVE-2023-46215/71726", "specs": [ "<3.4.1" ], "v": "<3.4.1" }, { "advisory": "Apache-airflow-providers-celery 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49857", "more_info_path": "/vulnerabilities/PVE-2022-47833/49857", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-celery 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49858", "more_info_path": "/vulnerabilities/CVE-2022-29217/49858", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-celery 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49859", "more_info_path": "/vulnerabilities/PVE-2021-42852/49859", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-cloudant": [ { "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49843", "more_info_path": "/vulnerabilities/CVE-2022-29217/49843", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49844", "more_info_path": "/vulnerabilities/PVE-2021-42852/49844", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49842", "more_info_path": 
"/vulnerabilities/PVE-2022-47833/49842", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-cncf-kubernetes": [ { "advisory": "Arbitrary code execution in Apache Airflow CNCF Kubernetes provider allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner.", "cve": "CVE-2023-33234", "id": "pyup.io-64194", "more_info_path": "/vulnerabilities/CVE-2023-33234/64194", "specs": [ ">=5.0.0,<7.0.0" ], "v": ">=5.0.0,<7.0.0" }, { "advisory": "A vulnerability has been identified in versions of Airflow where, by using deferrable mode and a Kubernetes configuration file for authentication, the Airflow worker sends this configuration as an unencrypted dictionary to the triggerer, storing it in metadata. This process, coupled with certain Airflow versions, also results in the unmasked logging of the configuration dictionary in the triggerer service. 
Consequently, unauthorized individuals could potentially access and exploit the Kubernetes cluster using the exposed configuration details.", "cve": "CVE-2023-51702", "id": "pyup.io-65396", "more_info_path": "/vulnerabilities/CVE-2023-51702/65396", "specs": [ ">=5.2.0,<7.0.0" ], "v": ">=5.2.0,<7.0.0" } ], "apache-airflow-providers-databricks": [ { "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49824", "more_info_path": "/vulnerabilities/PVE-2022-47833/49824", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49826", "more_info_path": "/vulnerabilities/PVE-2021-42852/49826", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49825", "more_info_path": "/vulnerabilities/CVE-2022-29217/49825", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-datadog": [ { "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49887", "more_info_path": "/vulnerabilities/PVE-2022-47833/49887", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49888", "more_info_path": "/vulnerabilities/CVE-2022-29217/49888", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49889", "more_info_path": 
"/vulnerabilities/PVE-2021-42852/49889", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-docker": [ { "advisory": "Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.\r\nhttps://hackerone.com/reports/1671140", "cve": "CVE-2022-38362", "id": "pyup.io-62534", "more_info_path": "/vulnerabilities/CVE-2022-38362/62534", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49817", "more_info_path": "/vulnerabilities/PVE-2021-42852/49817", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49816", "more_info_path": "/vulnerabilities/CVE-2022-29217/49816", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49815", "more_info_path": "/vulnerabilities/PVE-2022-47833/49815", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-ftp": [ { "advisory": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. 
Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.", "cve": "CVE-2024-29733", "id": "pyup.io-70645", "more_info_path": "/vulnerabilities/CVE-2024-29733/70645", "specs": [ "<3.7.0" ], "v": "<3.7.0" } ], "apache-airflow-providers-google": [ { "advisory": "apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49884", "more_info_path": "/vulnerabilities/PVE-2022-47833/49884", "specs": [ "<=8.1.0" ], "v": "<=8.1.0" }, { "advisory": "Apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49886", "more_info_path": "/vulnerabilities/PVE-2021-42852/49886", "specs": [ "<=8.1.0" ], "v": "<=8.1.0" }, { "advisory": "Apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49885", "more_info_path": "/vulnerabilities/CVE-2022-29217/49885", "specs": [ "<=8.1.0" ], "v": "<=8.1.0" }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.\r\nhttps://github.com/apache/airflow/pull/29499", "cve": "CVE-2023-25692", "id": "pyup.io-54664", "more_info_path": "/vulnerabilities/CVE-2023-25692/54664", "specs": [ ">=0,<8.10.0" ], "v": ">=0,<8.10.0" }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Google Provider. 
This issue affects Apache Airflow Google Provider versions before 8.10.0.\r\nhttps://github.com/apache/airflow/pull/29497", "cve": "CVE-2023-25691", "id": "pyup.io-54665", "more_info_path": "/vulnerabilities/CVE-2023-25691/54665", "specs": [ ">=0,<8.10.0" ], "v": ">=0,<8.10.0" } ], "apache-airflow-providers-jdbc": [ { "advisory": "Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection\u2019s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.", "cve": "CVE-2023-22886", "id": "pyup.io-62889", "more_info_path": "/vulnerabilities/CVE-2023-22886/62889", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49880", "more_info_path": "/vulnerabilities/PVE-2021-42852/49880", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49879", "more_info_path": "/vulnerabilities/CVE-2022-29217/49879", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49878", "more_info_path": "/vulnerabilities/PVE-2022-47833/49878", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-jenkins": [ { "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49814", "more_info_path": "/vulnerabilities/PVE-2021-42852/49814", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { 
"advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49812", "more_info_path": "/vulnerabilities/PVE-2022-47833/49812", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49813", "more_info_path": "/vulnerabilities/CVE-2022-29217/49813", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-jira": [ { "advisory": "Apache-airflow-providers-jira 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49854", "more_info_path": "/vulnerabilities/PVE-2022-47833/49854", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-jira 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49856", "more_info_path": "/vulnerabilities/PVE-2021-42852/49856", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-jira 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49855", "more_info_path": "/vulnerabilities/CVE-2022-29217/49855", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-microsoft-azure": [ { "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49877", "more_info_path": "/vulnerabilities/PVE-2021-42852/49877", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49875", "more_info_path": "/vulnerabilities/PVE-2022-47833/49875", "specs": [ 
"<=4.0.0" ], "v": "<=4.0.0" }, { "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49876", "more_info_path": "/vulnerabilities/CVE-2022-29217/49876", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" } ], "apache-airflow-providers-microsoft-mssql": [ { "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to upgrade to a version that is not affected.", "cve": "CVE-2023-35798", "id": "pyup.io-64199", "more_info_path": "/vulnerabilities/CVE-2023-35798/64199", "specs": [ "<3.4.1" ], "v": "<3.4.1" }, { "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49828", "more_info_path": "/vulnerabilities/CVE-2022-29217/49828", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49829", "more_info_path": "/vulnerabilities/PVE-2021-42852/49829", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49827", "more_info_path": "/vulnerabilities/PVE-2022-47833/49827", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-mongo": [ { "advisory": 
"Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49808", "more_info_path": "/vulnerabilities/PVE-2021-42852/49808", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49806", "more_info_path": "/vulnerabilities/PVE-2022-47833/49806", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-mongo 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49807", "more_info_path": "/vulnerabilities/CVE-2022-29217/49807", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "When SSL was enabled for Mongo Hook, the default settings included \"allow_insecure\", which caused certificates not to be validated. This was unexpected and undocumented.", "cve": "CVE-2024-25141", "id": "pyup.io-66701", "more_info_path": "/vulnerabilities/CVE-2024-25141/66701", "specs": [ ">=1.0.0,<4.0.0" ], "v": ">=1.0.0,<4.0.0" } ], "apache-airflow-providers-mysql": [ { "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49830", "more_info_path": "/vulnerabilities/PVE-2022-47833/49830", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49832", "more_info_path": "/vulnerabilities/PVE-2021-42852/49832", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49831", "more_info_path": "/vulnerabilities/CVE-2022-29217/49831", "specs": [ 
"<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow before 2.5.1 and Apache Airflow MySQL Provider before 4.0.0.", "cve": "CVE-2023-22884", "id": "pyup.io-54621", "more_info_path": "/vulnerabilities/CVE-2023-22884/54621", "specs": [ ">=0,<4.0.0" ], "v": ">=0,<4.0.0" } ], "apache-airflow-providers-odbc": [ { "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider. This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to upgrade to a version that is not affected.", "cve": "CVE-2023-35798", "id": "pyup.io-64200", "more_info_path": "/vulnerabilities/CVE-2023-35798/64200", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting with version 4.0.0, the driver can be set only from the hook constructor. 
This issue affects Apache Airflow ODBC Provider: before 4.0.0.", "cve": "CVE-2023-34395", "id": "pyup.io-64201", "more_info_path": "/vulnerabilities/CVE-2023-34395/64201", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49895", "more_info_path": "/vulnerabilities/PVE-2021-42852/49895", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49893", "more_info_path": "/vulnerabilities/PVE-2022-47833/49893", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49894", "more_info_path": "/vulnerabilities/CVE-2022-29217/49894", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-oracle": [ { "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49866", "more_info_path": "/vulnerabilities/PVE-2022-47833/49866", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" }, { "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49868", "more_info_path": "/vulnerabilities/PVE-2021-42852/49868", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" }, { "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49867", "more_info_path": "/vulnerabilities/CVE-2022-29217/49867", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" } ], "apache-airflow-providers-pagerduty": [ { "advisory": "Apache-airflow-providers-pagerduty 3.0.0 
and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49862", "more_info_path": "/vulnerabilities/PVE-2021-42852/49862", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49860", "more_info_path": "/vulnerabilities/PVE-2022-47833/49860", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49861", "more_info_path": "/vulnerabilities/CVE-2022-29217/49861", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-plexus": [ { "advisory": "Apache-airflow-providers-plexus 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49841", "more_info_path": "/vulnerabilities/PVE-2021-42852/49841", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-plexus 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49840", "more_info_path": "/vulnerabilities/CVE-2022-29217/49840", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-plexus 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49839", "more_info_path": "/vulnerabilities/PVE-2022-47833/49839", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-postgres": [ { "advisory": "Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49822", "more_info_path": "/vulnerabilities/CVE-2022-29217/49822", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" }, { "advisory": 
"Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49821", "more_info_path": "/vulnerabilities/PVE-2022-47833/49821", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" }, { "advisory": "Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49823", "more_info_path": "/vulnerabilities/PVE-2021-42852/49823", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" } ], "apache-airflow-providers-presto": [ { "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49863", "more_info_path": "/vulnerabilities/PVE-2022-47833/49863", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49865", "more_info_path": "/vulnerabilities/PVE-2021-42852/49865", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49864", "more_info_path": "/vulnerabilities/CVE-2022-29217/49864", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-redis": [ { "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49872", "more_info_path": "/vulnerabilities/PVE-2022-47833/49872", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49873", "more_info_path": "/vulnerabilities/CVE-2022-29217/49873", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { 
"advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49874", "more_info_path": "/vulnerabilities/PVE-2021-42852/49874", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-sendgrid": [ { "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49809", "more_info_path": "/vulnerabilities/PVE-2022-47833/49809", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49811", "more_info_path": "/vulnerabilities/PVE-2021-42852/49811", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49810", "more_info_path": "/vulnerabilities/CVE-2022-29217/49810", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-sftp": [ { "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49901", "more_info_path": "/vulnerabilities/PVE-2021-42852/49901", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49900", "more_info_path": "/vulnerabilities/CVE-2022-29217/49900", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49899", "more_info_path": "/vulnerabilities/PVE-2022-47833/49899", "specs": [ "<=3.0.0" ], "v": 
"<=3.0.0" } ], "apache-airflow-providers-slack": [ { "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49851", "more_info_path": "/vulnerabilities/PVE-2022-47833/49851", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" }, { "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49853", "more_info_path": "/vulnerabilities/PVE-2021-42852/49853", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" }, { "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49852", "more_info_path": "/vulnerabilities/CVE-2022-29217/49852", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" } ], "apache-airflow-providers-snowflake": [ { "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49849", "more_info_path": "/vulnerabilities/CVE-2022-29217/49849", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49850", "more_info_path": "/vulnerabilities/PVE-2021-42852/49850", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-snowflake 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49848", "more_info_path": "/vulnerabilities/PVE-2022-47833/49848", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-ssh": [ { "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49898", "more_info_path": 
"/vulnerabilities/PVE-2021-42852/49898", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49896", "more_info_path": "/vulnerabilities/PVE-2022-47833/49896", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49897", "more_info_path": "/vulnerabilities/CVE-2022-29217/49897", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-tableau": [ { "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49881", "more_info_path": "/vulnerabilities/PVE-2022-47833/49881", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49883", "more_info_path": "/vulnerabilities/PVE-2021-42852/49883", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49882", "more_info_path": "/vulnerabilities/CVE-2022-29217/49882", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-airflow-providers-telegram": [ { "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", "id": "pyup.io-49803", "more_info_path": "/vulnerabilities/PVE-2022-47833/49803", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", "id": "pyup.io-49805", 
"more_info_path": "/vulnerabilities/PVE-2021-42852/49805", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { "advisory": "Apache-airflow-providers-telegram 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", "id": "pyup.io-49804", "more_info_path": "/vulnerabilities/CVE-2022-29217/49804", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], "apache-beam": [ { "advisory": "Apache-beam 2.54.0", "cve": "PVE-2023-63060", "id": "pyup.io-63060", "more_info_path": "/vulnerabilities/PVE-2023-63060/63060", "specs": [ "<2.54.0" ], "v": "<2.54.0" } ], "apache-dolphinscheduler": [ { "advisory": "Prior to version 1.3.6, Apache DolphinScheduler had an issue where authorized users could exploit SQL injections in the data source center. However, this is only the case for MySQL data sources that use an internal login account password. The Python library PyDolphinScheduler generally follows the same versioning as its Java counterpart. This remains the case until November 7, 2022, or until PyDolphinScheduler reached version 4.0.0.\r\n\r\nhttps://dolphinscheduler.apache.org/python/main/index.html#version", "cve": "CVE-2021-27644", "id": "pyup.io-62671", "more_info_path": "/vulnerabilities/CVE-2021-27644/62671", "specs": [ "<1.3.6" ], "v": "<1.3.6" }, { "advisory": "Users have the ability to access any files through the log server. Apache-dolphinscheduler 2.0.5 (Python SDK) corresponds to DolphinScheduler version 2.0.5 Therefore, it is strongly recommended for users of Apache DolphinScheduler to update to version 2.0.6 or above. \r\n\r\nAlso known as: GHSA-vpgf-fgm8-gxr2", "cve": "CVE-2022-26884", "id": "pyup.io-62525", "more_info_path": "/vulnerabilities/CVE-2022-26884/62525", "specs": [ "<2.0.6" ], "v": "<2.0.6" }, { "advisory": "A vulnerability exists while utilizing tasks to view configuration files, leading to possible leak of database passwords. Apache-dolphinscheduler 2.0.5 (Python SDK) corresponds to DolphinScheduler version 2.0.5. 
It's advised to update to version 2.0.6 or beyond. \r\n\r\nAdvisory Alias: GHSA-jvc3-wjf6-7c6c", "cve": "CVE-2022-26885", "id": "pyup.io-62526", "more_info_path": "/vulnerabilities/CVE-2022-26885/62526", "specs": [ "<2.0.6" ], "v": "<2.0.6" }, { "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.", "cve": "CVE-2018-11307", "id": "pyup.io-50544", "more_info_path": "/vulnerabilities/CVE-2018-11307/50544", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which is vulnerable to path traversal.", "cve": "CVE-2022-34662", "id": "pyup.io-62760", "more_info_path": "/vulnerabilities/CVE-2022-34662/62760", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, which updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.", "cve": "CVE-2022-26520", "id": "pyup.io-49234", "more_info_path": "/vulnerabilities/CVE-2022-26520/49234", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.0.2 works together with apache-dolphinscheduler (core) 3.0.2, that is vulnerable to improper validation of script alert plugin parameters, which could lead to remote command execution.", "cve": "CVE-2022-45875", "id": "pyup.io-62774", "more_info_path": "/vulnerabilities/CVE-2022-45875/62774", "specs": [ "<3.0.2" ], "v": "<3.0.2" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "cve": "CVE-2021-23463", "id": "pyup.io-51310", "more_info_path": "/vulnerabilities/CVE-2021-23463/51310", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler 
(Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'cron-utils' to v9.1.6 to include a security fix.", "cve": "CVE-2021-41269", "id": "pyup.io-51307", "more_info_path": "/vulnerabilities/CVE-2021-41269/51307", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that fixes a vulnerability in LDAP login.\r\nhttps://github.com/apache/dolphinscheduler/commit/17a9dd25fa0e80b048394f79db130f56eb8ef72f", "cve": "PVE-2022-51292", "id": "pyup.io-51292", "more_info_path": "/vulnerabilities/PVE-2022-51292/51292", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'logback-core' to v 1.2.11 to include security fixes.", "cve": "CVE-2021-42550", "id": "pyup.io-51313", "more_info_path": "/vulnerabilities/CVE-2021-42550/51313", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "cve": "CVE-2022-23221", "id": "pyup.io-51308", "more_info_path": "/vulnerabilities/CVE-2022-23221/51308", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'h2' to v2.1.210 to include security fixes.", "cve": "CVE-2021-42392", "id": "pyup.io-51309", "more_info_path": "/vulnerabilities/CVE-2021-42392/51309", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that adds validations of possible malicious 
keys.\r\nhttps://github.com/apache/dolphinscheduler/commit/5811b84fcc7cc0ff354cf8e871f36aa3ae61aa2a", "cve": "PVE-2022-51304", "id": "pyup.io-51304", "more_info_path": "/vulnerabilities/PVE-2022-51304/51304", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'commons-io' to v2.11.0 to include a security fix.", "cve": "CVE-2021-29425", "id": "pyup.io-51314", "more_info_path": "/vulnerabilities/CVE-2021-29425/51314", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'postgresql' to v42.4.1 to include a security fix.", "cve": "CVE-2022-31197", "id": "pyup.io-51311", "more_info_path": "/vulnerabilities/CVE-2022-31197/51311", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hadoop' to v2.7.7 to include security fixes.", "cve": "CVE-2018-8009", "id": "pyup.io-51306", "more_info_path": "/vulnerabilities/CVE-2018-8009/51306", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hive-jdbc' to v2.3.3 to include a security fix.", "cve": "CVE-2018-1282", "id": "pyup.io-51312", "more_info_path": "/vulnerabilities/CVE-2018-1282/51312", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": "Apache-dolphinscheduler (Python API) 3.1.0 works together with apache-dolphinscheduler (core) 3.1.0, that updates its MAVEN dependency 'hadoop' to v2.7.7 to include security fixes.", "cve": "CVE-2017-15718", "id": "pyup.io-51305", "more_info_path": "/vulnerabilities/CVE-2017-15718/51305", "specs": [ "<3.1.0" ], "v": "<3.1.0" }, { "advisory": 
"Apache-dolphinscheduler 2.0.5 (Python SDK) corresponds to DolphinScheduler version 2.0.5, that fixes CVE-2022-25598:\r\nApache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks.", "cve": "CVE-2022-25598", "id": "pyup.io-54431", "more_info_path": "/vulnerabilities/CVE-2022-25598/54431", "specs": [ ">=0,<2.0.5" ], "v": ">=0,<2.0.5" } ], "apache-flink": [ { "advisory": "Apache-flink 1.14.2 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/apache/flink/commit/361ce6591069b2f7317f1c181cdaf7965615415c", "cve": "CVE-2021-44228", "id": "pyup.io-43416", "more_info_path": "/vulnerabilities/CVE-2021-44228/43416", "specs": [ "<1.14.2" ], "v": "<1.14.2" }, { "advisory": "Apache-flink 1.14.2 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/apache/flink/commit/361ce6591069b2f7317f1c181cdaf7965615415c", "cve": "CVE-2021-45046", "id": "pyup.io-43417", "more_info_path": "/vulnerabilities/CVE-2021-45046/43417", "specs": [ "<1.14.2" ], "v": "<1.14.2" }, { "advisory": "Apache-flink 1.14.3 updates its dependency 'log4j' to v2.17.1 to include security fixes.\r\nhttps://github.com/apache/flink/pull/18228/commits/f28e12599cfde7b41e341e4466fdbd2ad3604d82", "cve": "CVE-2021-45105", "id": "pyup.io-43436", "more_info_path": "/vulnerabilities/CVE-2021-45105/43436", "specs": [ "<1.14.3" ], "v": "<1.14.3" }, { "advisory": "Apache-flink 1.14.3 updates its dependency 'log4j' to v2.17.1 to include security fixes.\r\nhttps://github.com/apache/flink/pull/18228/commits/f28e12599cfde7b41e341e4466fdbd2ad3604d82", "cve": "CVE-2021-44832", "id": "pyup.io-44453", "more_info_path": "/vulnerabilities/CVE-2021-44832/44453", "specs": [ "<1.14.3" ], "v": "<1.14.3" } ], "apache-iotdb": [ { "advisory": "Apache IoTDB version 0.13.0 is vulnerable by session id attack. 
Users should upgrade to version 0.13.1, which addresses this issue.\r\nAlias:\r\nGHSA-g6vm-3ch8-c6jq", "cve": "CVE-2022-38369", "id": "pyup.io-62764", "more_info_path": "/vulnerabilities/CVE-2022-38369/62764", "specs": [ "<0.13.1" ], "v": "<0.13.1" }, { "advisory": "Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.", "cve": "CVE-2023-46226", "id": "pyup.io-70407", "more_info_path": "/vulnerabilities/CVE-2023-46226/70407", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB. This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.", "cve": "CVE-2023-30771", "id": "pyup.io-64184", "more_info_path": "/vulnerabilities/CVE-2023-30771/64184", "specs": [ "==0.13.3" ], "v": "==0.13.3" }, { "advisory": "Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. 
Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.\r\n\r\nAlias(es):\r\nGHSA-g6hg-4v3c-6jq7\r\nPYSEC-2022-42972", "cve": "CVE-2022-43766", "id": "pyup.io-62772", "more_info_path": "/vulnerabilities/CVE-2022-43766/62772", "specs": [ ">=0.12.2,<=0.12.6", ">=0.13.0,<=0.13.2" ], "v": ">=0.12.2,<=0.12.6,>=0.13.0,<=0.13.2" } ], "apache-libcloud": [ { "advisory": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.", "cve": "CVE-2012-3446", "id": "pyup.io-25628", "more_info_path": "/vulnerabilities/CVE-2012-3446/25628", "specs": [ "<0.11.1" ], "v": "<0.11.1" }, { "advisory": "Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.", "cve": "CVE-2013-6480", "id": "pyup.io-25629", "more_info_path": "/vulnerabilities/CVE-2013-6480/25629", "specs": [ "<0.13.3" ], "v": "<0.13.3" }, { "advisory": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack.", "cve": "CVE-2010-4340", "id": "pyup.io-35343", "more_info_path": "/vulnerabilities/CVE-2010-4340/35343", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "apache-skywalking": [ { "advisory": "This vulnerability in Apache SkyWalking affects versions before 8.1.0 with H2, MySQL, or TiDB storage and involves SQL injection risks in wildcard query cases.", "cve": "CVE-2020-13921", "id": "pyup.io-66880", "more_info_path": "/vulnerabilities/CVE-2020-13921/66880", "specs": [ ">=0,<8.1.0" ], "v": ">=0,<8.1.0" } ], "apache-submarine": [ { "advisory": "Apache 
Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2022-1471. Apache Submarine uses JAXRS to define REST endpoints. In order to handle YAML requests (using application/yaml content-type), it defines a YamlEntityProvider entity provider that will process all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`. We have now fixed this issue in the new version by replacing to `jackson-dataformat-yaml`. This issue affects Apache Submarine: from 0.7.0 before 0.8.0.\u00a0Users are recommended to upgrade to version 0.8.0, which fixes this issue.If using the version smaller than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submart-server image to fix this.", "cve": "CVE-2023-46302", "id": "pyup.io-70898", "more_info_path": "/vulnerabilities/CVE-2023-46302/70898", "specs": [ ">=0.7.0,<0.8.0" ], "v": ">=0.7.0,<0.8.0" } ], "apache-superset": [ { "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).", "cve": "PVE-2021-39494", "id": "pyup.io-39494", "more_info_path": "/vulnerabilities/PVE-2021-39494/39494", "specs": [ "<0.14.0" ], "v": "<0.14.0" }, { "advisory": "Apache-superset version 0.17.5 adds a csrf_token api endpoint.", "cve": "PVE-2021-41794", "id": "pyup.io-41794", "more_info_path": "/vulnerabilities/PVE-2021-41794/41794", "specs": [ "<0.17.5" ], "v": "<0.17.5" }, { "advisory": "Apache-superset 0.25.0 refactors security code into SupersetSecurityManager (#4565).", "cve": "PVE-2021-39488", "id": "pyup.io-39488", "more_info_path": "/vulnerabilities/PVE-2021-39488/39488", "specs": [ "<0.25.0" ], "v": "<0.25.0" }, { "advisory": "Apache-superset 0.28.0rc5 moves set/merge perm to security manager 
(#5684).", "cve": "PVE-2021-39485", "id": "pyup.io-39485", "more_info_path": "/vulnerabilities/PVE-2021-39485/39485", "specs": [ "<0.28.0rc5" ], "v": "<0.28.0rc5" }, { "advisory": "Apache-superset 0.29.0rc8 secures unsecured views and prevent regressions (#6553).", "cve": "PVE-2021-39484", "id": "pyup.io-39484", "more_info_path": "/vulnerabilities/PVE-2021-39484/39484", "specs": [ "<0.29.0rc8" ], "v": "<0.29.0rc8" }, { "advisory": "Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6904).", "cve": "PVE-2021-39483", "id": "pyup.io-39483", "more_info_path": "/vulnerabilities/PVE-2021-39483/39483", "specs": [ "<0.31.0rc1" ], "v": "<0.31.0rc1" }, { "advisory": "Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7036) - this was a security concern. It also \r\nran 'npm audit fix' to address various vulnerabilities (#7263).", "cve": "PVE-2021-39482", "id": "pyup.io-39482", "more_info_path": "/vulnerabilities/PVE-2021-39482/39482", "specs": [ "<0.32.0rc1" ], "v": "<0.32.0rc1" }, { "advisory": "Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB method (#7355). 
These were both security issues.", "cve": "PVE-2021-39480", "id": "pyup.io-39480", "more_info_path": "/vulnerabilities/PVE-2021-39480/39480", "specs": [ "<0.32.0rc2.dev2" ], "v": "<0.32.0rc2.dev2" }, { "advisory": "Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security reasons.", "cve": "PVE-2021-39481", "id": "pyup.io-39481", "more_info_path": "/vulnerabilities/PVE-2021-39481/39481", "specs": [ "<0.33.0rc1" ], "v": "<0.33.0rc1" }, { "advisory": "Apache-superset 0.34.0 updates its dependency 'pyyaml' to v5.1 to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-45811", "more_info_path": "/vulnerabilities/CVE-2017-18342/45811", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2018-20060", "id": "pyup.io-45814", "more_info_path": "/vulnerabilities/CVE-2018-20060/45814", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2019-10906", "id": "pyup.io-39479", "more_info_path": "/vulnerabilities/CVE-2019-10906/39479", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2019-10906", "id": "pyup.io-45813", "more_info_path": "/vulnerabilities/CVE-2019-10906/45813", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.34.0 updates its dependency 'urllib3' to v1.24.3 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-45812", "more_info_path": "/vulnerabilities/CVE-2019-11324/45812", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).", "cve": "PVE-2021-39478", "id": "pyup.io-39478", "more_info_path": "/vulnerabilities/PVE-2021-39478/39478", "specs": [ "<0.35.0" ], "v": "<0.35.0" }, { "advisory": 
"Apache-superset 0.35.1 updates its dependency 'dompurify' to v2.0.7 to include a security fix.", "cve": "CVE-2020-26870", "id": "pyup.io-39477", "more_info_path": "/vulnerabilities/CVE-2020-26870/39477", "specs": [ "<0.35.1" ], "v": "<0.35.1" }, { "advisory": "Apache-superset 0.35.2 bumps packages with security vulnerabilities (#8573), and bumps pyarrow to 0.15.1 due to CVE-2019-12408 (#8583).", "cve": "CVE-2019-12408", "id": "pyup.io-39476", "more_info_path": "/vulnerabilities/CVE-2019-12408/39476", "specs": [ "<0.35.2" ], "v": "<0.35.2" }, { "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f", "cve": "CVE-2019-16769", "id": "pyup.io-44577", "more_info_path": "/vulnerabilities/CVE-2019-16769/44577", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f", "cve": "CVE-2019-16772", "id": "pyup.io-44578", "more_info_path": "/vulnerabilities/CVE-2019-16772/44578", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'chownr' to v1.1.1 to include a security fix.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f", "cve": "CVE-2017-18869", "id": "pyup.io-42732", "more_info_path": "/vulnerabilities/CVE-2017-18869/42732", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Apache-superset 0.36.0 filters out markdown containing XSS.\r\nhttps://github.com/apache/superset/pull/9163", "cve": "PVE-2021-39475", "id": "pyup.io-39475", "more_info_path": "/vulnerabilities/PVE-2021-39475/39475", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Apache-superset 0.37.0 includes various security-related 
improvements. It fixes a regression in #9689 (#9705), it fixes can_access with None because it crashed on builtin roles (#10039), it renames schemas_accessible_by_user (#10030), renames access methods (#10031), it updates assert logic (#10034), and it fixes the dbs/clusters perm (#10130).
This is a security improvement.", "cve": "PVE-2021-39473", "id": "pyup.io-39473", "more_info_path": "/vulnerabilities/PVE-2021-39473/39473", "specs": [ "<0.37.1" ], "v": "<0.37.1" }, { "advisory": "Apache-superset 0.9.1 improved its security: Gamma role sees only its objects, and only owners and Admins can alter objects.", "cve": "PVE-2021-38193", "id": "pyup.io-38193", "more_info_path": "/vulnerabilities/PVE-2021-38193/38193", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "Apache-superset 1.0.0 applies owners security validation. It was missing from the new reports API.\r\nhttps://github.com/apache/superset/pull/12035", "cve": "PVE-2021-41203", "id": "pyup.io-41203", "more_info_path": "/vulnerabilities/PVE-2021-41203/41203", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "Apache-superset 1.2.0 updates NPM packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367", "cve": "CVE-2021-3807", "id": "pyup.io-45803", "more_info_path": "/vulnerabilities/CVE-2021-3807/45803", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Apache-superset 1.2.0 updates NPM packages for security fixes.\r\nhttps://github.com/apache/superset/pull/13367", "cve": "CVE-2020-28477", "id": "pyup.io-41791", "more_info_path": "/vulnerabilities/CVE-2020-28477/41791", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Apache-superset 2.0.1 improves SafeMarkdown HTML sanitization to prevent possible attacks.\r\nhttps://github.com/apache/superset/pull/21895", "cve": "PVE-2023-52798", "id": "pyup.io-52798", "more_info_path": "/vulnerabilities/PVE-2023-52798/52798", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Apache-superset 2.0.1 disables HTML rendering in Toast by default.\r\nhttps://github.com/apache/superset/pull/21853", "cve": "PVE-2023-52807", "id": "pyup.io-52807", "more_info_path": "/vulnerabilities/PVE-2023-52807/52807", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Apache-superset 2.1.0 includes a fix for an XSS 
vulnerability.\r\nhttps://github.com/apache/superset/pull/21822", "cve": "PVE-2023-59076", "id": "pyup.io-59076", "more_info_path": "/vulnerabilities/PVE-2023-59076/59076", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.", "cve": "CVE-2023-42501", "id": "pyup.io-65226", "more_info_path": "/vulnerabilities/CVE-2023-42501/65226", "specs": [ "<2.1.1" ], "v": "<2.1.1" }, { "advisory": "Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint.\u00a0This issue affects Apache Superset versions before 2.1.2.", "cve": "CVE-2023-43701", "id": "pyup.io-65230", "more_info_path": "/vulnerabilities/CVE-2023-43701/65230", "specs": [ "<2.1.2" ], "v": "<2.1.2" }, { "advisory": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. 
This weakness could result in tampering with the authentication/authorization data.
This issue affects Apache Superset: before 3.0.0", "cve": "CVE-2023-42504", "id": "pyup.io-65228", "more_info_path": "/vulnerabilities/CVE-2023-42504/65228", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.", "cve": "CVE-2021-3807", "id": "pyup.io-61908", "more_info_path": "/vulnerabilities/CVE-2021-3807/61908", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3.\u00a0An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.", "cve": "CVE-2023-49657", "id": "pyup.io-66702", "more_info_path": "/vulnerabilities/CVE-2023-49657/66702", "specs": [ "<3.0.3" ], "v": "<3.0.3" }, { "advisory": "An authenticated user could potentially access metadata for a data source they are not authorized to view by submitting a targeted REST API request.", "cve": "CVE-2024-28148", "id": "pyup.io-71839", "more_info_path": "/vulnerabilities/CVE-2024-28148/71839", "specs": [ "<3.1.2" ], "v": "<3.1.2" }, { "advisory": "Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. Suppose both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile. In that case, the attacker can execute a specific MySQL/MariaDB SQL command to read the server's files and insert their content on a MariaDB database table.", "cve": "CVE-2024-34693", "id": "pyup.io-71840", "more_info_path": "/vulnerabilities/CVE-2024-34693/71840", "specs": [ "<3.1.3", ">=4.0.0,<4.0.1" ], "v": "<3.1.3,>=4.0.0,<4.0.1" }, { "advisory": "An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. 
Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows using the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.", "cve": "CVE-2024-39887", "id": "pyup.io-72252", "more_info_path": "/vulnerabilities/CVE-2024-39887/72252", "specs": [ "<4.0.2" ], "v": "<4.0.2" }, { "advisory": "When explicitly enabling the feature flag 'DASHBOARD_CACHE' (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-45438", "id": "pyup.io-54614", "more_info_path": "/vulnerabilities/CVE-2022-45438/54614", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-41703", "id": "pyup.io-54626", "more_info_path": "/vulnerabilities/CVE-2022-41703/54626", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-43717", "id": "pyup.io-54616", "more_info_path": "/vulnerabilities/CVE-2022-43717/54616", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-43721", "id": "pyup.io-54615", "more_info_path": "/vulnerabilities/CVE-2022-43721/54615", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-43720", "id": "pyup.io-54625", "more_info_path": "/vulnerabilities/CVE-2022-43720/54625", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-43718", "id": "pyup.io-54611", "more_info_path": "/vulnerabilities/CVE-2022-43718/54611", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.", "cve": "CVE-2022-43719", "id": "pyup.io-54612", "more_info_path": "/vulnerabilities/CVE-2022-43719/54612", "specs": [ "<=1.5.2", "==2.0.0" ], "v": "<=1.5.2,==2.0.0" }, { "advisory": "A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery\r\nattacks and query internal resources on behalf of the server where Superset\r\nis deployed. This vulnerability exists\u00a0in Apache Superset versions up to and including 2.0.1.", "cve": "CVE-2023-25504", "id": "pyup.io-62896", "more_info_path": "/vulnerabilities/CVE-2023-25504/62896", "specs": [ "<=2.0.1" ], "v": "<=2.0.1" }, { "advisory": "An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1", "cve": "CVE-2023-27525", "id": "pyup.io-62902", "more_info_path": "/vulnerabilities/CVE-2023-27525/62902", "specs": [ "<=2.0.1" ], "v": "<=2.0.1" }, { "advisory": "Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. 
This does not affect Superset administrators who have changed the default value for SECRET_KEY config.", "cve": "CVE-2023-27524", "id": "pyup.io-62900", "more_info_path": "/vulnerabilities/CVE-2023-27524/62900", "specs": [ "<=2.0.1" ], "v": "<=2.0.1" }, { "advisory": "Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.", "cve": "CVE-2023-36388", "id": "pyup.io-64998", "more_info_path": "/vulnerabilities/CVE-2023-36388/64998", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": "An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.", "cve": "CVE-2023-36387", "id": "pyup.io-65024", "more_info_path": "/vulnerabilities/CVE-2023-36387/65024", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": "Improper data authorization check on Jinja templated queries in Apache Superset\u00a0up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.", "cve": "CVE-2023-27523", "id": "pyup.io-62898", "more_info_path": "/vulnerabilities/CVE-2023-27523/62898", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.", "cve": "CVE-2023-39264", "id": "pyup.io-64999", "more_info_path": "/vulnerabilities/CVE-2023-39264/64999", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": "A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.", "cve": "CVE-2023-27526", "id": "pyup.io-62904", "more_info_path": "/vulnerabilities/CVE-2023-27526/62904", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": 
"Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like\u00a0sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.", "cve": "CVE-2023-39265", "id": "pyup.io-65000", "more_info_path": "/vulnerabilities/CVE-2023-39265/65000", "specs": [ "<=2.1.0" ], "v": "<=2.1.0" }, { "advisory": "In Apache Incubator Superset before 0.31 user could query database metadata information from a database it has no access to, by using a specially crafted complex query.", "cve": "CVE-2019-12413", "id": "pyup.io-54144", "more_info_path": "/vulnerabilities/CVE-2019-12413/54144", "specs": [ ">=0,<0.31.0" ], "v": ">=0,<0.31.0" }, { "advisory": "In Apache Incubator Superset before 0.32, a user can view database names that it has no access to on a dropdown list in SQLLab.", "cve": "CVE-2019-12414", "id": "pyup.io-54140", "more_info_path": "/vulnerabilities/CVE-2019-12414/54140", "specs": [ ">=0,<0.32.0" ], "v": ">=0,<0.32.0" }, { "advisory": "Apache Superset versions before 0.34.0 are susceptible to a Cross-site Scripting (XSS) vulnerability that involves an issue through FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79", "cve": "PVE-2024-99800", "id": "pyup.io-66015", "more_info_path": "/vulnerabilities/PVE-2024-99800/66015", "specs": [ ">=0,<0.34.0" ], "v": ">=0,<0.34.0" }, { "advisory": "Apache-superset versions before 0.34.0 are vulnerable to Cross-site Scripting (XSS) attacks. 
This vulnerability arises when user descriptions containing arbitrary HTML tags are accepted without proper validation, including the creation of malicious links via the `javascript:` protocol. XSS attacks exploit these oversights to execute unauthorized code or scripts in the context of a user's session, potentially leading to session hijacking, sensitive information exposure, or malware delivery. The main defense against such attacks involves sanitizing input data to escape special characters and validating or filtering all user inputs before they are reflected to the user. Strategies such as implementing a Content Security Policy, disabling client-side scripts, and ensuring proper session management can help mitigate the risk of XSS vulnerabilities.\r\nhttps://github.com/apache/superset/commit/4ff17ffc8de30c3813a81c80cf38d89d9da7a73d", "cve": "PVE-2024-99799", "id": "pyup.io-66016", "more_info_path": "/vulnerabilities/PVE-2024-99799/66016", "specs": [ ">=0,<0.34.0" ], "v": ">=0,<0.34.0" }, { "advisory": "Cross-site Scripting (XSS) vulnerabilities have been detected in versions of apache-superset before 0.34.0, specifically through its Markup viz feature. XSS attacks manipulate a web application to execute malicious scripts on a client's browser, performing actions usually blocked by browser security, such as hijacking user sessions or exposing sensitive information. These attacks exploit the application\u2019s failure to sufficiently sanitize, validate, or escape user input, particularly special characters in dynamic content. Different XSS attacks include Stored, Reflected, DOM-based, and Mutated types, each with unique methods of injecting harmful code. 
To mitigate XSS risks, implementations should include sanitizing data inputs, encoding special characters, disabling client-side scripts where possible, redirecting invalid requests, detecting simultaneous logins, enforcing Content Security Policies, and understanding the security implications of third-party library usage.\r\nhttps://github.com/apache/superset/commit/0c5db55d55471c1c61c0750733733c157551b2d8", "cve": "PVE-2024-99797", "id": "pyup.io-66018", "more_info_path": "/vulnerabilities/PVE-2024-99797/66018", "specs": [ ">=0,<0.34.0" ], "v": ">=0,<0.34.0" }, { "advisory": "The vulnerability threatens the security of apache-superset before 0.35.1, arising from insecure default settings that allow unrestricted metrics.\r\nhttps://github.com/apache/superset/commit/05b67673c3fdb4c94e5af5bc2fe83f1b227d7d08", "cve": "PVE-2024-99801", "id": "pyup.io-66014", "more_info_path": "/vulnerabilities/PVE-2024-99801/66014", "specs": [ ">=0,<0.35.1" ], "v": ">=0,<0.35.1" }, { "advisory": "In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users\u2019 password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. 
This vulnerability is present in every Apache Superset version < 0.37.2.", "cve": "CVE-2020-13952", "id": "pyup.io-54228", "more_info_path": "/vulnerabilities/CVE-2020-13952/54228", "specs": [ ">=0,<0.37.2" ], "v": ">=0,<0.37.2" }, { "advisory": "Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a div section and embedding in it a svg element with javascript code.", "cve": "CVE-2021-27907", "id": "pyup.io-54300", "more_info_path": "/vulnerabilities/CVE-2021-27907/54300", "specs": [ ">=0,<0.38.1" ], "v": ">=0,<0.38.1" }, { "advisory": "Apache Superset prior to 1.1.0 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.", "cve": "CVE-2021-28125", "id": "pyup.io-54265", "more_info_path": "/vulnerabilities/CVE-2021-28125/54265", "specs": [ ">=0,<1.1.0" ], "v": ">=0,<1.1.0" }, { "advisory": "Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. 
This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.", "cve": "CVE-2021-32609", "id": "pyup.io-54353", "more_info_path": "/vulnerabilities/CVE-2021-32609/54353", "specs": [ ">=0,<1.2.0" ], "v": ">=0,<1.2.0" }, { "advisory": "Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.", "cve": "CVE-2021-41971", "id": "pyup.io-54351", "more_info_path": "/vulnerabilities/CVE-2021-41971/54351", "specs": [ ">=0,<1.3.1" ], "v": ">=0,<1.3.1" }, { "advisory": "Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.", "cve": "CVE-2021-42250", "id": "pyup.io-54375", "more_info_path": "/vulnerabilities/CVE-2021-42250/54375", "specs": [ ">=0,<1.3.2" ], "v": ">=0,<1.3.2" }, { "advisory": "Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.", "cve": "CVE-2021-41972", "id": "pyup.io-54371", "more_info_path": "/vulnerabilities/CVE-2021-41972/54371", "specs": [ ">=0,<1.3.2" ], "v": ">=0,<1.3.2" }, { "advisory": "Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.", "cve": "CVE-2021-44451", "id": "pyup.io-54171", "more_info_path": "/vulnerabilities/CVE-2021-44451/54171", "specs": [ ">=0,<1.4.0" ], "v": ">=0,<1.4.0" }, { "advisory": "Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. 
Users should update to 1.4.2 or higher which addresses this issue.", "cve": "CVE-2022-27479", "id": "pyup.io-54435", "more_info_path": "/vulnerabilities/CVE-2022-27479/54435", "specs": [ ">=0,<1.4.2" ], "v": ">=0,<1.4.2" }, { "advisory": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.", "cve": "CVE-2021-37839", "id": "pyup.io-54418", "more_info_path": "/vulnerabilities/CVE-2021-37839/54418", "specs": [ ">=0,<1.5.1" ], "v": ">=0,<1.5.1" }, { "advisory": "Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.\u00a0\u00a0\r\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.", "cve": "CVE-2023-46104", "id": "pyup.io-65186", "more_info_path": "/vulnerabilities/CVE-2023-46104/65186", "specs": [ ">=0,<2.1.3", ">=3.0.0,<3.0.2" ], "v": ">=0,<2.1.3,>=3.0.0,<3.0.2" }, { "advisory": "A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement\u00a0would allow for SQL injection\u00a0in Apache Superset. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.", "cve": "CVE-2023-49736", "id": "pyup.io-65196", "more_info_path": "/vulnerabilities/CVE-2023-49736/65196", "specs": [ ">=0,<2.1.3", ">=3.0.0,<3.0.2" ], "v": ">=0,<2.1.3,>=3.0.0,<3.0.2" }, { "advisory": "An authenticated Gamma user can create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. 
Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.", "cve": "CVE-2023-49734", "id": "pyup.io-65195", "more_info_path": "/vulnerabilities/CVE-2023-49734/65195", "specs": [ ">=0,<2.1.3", ">=3.0.0,<3.0.2" ], "v": ">=0,<2.1.3,>=3.0.0,<3.0.2" }, { "advisory": "Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.", "cve": "CVE-2024-24779", "id": "pyup.io-68494", "more_info_path": "/vulnerabilities/CVE-2024-24779/68494", "specs": [ ">=0,<3.0.4", ">=3.1.0,<3.1.1" ], "v": ">=0,<3.0.4,>=3.1.0,<3.1.1" }, { "advisory": "A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.", "cve": "CVE-2024-24772", "id": "pyup.io-68496", "more_info_path": "/vulnerabilities/CVE-2024-24772/68496", "specs": [ ">=0,<3.0.4", ">=3.1.0,<3.1.1" ], "v": ">=0,<3.0.4,>=3.1.0,<3.1.1" }, { "advisory": "Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. 
Users are recommended to upgrade to version 3.1.1, which fixes the issue.", "cve": "CVE-2024-24773", "id": "pyup.io-68495", "more_info_path": "/vulnerabilities/CVE-2024-24773/68495", "specs": [ ">=0,<3.0.4", ">=3.1.0,<3.1.1" ], "v": ">=0,<3.0.4,>=3.1.0,<3.1.1" }, { "advisory": "A low-privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.", "cve": "CVE-2024-26016", "id": "pyup.io-68490", "more_info_path": "/vulnerabilities/CVE-2024-26016/68490", "specs": [ ">=0,<3.0.4", ">=3.1.0,<3.1.1" ], "v": ">=0,<3.0.4,>=3.1.0,<3.1.1" }, { "advisory": "A vulnerability in various versions of Apache Superset allows authenticated users with alert creation privileges to execute a specially crafted SQL statement, leading to a database error. This error, improperly handled, could expose sensitive information in the alert's error log.", "cve": "CVE-2024-27315", "id": "pyup.io-68480", "more_info_path": "/vulnerabilities/CVE-2024-27315/68480", "specs": [ ">=0,<3.0.4", ">=3.1.0rc1,<3.1.1" ], "v": ">=0,<3.0.4,>=3.1.0rc1,<3.1.1" }, { "advisory": "An incorrect authorisation check exists in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. 
The vulnerability can be exploited by leveraging a SQL parsing vulnerability.", "cve": "CVE-2023-32672", "id": "pyup.io-64672", "more_info_path": "/vulnerabilities/CVE-2023-32672/64672", "specs": [ ">=0,<=2.1.0" ], "v": ">=0,<=2.1.0" }, { "advisory": "An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.", "cve": "CVE-2020-1932", "id": "pyup.io-54193", "more_info_path": "/vulnerabilities/CVE-2020-1932/54193", "specs": [ ">=0.34.0,<0.35.2" ], "v": ">=0.34.0,<0.35.2" }, { "advisory": "An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.\u00a0This issue affects Apache Superset version 1.3.0 up to 2.0.1.", "cve": "CVE-2023-30776", "id": "pyup.io-64173", "more_info_path": "/vulnerabilities/CVE-2023-30776/64173", "specs": [ ">=1.3.0,<=2.0.1" ], "v": ">=1.3.0,<=2.0.1" }, { "advisory": "Apache-superset 2.1.1 includes a fix for CVE-2023-37941: If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.\r\nhttps://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h", "cve": "CVE-2023-37941", "id": "pyup.io-61038", "more_info_path": "/vulnerabilities/CVE-2023-37941/61038", "specs": [ ">=1.5.0,<=2.1.0" ], "v": ">=1.5.0,<=2.1.0" } ], "apache-trafficcontrol": [ { "advisory": "Apache Traffic Control 3.1.0 (Python client) supports Apache-trafficcontrol 6.1.0, that sets files with potential sensitive data with 0600 permissions, to avoid users other than ats or root can read them.\r\nhttps://github.com/apache/trafficcontrol/issues/6032", "cve": "PVE-2022-51294", "id": "pyup.io-51294", "more_info_path": 
"/vulnerabilities/PVE-2022-51294/51294", "specs": [ "<3.1.0" ], "v": "<3.1.0" } ], "apache-tvm": [ { "advisory": "Apache-tvm 0.6 updates its Maven dependency 'checkstyle' requirements to versions [8.18,) to include a security fix.", "cve": "CVE-2019-9658", "id": "pyup.io-48121", "more_info_path": "/vulnerabilities/CVE-2019-9658/48121", "specs": [ "<0.6" ], "v": "<0.6" } ], "api-client-pydantic": [ { "advisory": "Api-client-pydantic 1.1.0 updates its dependency 'urllib3' to v1.26.4 to include a security fix.", "cve": "CVE-2021-28363", "id": "pyup.io-45389", "more_info_path": "/vulnerabilities/CVE-2021-28363/45389", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "api-res-py": [ { "advisory": "Api-res-py 0.1 contains a backdoor due to the presence of the malicious 'request' dependency.\r\nhttps://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly-included-a-password-stealer/", "cve": "CVE-2022-31313", "id": "pyup.io-49432", "more_info_path": "/vulnerabilities/CVE-2022-31313/49432", "specs": [ "==0.1" ], "v": "==0.1" } ], "apicolor": [ { "advisory": "Apicolor is a malicious package. It uses steganography to hide and install a backdoor in your system.\r\nhttps://www.darkreading.com/threat-intelligence/malicious-pypi-package-steganography-download-malware", "cve": "PVE-2023-53271", "id": "pyup.io-53271", "more_info_path": "/vulnerabilities/PVE-2023-53271/53271", "specs": [ ">=0" ], "v": ">=0" } ], "apidev-coop": [ { "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": "PVE-2021-34979", "id": "pyup.io-34979", "more_info_path": "/vulnerabilities/PVE-2021-34979/34979", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "apify": [ { "advisory": "Apify 2.1.4 addresses a critical bug related to WebGL injection. It was causing the system to be detected and blocked by certain fingerprinting systems with Kasada protection. 
This fix improves the system's compatibility with such systems, enhancing overall performance and reliability.\r\nhttps://github.com/apify/fingerprint-suite/pull/100\r\nhttps://github.com/apify/fingerprint-suite/commit/0c4d05ae0c6badc441a53578a0ecdecd933294cb", "cve": "PVE-2024-63511", "id": "pyup.io-63511", "more_info_path": "/vulnerabilities/PVE-2024-63511/63511", "specs": [ "<2.1.4" ], "v": "<2.1.4" } ], "apimatic-core": [ { "advisory": "Apimatic-core 0.2.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", "cve": "CVE-2022-40897", "id": "pyup.io-54870", "more_info_path": "/vulnerabilities/CVE-2022-40897/54870", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "Apimatic-core 0.2.3 updates its dependency 'requests' to version '2.31.0' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/apimatic/core-lib-python/pull/40", "cve": "CVE-2023-32681", "id": "pyup.io-59862", "more_info_path": "/vulnerabilities/CVE-2023-32681/59862", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "apimatic-requests-client-adapter": [ { "advisory": "Apimatic-requests-client-adapter 0.1.4 updates its dependency 'requests' to version '2.31.0' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/apimatic/requests-client-adapter/pull/23\r\nhttps://github.com/apimatic/requests-client-adapter/commit/c8f0b7b71e1c3826492ce3aead3b81ed097eedf4", "cve": "CVE-2023-32681", "id": "pyup.io-60290", "more_info_path": "/vulnerabilities/CVE-2023-32681/60290", "specs": [ "<0.1.4" ], "v": "<0.1.4" } ], "apischema": [ { "advisory": "Apischema 0.17.0 deprecates arbitrary exceptions in deserialization to avoid leaking implementation details if unwanted exceptions are not properly caught.\r\nhttps://github.com/wyfo/apischema/issues/233", "cve": "PVE-2021-43741", "id": "pyup.io-43741", "more_info_path": "/vulnerabilities/PVE-2021-43741/43741", "specs": [ "<0.17.0" ], "v": "<0.17.0" } ], "apispec": [ { "advisory": "In PyYAML before 
5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.", "cve": "CVE-2017-18342", "id": "pyup.io-42246", "more_info_path": "/vulnerabilities/CVE-2017-18342/42246", "specs": [ "<1.0.0b2" ], "v": "<1.0.0b2" } ], "apkleaks": [ { "advisory": "APKLeaks is an open-source project for scanning APK files for URIs, endpoints & secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via the package name inside the application manifest. An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior through a malicious package name. The problem is fixed in version v2.0.6-dev and above.", "cve": "CVE-2021-21386", "id": "pyup.io-42302", "more_info_path": "/vulnerabilities/CVE-2021-21386/42302", "specs": [ "<2.0.6" ], "v": "<2.0.6" } ], "appdaemon": [ { "advisory": "Appdaemon 3.0.4 uses yaml.SafeLoader to work around a known security issue with PyYAML.", "cve": "PVE-2021-37096", "id": "pyup.io-37096", "more_info_path": "/vulnerabilities/PVE-2021-37096/37096", "specs": [ "<3.0.4" ], "v": "<3.0.4" } ], "appdaemontestframework": [ { "advisory": "Appdaemontestframework 2.0.1 updates the minimum requirement for its dependency 'requests' to >=2.20.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-45791", "more_info_path": "/vulnerabilities/CVE-2018-18074/45791", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Appdaemontestframework 2.0.1 updates the minimum requirement for its dependency 'pyyaml' to >=4.2b1 to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-37908", "more_info_path": "/vulnerabilities/CVE-2017-18342/37908", "specs": [ "<2.0.1" ], "v": "<2.0.1" }, { "advisory": "Appdaemontestframework 2.3.3 updates its dependency 'typed-ast 
' to v1.4.0 to include security fixes.", "cve": "CVE-2019-19274", "id": "pyup.io-44970", "more_info_path": "/vulnerabilities/CVE-2019-19274/44970", "specs": [ "<2.3.3" ], "v": "<2.3.3" }, { "advisory": "Appdaemontestframework 2.3.3 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-44968", "more_info_path": "/vulnerabilities/CVE-2019-11324/44968", "specs": [ "<2.3.3" ], "v": "<2.3.3" }, { "advisory": "Appdaemontestframework 2.3.3 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-44969", "more_info_path": "/vulnerabilities/CVE-2019-11236/44969", "specs": [ "<2.3.3" ], "v": "<2.3.3" }, { "advisory": "Appdaemontestframework 2.3.3 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2019-10906", "id": "pyup.io-37907", "more_info_path": "/vulnerabilities/CVE-2019-10906/37907", "specs": [ "<2.3.3" ], "v": "<2.3.3" }, { "advisory": "Appdaemontestframework 2.3.3 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2019-19275", "id": "pyup.io-44971", "more_info_path": "/vulnerabilities/CVE-2019-19275/44971", "specs": [ "<2.3.3" ], "v": "<2.3.3" } ], "appfl": [ { "advisory": "Appfl 0.4.0 mitigates race condition vulnerabilities in its Globus Communication file system. The previous version allowed concurrent attempts by multiple clients to download the MNIST dataset and the global model to the same directories, leading to potential data corruption. 
This version introduces a pre-download script for the MNIST dataset and assigns unique output directories for each client, preventing simultaneous write operations to the same file and enhancing overall application robustness.\r\nhttps://github.com/APPFL/APPFL/pull/158", "cve": "PVE-2024-63217", "id": "pyup.io-63217", "more_info_path": "/vulnerabilities/PVE-2024-63217/63217", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "apphelpers": [ { "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.", "cve": "PVE-2021-37151", "id": "pyup.io-37151", "more_info_path": "/vulnerabilities/PVE-2021-37151/37151", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "appia": [ { "advisory": "Appia 5.3 removes the usage of hardcoded credentials in docker-compose.\r\nhttps://github.com/PlethoraChutney/Appia/commit/82c65d7dcfe1cc064abcb29980ed49e92488174a", "cve": "PVE-2022-52425", "id": "pyup.io-52425", "more_info_path": "/vulnerabilities/PVE-2022-52425/52425", "specs": [ "<5.3" ], "v": "<5.3" } ], "apprise": [ { "advisory": "Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. In affected versions users who use Apprise granting them access to the IFTTT plugin (which just comes out of the box) are subject to a denial of service attack on an inefficient regular expression. The vulnerable regular expression is [here](https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359). The problem has been patched in release version 0.9.5.1. 
Users who are unable to upgrade are advised to remove `apprise/plugins/NotifyIFTTT.py` to eliminate the service.", "cve": "CVE-2021-39229", "id": "pyup.io-54335", "more_info_path": "/vulnerabilities/CVE-2021-39229/54335", "specs": [ ">=0,<0.9.5.1" ], "v": ">=0,<0.9.5.1" } ], "appwrite": [ { "advisory": "Appwrite (SDK for Python) version 0.2.0 adds support for appwrite 0.8.0. Appwrite 0.7.1 fixed an XSS vulnerability in the appwrite console.", "cve": "PVE-2021-40600", "id": "pyup.io-40600", "more_info_path": "/vulnerabilities/PVE-2021-40600/40600", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "Appwrite (SDK for Python) version 0.4.0 adds support for appwrite 0.9.0. Appwrite 0.9.0 fixed a potential XSS injection on the console.", "cve": "PVE-2021-40934", "id": "pyup.io-40934", "more_info_path": "/vulnerabilities/PVE-2021-40934/40934", "specs": [ "<0.4.0" ], "v": "<0.4.0" }, { "advisory": "Appwrite (SDK for Python) version 0.5.0 adds support for appwrite 0.10.0. Appwrite 0.9.4 fixed a security vulnerability that exposes project ID's from other admin users.", "cve": "PVE-2021-41261", "id": "pyup.io-41261", "more_info_path": "/vulnerabilities/PVE-2021-41261/41261", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "Appwrite 0.5.1 supports appwrite API 0.11, which includes security fixes.\r\nhttps://github.com/appwrite/appwrite/pull/2777", "cve": "PVE-2022-45515", "id": "pyup.io-45515", "more_info_path": "/vulnerabilities/PVE-2022-45515/45515", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "aptdaemon": [ { "advisory": "There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. 
This way an unprivileged user can check for the existence of any files on the system as root.", "cve": "CVE-2020-15703", "id": "pyup.io-70576", "more_info_path": "/vulnerabilities/CVE-2020-15703/70576", "specs": [ "<=1.1.1" ], "v": "<=1.1.1" } ], "aqtinstall": [ { "advisory": "Aqtinstall 2.1.0 uses SHA-256 checksums from trusted mirrors only.\r\nhttps://github.com/miurahr/aqtinstall/pull/493", "cve": "PVE-2022-48137", "id": "pyup.io-48137", "more_info_path": "/vulnerabilities/PVE-2022-48137/48137", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0", "cve": "CVE-2013-1664", "id": "pyup.io-47852", "more_info_path": "/vulnerabilities/CVE-2013-1664/47852", "specs": [ "<2.1.0rc2" ], "v": "<2.1.0rc2" }, { "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0", "cve": "CVE-2013-1665", "id": "pyup.io-54874", "more_info_path": "/vulnerabilities/CVE-2013-1665/54874", "specs": [ "<2.1.0rc2" ], "v": "<2.1.0rc2" }, { "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0", "cve": "PVE-2022-47013", "id": "pyup.io-47013", "more_info_path": "/vulnerabilities/PVE-2022-47013/47013", "specs": [ "<2.1.0rc2" ], "v": "<2.1.0rc2" } ], "aquilify": [ { "advisory": "Aquilify version 1.12.0 has enhanced its CSRF middleware protection, strengthening defenses against potential security vulnerabilities.", "cve": "PVE-2024-65762", "id": "pyup.io-65762", "more_info_path": "/vulnerabilities/PVE-2024-65762/65762", "specs": [ "<1.12.0" ], "v": "<1.12.0" } ], "arches": [ { "advisory": "### Impact\nWith a carefully crafted 
web request, it's possible to execute certain unwanted SQL statements against the database. \nAnyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.\n\n### Patches\nThe problem has been patched in the following versions: [6.1.2](https://pypi.org/project/arches/6.1.2/), [6.2.1](https://pypi.org/project/arches/6.2.1/), and [7.2.0](https://pypi.org/project/arches/7.2.0/)\nUsers are strongly urged to upgrade to the most recent relevant patch.\n\n### Workarounds\nThere are no workarounds.\n\n### General References \nhttps://www.w3schools.com/sql/sql_injection.asp\nhttps://en.wikipedia.org/wiki/SQL_injection\n\n### For more information\nPost any questions to the [Arches project forum](https://community.archesproject.org/).\n", "cve": "CVE-2022-41892", "id": "pyup.io-54561", "more_info_path": "/vulnerabilities/CVE-2022-41892/54561", "specs": [ ">=0,<6.1.2", ">=6.2.0,<6.2.1", ">=7.0.0,<7.2.0" ], "v": ">=0,<6.1.2,>=6.2.0,<6.2.1,>=7.0.0,<7.2.0" } ], "archi": [ { "advisory": "Archi 0.2.2 is bundled with libarchive 3.4.2. However, libarchive before version 3.4.3 is known to not be secure.", "cve": "PVE-2021-37702", "id": "pyup.io-37702", "more_info_path": "/vulnerabilities/PVE-2021-37702/37702", "specs": [ "<=0.2.2" ], "v": "<=0.2.2" } ], "archinstall": [ { "advisory": "Archinstall 2.4.0.rc1 splits 'disk_layouts', 'creds' and 'conf' data into separate files to address security concerns when sharing user configurations publicly.", "cve": "PVE-2022-47799", "id": "pyup.io-47799", "more_info_path": "/vulnerabilities/PVE-2022-47799/47799", "specs": [ "<2.4.0.rc1" ], "v": "<2.4.0.rc1" } ], "archivebox": [ { "advisory": "Affected versions of Archivebox are vulnerable to Improper Authorization.", "cve": "PVE-2024-73588", "id": "pyup.io-73588", "more_info_path": "/vulnerabilities/PVE-2024-73588/73588", "specs": [ "<0.8.3rc" ], "v": "<0.8.3rc" }, { "advisory": "ArchiveBox is an open source self-hosted web archiving system. 
Any users who are using the `wget` extractor and view the content it outputs are affected. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page designed to target your ArchiveBox instance. Malicious Javascript could potentially act using your logged-in admin credentials and add/remove/modify snapshots, add/remove/modify ArchiveBox users, and generally do anything an admin user could do. The impact is less severe for non-logged-in users, as malicious Javascript cannot *modify* any archives, but it can still *read* all the other archived content by fetching the snapshot index and iterating through it. Because all of ArchiveBox's archived content is served from the same host and port as the admin panel, when archived pages are viewed the JS executes in the same context as all the other archived pages (and the admin panel), defeating most of the browser's usual CORS/CSRF security protections and leading to this issue. A patch is being developed in https://github.com/ArchiveBox/ArchiveBox/issues/239. 
A mitigation for this issue would be to disable the wget extractor by setting `archivebox config --set SAVE_WGET=False`, ensure you are always logged out, or serve only a [static HTML version](https://github.com/ArchiveBox/ArchiveBox/wiki/Publishing-Your-Archive#2-export-and-host-it-as-static-html) of your archive.", "cve": "CVE-2023-45815", "id": "pyup.io-65386", "more_info_path": "/vulnerabilities/CVE-2023-45815/65386", "specs": [ ">=0" ], "v": ">=0" } ], "archivy": [ { "advisory": "Archivy 1.0.1 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/archivy/archivy/pull/201", "cve": "PVE-2023-59112", "id": "pyup.io-59112", "more_info_path": "/vulnerabilities/PVE-2023-59112/59112", "specs": [ "<1.0.1" ], "v": "<1.0.1" }, { "advisory": "Archivy 1.6.2 improves CSRF protection for delete actions.\r\nhttps://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d", "cve": "CVE-2021-4162", "id": "pyup.io-44511", "more_info_path": "/vulnerabilities/CVE-2021-4162/44511", "specs": [ "<1.6.2" ], "v": "<1.6.2" }, { "advisory": "Archivy 1.7.2 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/archivy/archivy/commit/dedc5a0b214acf2a25e0300304dabb46def4eef1", "cve": "PVE-2023-59125", "id": "pyup.io-59125", "more_info_path": "/vulnerabilities/PVE-2023-59125/59125", "specs": [ "<1.7.2" ], "v": "<1.7.2" }, { "advisory": "Archivy prior to version 1.7.1 is vulnerable to open redirect.", "cve": "CVE-2022-0697", "id": "pyup.io-54269", "more_info_path": "/vulnerabilities/CVE-2022-0697/54269", "specs": [ ">=0,<1.7.1" ], "v": ">=0,<1.7.1" } ], "archmage": [ { "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. 
(dot dot) in a CHM file.", "cve": "CVE-2015-1589", "id": "pyup.io-25630", "more_info_path": "/vulnerabilities/CVE-2015-1589/25630", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "arcticdb": [ { "advisory": "Arcticdb 3.0.0 includes a fix for an information disclosure vulnerability: Azure and S3 write credentials are stored in plaintext.\r\nhttps://github.com/man-group/ArcticDB/issues/802", "cve": "PVE-2023-61148", "id": "pyup.io-61148", "more_info_path": "/vulnerabilities/PVE-2023-61148/61148", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "argilla": [ { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2020-24025", "id": "pyup.io-52782", "more_info_path": "/vulnerabilities/CVE-2020-24025/52782", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2019-18799", "id": "pyup.io-52809", "more_info_path": "/vulnerabilities/CVE-2019-18799/52809", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2019-18797", "id": "pyup.io-52811", "more_info_path": "/vulnerabilities/CVE-2019-18797/52811", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2018-11694", "id": "pyup.io-52815", "more_info_path": "/vulnerabilities/CVE-2018-11694/52815", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2019-18798", "id": "pyup.io-52810", "more_info_path": "/vulnerabilities/CVE-2019-18798/52810", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2018-19839", "id": "pyup.io-52812", "more_info_path": 
"/vulnerabilities/CVE-2018-19839/52812", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2018-19827", "id": "pyup.io-52813", "more_info_path": "/vulnerabilities/CVE-2018-19827/52813", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2019-6284", "id": "pyup.io-52808", "more_info_path": "/vulnerabilities/CVE-2019-6284/52808", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.", "cve": "CVE-2018-20822", "id": "pyup.io-52814", "more_info_path": "/vulnerabilities/CVE-2018-20822/52814", "specs": [ "<0.13.0" ], "v": "<0.13.0" } ], "argo-workflows": [ { "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which updates its NPM dependency 'swagger-ui-react' to v3.29.0, that includes a version of 'lodash' that fixes a vulnerability.", "cve": "CVE-2020-8203", "id": "pyup.io-46474", "more_info_path": "/vulnerabilities/CVE-2020-8203/46474", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which includes a fix for an issue that allowed listing archived workflows that shouldn't be accessible.\r\nhttps://github.com/argoproj/argo-workflows/blob/7e9fc374a22c63fd5e09c322b37bd810f5d57a0e/sdks/python/README.md\r\nhttps://github.com/argoproj/argo-workflows/pull/2079", "cve": "PVE-2022-46479", "id": "pyup.io-46479", "more_info_path": "/vulnerabilities/PVE-2022-46479/46479", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which improves cookie security.\r\nhttps://github.com/argoproj/argo-workflows/issues/2759", "cve": "PVE-2022-46476", "id": "pyup.io-46476", 
"more_info_path": "/vulnerabilities/PVE-2022-46476/46476", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which fixes a XSS vulnerability.\r\nhttps://github.com/argoproj/argo-workflows/pull/3975", "cve": "PVE-2022-46473", "id": "pyup.io-46473", "more_info_path": "/vulnerabilities/PVE-2022-46473/46473", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Argo-workflows 6.1.0rc1 (Python SDK) is compatible with Argo-workflow core v3.1.0rc1, which enforces TLS version >= 1.2.\r\nhttps://github.com/argoproj/argo-workflows/commit/199016a6bed5284df3ec5caebbef9f2d018a2d43", "cve": "PVE-2022-46465", "id": "pyup.io-46465", "more_info_path": "/vulnerabilities/PVE-2022-46465/46465", "specs": [ "<6.1.0rc1" ], "v": "<6.1.0rc1" }, { "advisory": "Argo-workflows 6.2.0rc1 (Python SDK) is compatible with Argo-workflow core v3.2.0rc1, that fixes security issues related to file closing and paths.\r\nhttps://github.com/argoproj/argo-workflows/commit/4fd38facbfb66b06ab0205b04f6e1f1e9943eb6a", "cve": "PVE-2022-46464", "id": "pyup.io-46464", "more_info_path": "/vulnerabilities/PVE-2022-46464/46464", "specs": [ "<6.2.0rc1" ], "v": "<6.2.0rc1" }, { "advisory": "Argo-workflows 6.3.0rc1 (Python SDK) is compatible with Argo-workflow core v3.3.0rc1, that updates its NPM dependency 'prismjs' to v1.26 to include a security fix.\r\nhttps://github.com/argoproj/argo-workflows/issues/7599\r\nhttps://github.com/argoproj/argo-workflows/commit/2e343eb7f1328c8ec242116d38bb7e651703ea26", "cve": "CVE-2021-3801", "id": "pyup.io-46463", "more_info_path": "/vulnerabilities/CVE-2021-3801/46463", "specs": [ "<6.3.0rc1" ], "v": "<6.3.0rc1" }, { "advisory": "Argo-workflows 6.3.0rc9 (Python SDK) is compatible with Argo-workflow core v3.3.0rc9, that fixes a directory traversal vulnerability.\r\nhttps://github.com/argoproj/argo-workflows/commit/f9c7ab58e20fda8922fa00e9d468bda89031887a", "cve": "PVE-2022-46461", "id": 
"pyup.io-46461", "more_info_path": "/vulnerabilities/PVE-2022-46461/46461", "specs": [ "<6.3.0rc9" ], "v": "<6.3.0rc9" }, { "advisory": "Argo-workflows 6.3.10 and 6.4.4 (Python SDK) are compatible with Argo-workflows core v3.3.10 and v3.4.4, that update 'kubectl' to v1.24.8 to fix vulnerabilities.\r\nhttps://github.com/argoproj/argo-workflows/commit/fd31eb811160c62f16b5aef002bf232235e0d2c6\r\nhttps://github.com/argoproj/argo-workflows/issues/10006", "cve": "CVE-2021-25740", "id": "pyup.io-53017", "more_info_path": "/vulnerabilities/CVE-2021-25740/53017", "specs": [ "<6.3.10", ">=6.4.0rc1,<6.4.4" ], "v": "<6.3.10,>=6.4.0rc1,<6.4.4" }, { "advisory": "Argo-workflows 6.3.10 and 6.4.4 (Python SDK) are compatible with Argo-workflows core v3.3.10 and v3.4.4, that update 'kubectl' to v1.24.8 to fix vulnerabilities.\r\nhttps://github.com/argoproj/argo-workflows/commit/fd31eb811160c62f16b5aef002bf232235e0d2c6\r\nhttps://github.com/argoproj/argo-workflows/issues/10006", "cve": "CVE-2022-3172", "id": "pyup.io-53058", "more_info_path": "/vulnerabilities/CVE-2022-3172/53058", "specs": [ "<6.3.10", ">=6.4.0rc1,<6.4.4" ], "v": "<6.3.10,>=6.4.0rc1,<6.4.4" }, { "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364", "cve": "CVE-2021-35517", "id": "pyup.io-50689", "more_info_path": "/vulnerabilities/CVE-2021-35517/50689", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364", "cve": "CVE-2020-8908", "id": "pyup.io-50685", "more_info_path": "/vulnerabilities/CVE-2020-8908/50685", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.3.9 (Python 
SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364", "cve": "CVE-2021-22569", "id": "pyup.io-50686", "more_info_path": "/vulnerabilities/CVE-2021-22569/50686", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates NPM dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/d874c1a87b65b300b2a4c93032bd2970d6f91d8f", "cve": "CVE-2022-24785", "id": "pyup.io-50683", "more_info_path": "/vulnerabilities/CVE-2022-24785/50683", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364", "cve": "CVE-2020-28052", "id": "pyup.io-50691", "more_info_path": "/vulnerabilities/CVE-2020-28052/50691", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates NPM dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/d874c1a87b65b300b2a4c93032bd2970d6f91d8f", "cve": "CVE-2021-23648", "id": "pyup.io-50680", "more_info_path": "/vulnerabilities/CVE-2021-23648/50680", "specs": [ "<6.3.9" ], "v": "<6.3.9" }, { "advisory": "Argo-workflows 6.4.0rc1 (Python SDK) is compatible with Argo-workflows core v3.4.0rc1, that fixes a potential XSS vulnerability.\r\nhttps://github.com/argoproj/argo-workflows/pull/8289/commits/e78b1c9b840ea89a28e03d8aa0d5f9f1629c0c86", "cve": "PVE-2022-50679", "id": "pyup.io-50679", "more_info_path": "/vulnerabilities/PVE-2022-50679/50679", "specs": [ "<6.4.0rc1" ], "v": "<6.4.0rc1" }, { "advisory": "Argo-workflows 6.4.7 (Python SDK) is 
compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868", "cve": "CVE-2023-28842", "id": "pyup.io-54996", "more_info_path": "/vulnerabilities/CVE-2023-28842/54996", "specs": [ "<6.4.7" ], "v": "<6.4.7" }, { "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which updates UI NPM dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10842", "cve": "CVE-2021-4279", "id": "pyup.io-54997", "more_info_path": "/vulnerabilities/CVE-2021-4279/54997", "specs": [ "<6.4.7" ], "v": "<6.4.7" }, { "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868", "cve": "CVE-2023-28841", "id": "pyup.io-54995", "more_info_path": "/vulnerabilities/CVE-2023-28841/54995", "specs": [ "<6.4.7" ], "v": "<6.4.7" }, { "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868", "cve": "CVE-2023-28840", "id": "pyup.io-54979", "more_info_path": "/vulnerabilities/CVE-2023-28840/54979", "specs": [ "<6.4.7" ], "v": "<6.4.7" }, { "advisory": "Argo-workflows 6.5.0 (Python SDK) is compatible with Argo-workflows core v3.5.0, which fixes gRPC and HTTP2 high-severity vulnerabilities.\r\nhttps://github.com/argoproj/argo-workflows/pull/11986", "cve": "CVE-2023-44487", "id": "pyup.io-61812", "more_info_path": "/vulnerabilities/CVE-2023-44487/61812", "specs": [ "<6.5.0" ], "v": "<6.5.0" } ], "aries-cloudagent": [ { "advisory": "Affected versions of Aries-cloudagent are receiving unauthenticated DIDComm messages from connections in the invitation state.", "cve": "PVE-2024-72483", "id": "pyup.io-72483", "more_info_path": 
"/vulnerabilities/PVE-2024-72483/72483", "specs": [ "<0.11.2" ], "v": "<0.11.2" }, { "advisory": "Aries-cloudagent 0.12.0 upgrades its readthedocs-sphinx-search from 0.1.1 to 1.3.2 in response to GHSA-xgfm-fjx6-62mj: This vulnerability could have let attackers insert arbitrary HTML into search results via a crafted search query, due to inadequate escaping of user content.", "cve": "PVE-2024-67615", "id": "pyup.io-67615", "more_info_path": "/vulnerabilities/PVE-2024-67615/67615", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Aries-cloudagent is affected by a Insufficient Verification of Data Authenticity vulnerability. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation 'document.proof' was not factored into the final 'verified' value ('true'/'false') on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.\r\nhttps://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm", "cve": "CVE-2024-21669", "id": "pyup.io-64225", "more_info_path": "/vulnerabilities/CVE-2024-21669/64225", "specs": [ ">=0.7.0,<0.10.5", ">=0.11.0rc1,<0.11.0" ], "v": ">=0.7.0,<0.10.5,>=0.11.0rc1,<0.11.0" } ], "arjun": [ { "advisory": "Arjun 2.1.5 includes fixes for catastrophic backtracking vulnerabilities.\r\nhttps://github.com/s0md3v/Arjun/commit/0f5be57c3f82e6004f1224f9c797f2fca838493c", "cve": "PVE-2023-62351", "id": "pyup.io-62351", "more_info_path": "/vulnerabilities/PVE-2023-62351/62351", "specs": [ "<2.1.5" ], "v": "<2.1.5" } ], "arrayfire": [ { "advisory": "An issue was discovered in the arrayfire crate before 3.6.0 for Rust. 
Addition of the repr() attribute to an enum is mishandled, leading to memory corruption.", "cve": "CVE-2018-20998", "id": "pyup.io-54024", "more_info_path": "/vulnerabilities/CVE-2018-20998/54024", "specs": [ ">=0,<3.6.0" ], "v": ">=0,<3.6.0" } ], "arrendatools.plantillas": [ { "advisory": "Arrendatools.plantillas version 0.4.3 updates the plantilla to automatically escape content, setting autoscape to True.\r\nhttps://github.com/hokus15/ArrendaToolsPlantillas/commit/75878a8a5a2e505f8aaa7b86e2b764a42034d940", "cve": "PVE-2024-66926", "id": "pyup.io-66926", "more_info_path": "/vulnerabilities/PVE-2024-66926/66926", "specs": [ "<0.4.3" ], "v": "<0.4.3" } ], "arrnounced": [ { "advisory": "Arrnounced 0.4 replaces XML parser with defusedxml to prevent XML attacks.\r\nhttps://github.com/weannounce/arrnounced/commit/5a1d186b32162b317b1762b8602342b0b3050bda", "cve": "CVE-2013-1665", "id": "pyup.io-43754", "more_info_path": "/vulnerabilities/CVE-2013-1665/43754", "specs": [ "<0.4" ], "v": "<0.4" }, { "advisory": "Arrnounced 0.4 replaces XML parser with defusedxml to prevent XML attacks.\r\nhttps://github.com/weannounce/arrnounced/commit/5a1d186b32162b317b1762b8602342b0b3050bda", "cve": "CVE-2013-1664", "id": "pyup.io-54877", "more_info_path": "/vulnerabilities/CVE-2013-1664/54877", "specs": [ "<0.4" ], "v": "<0.4" } ], "arrow-pd-parser": [ { "advisory": "Arrow-pd-parser 1.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", "cve": "CVE-2021-41496", "id": "pyup.io-50592", "more_info_path": "/vulnerabilities/CVE-2021-41496/50592", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Arrow-pd-parser 1.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", "cve": "CVE-2021-34141", "id": "pyup.io-50586", "more_info_path": "/vulnerabilities/CVE-2021-34141/50586", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Arrow-pd-parser 1.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", "cve": "CVE-2021-41495", 
"id": "pyup.io-50591", "more_info_path": "/vulnerabilities/CVE-2021-41495/50591", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Arrow-pd-parser 2.0.0 updates its dependency 'pyarrow' to versions \">=14.0.0\" to include a security fix.", "cve": "CVE-2023-47248", "id": "pyup.io-62350", "more_info_path": "/vulnerabilities/CVE-2023-47248/62350", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "artifact-lab-3-package-24ddbc49": [ { "advisory": "The OpenSSF Package Analysis project identified 'artifact-lab-3-package-24ddbc49' @ 0.7.0 (pypi) as malicious.", "cve": "PVE-2024-73971", "id": "pyup.io-73971", "more_info_path": "/vulnerabilities/PVE-2024-73971/73971", "specs": [ "<=0", ">=0" ], "v": "<=0,>=0" } ], "artifact-lab-3-package-3eef6c2c": [ { "advisory": "The artifact-lab-3-package-3eef6c2c has been flagged as malicious due to communication with a domain linked to unauthorized activities, potentially compromising system security. The package contains malicious code, raising concerns about its integrity. Immediate action is required to remove this package and replace it with a trusted alternative to prevent unauthorized access and safeguard sensitive information.", "cve": "PVE-2024-72964", "id": "pyup.io-72964", "more_info_path": "/vulnerabilities/PVE-2024-72964/72964", "specs": [ ">=0", "<=0" ], "v": ">=0,<=0" } ], "artifact-lab-3-package-4c04b1a2": [ { "advisory": "Artifact-lab-3-package-4c04b1a2 communicates with a domain associated with malicious activity.", "cve": "PVE-2024-73279", "id": "pyup.io-73279", "more_info_path": "/vulnerabilities/PVE-2024-73279/73279", "specs": [ ">=0", "<=0" ], "v": ">=0,<=0" } ], "aryi": [ { "advisory": "Aryi is a malicious package. 
It steals users' credit card numbers and Discord tokens.\r\nhttps://www.bleepingcomputer.com/news/security/pypi-packages-caught-stealing-credit-card-numbers-discord-tokens/", "cve": "PVE-2022-45478", "id": "pyup.io-45478", "more_info_path": "/vulnerabilities/PVE-2022-45478/45478", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "asciidoc": [ { "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.", "cve": "PVE-2021-39514", "id": "pyup.io-39514", "more_info_path": "/vulnerabilities/PVE-2021-39514/39514", "specs": [ "<8.6.6" ], "v": "<8.6.6" } ], "asgi-csrf": [ { "advisory": "Cookie values in asgi-csrf 0.3 are now signed to prevent subdomain attacks. See also: .", "cve": "PVE-2021-38376", "id": "pyup.io-38376", "more_info_path": "/vulnerabilities/PVE-2021-38376/38376", "specs": [ "<0.3" ], "v": "<0.3" } ], "askbot": [ { "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Askbot before 0.7.49 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) tag or (2) user search forms.", "cve": "CVE-2014-2236", "id": "pyup.io-70425", "more_info_path": "/vulnerabilities/CVE-2014-2236/70425", "specs": [ "<0.7.49" ], "v": "<0.7.49" }, { "advisory": "Cross-site scripting (XSS) vulnerability in Askbot before 0.7.49 allows remote attackers to inject arbitrary web script or HTML via vectors related to the question search form.", "cve": "CVE-2014-2235", "id": "pyup.io-70426", "more_info_path": "/vulnerabilities/CVE-2014-2235/70426", "specs": [ "<0.7.49" ], "v": "<0.7.49" } ], "aspeak": [ { "advisory": "Aspeak 6.0.0 updates its dependency 'openssl' to version '0.10.55' to include a security fix.\r\nhttps://github.com/kxxt/aspeak/pull/76\r\nhttps://github.com/kxxt/aspeak/commit/17cbe32ed4c17bc57683688390691686946a4cbc\r\nhttps://github.com/advisories/GHSA-xcf7-rvmh-g6q4", "cve": "PVE-2023-59242", "id": "pyup.io-59242", "more_info_path": "/vulnerabilities/PVE-2023-59242/59242", 
"specs": [ "<6.0.0" ], "v": "<6.0.0" }, { "advisory": "Aspeak 6.0.1 updates CARGO dependencies to resolve a vulnerability affecting 'atty'.\r\nhttps://github.com/advisories/GHSA-g98v-hv3f-hcfr\r\nhttps://github.com/kxxt/aspeak/issues/79", "cve": "PVE-2023-61556", "id": "pyup.io-61556", "more_info_path": "/vulnerabilities/PVE-2023-61556/61556", "specs": [ "<6.0.1" ], "v": "<6.0.1" } ], "aspen": [ { "advisory": "Aspen 0.39 fixes two security bugs related to CRLF injection - https://github.com/gratipay/security-qf35us/issues/1", "cve": "PVE-2021-36873", "id": "pyup.io-36873", "more_info_path": "/vulnerabilities/PVE-2021-36873/36873", "specs": [ "<0.39" ], "v": "<0.39" }, { "advisory": "Aspen 0.42 protects against URL redirection attacks.\r\nhttps://github.com/AspenWeb/aspen.py/commit/3c98f54b431d1325f92923144027b942bf679896", "cve": "PVE-2021-36872", "id": "pyup.io-36872", "more_info_path": "/vulnerabilities/PVE-2021-36872/36872", "specs": [ "<0.42" ], "v": "<0.42" }, { "advisory": "Directory traversal vulnerability in Aspen before 0.22 allows remote attackers to read arbitrary files via a .. 
(dot dot) to the default URI.", "cve": "CVE-2013-2619", "id": "pyup.io-65806", "more_info_path": "/vulnerabilities/CVE-2013-2619/65806", "specs": [ ">=0.9.18,<0.22" ], "v": ">=0.9.18,<0.22" } ], "asterix-decoder": [ { "advisory": "Croatia Control Asterix 2.8.1 (python_v0.7.2) has a heap-based buffer over-read, with additional details to be disclosed at a later date.", "cve": "CVE-2021-44144", "id": "pyup.io-54135", "more_info_path": "/vulnerabilities/CVE-2021-44144/54135", "specs": [ ">=0,<0.7.2" ], "v": ">=0,<0.7.2" } ], "astrometry-net-client": [ { "advisory": "Astrometry-net-client 0.2.9 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3786", "id": "pyup.io-51919", "more_info_path": "/vulnerabilities/CVE-2022-3786/51919", "specs": [ "<0.2.9" ], "v": "<0.2.9" }, { "advisory": "Astrometry-net-client 0.2.9 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3602", "id": "pyup.io-52051", "more_info_path": "/vulnerabilities/CVE-2022-3602/52051", "specs": [ "<0.2.9" ], "v": "<0.2.9" } ], "astropy": [ { "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.", "cve": "CVE-2018-3848", "id": "pyup.io-35810", "more_info_path": "/vulnerabilities/CVE-2018-3848/35810", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.", "cve": "CVE-2018-3846", "id": "pyup.io-48550", "more_info_path": "/vulnerabilities/CVE-2018-3846/48550", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. 
This is to remedy a critical security vulnerability that was identified by NASA.", "cve": "CVE-2018-3849", "id": "pyup.io-48548", "more_info_path": "/vulnerabilities/CVE-2018-3849/48548", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Astropy 3.0.1 updates cfitsio to v3.43: NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.", "cve": "CVE-2019-1010060", "id": "pyup.io-70530", "more_info_path": "/vulnerabilities/CVE-2019-1010060/70530", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.", "cve": "CVE-2018-3847", "id": "pyup.io-48549", "more_info_path": "/vulnerabilities/CVE-2018-3847/48549", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. 
See CVE-2023-41334.", "cve": "CVE-2023-41334", "id": "pyup.io-66947", "more_info_path": "/vulnerabilities/CVE-2023-41334/66947", "specs": [ "<5.3.3" ], "v": "<5.3.3" }, { "advisory": "Astropy 5.1.1 and 5.0.5 update its JS dependency 'jquery' to v3.6.0 to include security fixes.", "cve": "CVE-2020-11022", "id": "pyup.io-52131", "more_info_path": "/vulnerabilities/CVE-2020-11022/52131", "specs": [ ">=5.1rc1,<5.1.1", "<5.0.5" ], "v": ">=5.1rc1,<5.1.1,<5.0.5" }, { "advisory": "Astropy 5.1.1 and 5.0.5 update its JS dependency 'jquery' to v3.6.0 to include security fixes.", "cve": "CVE-2020-11023", "id": "pyup.io-52172", "more_info_path": "/vulnerabilities/CVE-2020-11023/52172", "specs": [ ">=5.1rc1,<5.1.1", "<5.0.5" ], "v": ">=5.1rc1,<5.1.1,<5.0.5" } ], "async-batcher": [ { "advisory": "Async-batcher's update to a newer version of scikit-learn addresses CVE-2024-5206.", "cve": "CVE-2024-5206", "id": "pyup.io-73033", "more_info_path": "/vulnerabilities/CVE-2024-5206/73033", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Async-batcher's update to a newer version of idna addresses CVE-2024-3651.", "cve": "CVE-2024-3651", "id": "pyup.io-73013", "more_info_path": "/vulnerabilities/CVE-2024-3651/73013", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Async-batcher's update to a newer version of aiohttp addresses CVE-2024-27306.", "cve": "CVE-2024-27306", "id": "pyup.io-73032", "more_info_path": "/vulnerabilities/CVE-2024-27306/73032", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Async-batcher's update to a newer version of setuptools addresses CVE-2024-6345.", "cve": "CVE-2024-6345", "id": "pyup.io-73034", "more_info_path": "/vulnerabilities/CVE-2024-6345/73034", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Async-batcher's update to newer versions of aioboto3 and urllib3 addresses CVE-2024-37891.", "cve": "CVE-2024-37891", "id": "pyup.io-73035", "more_info_path": "/vulnerabilities/CVE-2024-37891/73035", "specs": [ "<0.2.1" ], "v": "<0.2.1" } 
], "async-firebase": [ { "advisory": "Async-firebase version 3.6.2 has updated its cryptography dependency to version 42.0.4 in response to the security vulnerability identified as CVE-2023-4807.", "cve": "CVE-2023-4807", "id": "pyup.io-65746", "more_info_path": "/vulnerabilities/CVE-2023-4807/65746", "specs": [ "<3.6.2" ], "v": "<3.6.2" } ], "async-search-client": [ { "advisory": "Async-search-client 0.5.1 updates the 'pydantic' dependency from 1.8.1 to 1.8.2 to fix a security vulnerability.", "cve": "CVE-2021-29510", "id": "pyup.io-40437", "more_info_path": "/vulnerabilities/CVE-2021-29510/40437", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "async-tkinter-loop": [ { "advisory": "Async-tkinter-loop 0.3.0 updates its dependency 'pillow' requirement to '^9.0.1' to include security fixes.", "cve": "CVE-2022-22816", "id": "pyup.io-49243", "more_info_path": "/vulnerabilities/CVE-2022-22816/49243", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Async-tkinter-loop 0.3.0 updates its dependency 'pillow' requirement to '^9.0.1' to include security fixes.", "cve": "CVE-2022-22815", "id": "pyup.io-49244", "more_info_path": "/vulnerabilities/CVE-2022-22815/49244", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Async-tkinter-loop 0.3.0 updates its dependency 'pillow' requirement to '^9.0.1' to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-49242", "more_info_path": "/vulnerabilities/CVE-2022-24303/49242", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Async-tkinter-loop 0.3.0 updates its dependency 'pillow' requirement to '^9.0.1' to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-49245", "more_info_path": "/vulnerabilities/CVE-2022-22817/49245", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "asyncio-proxy": [ { "advisory": "Asyncio-proxy is a malicious package. 
It requires 'aiotoolbox', that contains a custom script in setup.py that downloads malicious and obfuscated code.\r\nhttps://inspector.pypi.io/project/asyncio-proxy/1.2.2/packages/65/31/70c74eca514cbcce0cde8f2b42c7b534e42bad946cd9c0aa28774f982f47/asyncio-proxy-1.2.2.tar.gz/asyncio-proxy-1.2.2/asyncio_proxy.egg-info/requires.txt#line.1", "cve": "PVE-2023-53560", "id": "pyup.io-53561", "more_info_path": "/vulnerabilities/PVE-2023-53560/53561", "specs": [ ">=0" ], "v": ">=0" } ], "asyncpg": [ { "advisory": "Asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.", "cve": "CVE-2020-17446", "id": "pyup.io-42281", "more_info_path": "/vulnerabilities/CVE-2020-17446/42281", "specs": [ "<0.21.0" ], "v": "<0.21.0" } ], "asyncssh": [ { "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.", "cve": "CVE-2023-46446", "id": "pyup.io-65384", "more_info_path": "/vulnerabilities/CVE-2023-46446/65384", "specs": [ "<2.14.1" ], "v": "<2.14.1" }, { "advisory": "An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.", "cve": "CVE-2023-46445", "id": "pyup.io-65385", "more_info_path": "/vulnerabilities/CVE-2023-46445/65385", "specs": [ "<2.14.1" ], "v": "<2.14.1" }, { "advisory": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. 
This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms.", "cve": "CVE-2023-48795", "id": "pyup.io-65192", "more_info_path": "/vulnerabilities/CVE-2023-48795/65192", "specs": [ "<2.14.2" ], "v": "<2.14.2" }, { "advisory": "Asyncssh 2.5.0 added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks.\r\nhttps://github.com/ronf/asyncssh/commit/d0f0725371a5082f1b88b5c23b438c0edf07846a", "cve": "PVE-2021-39350", "id": "pyup.io-39350", "more_info_path": "/vulnerabilities/PVE-2021-39350/39350", "specs": [ "<2.5.0" ], "v": "<2.5.0" }, { "advisory": "The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.", "cve": "CVE-2018-7749", "id": "pyup.io-54029", "more_info_path": "/vulnerabilities/CVE-2018-7749/54029", "specs": [ ">=0,<1.12.1" ], "v": ">=0,<1.12.1" } ], "asyncua": [ { "advisory": "Asyncua 0.9.96 includes a fix for CVE-2023-26150: Improper Authentication such that it is possible to access Address Space without encryption and authentication. 
**Note:** This issue is a result of missing checks for services that require an active session.\r\nhttps://github.com/FreeOpcUa/opcua-asyncio/issues/1014", "cve": "CVE-2023-26150", "id": "pyup.io-61570", "more_info_path": "/vulnerabilities/CVE-2023-26150/61570", "specs": [ "<0.9.96" ], "v": "<0.9.96" }, { "advisory": "Asyncua 0.9.96 includes a fix for CVE-2023-26151: Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.\r\nhttps://github.com/FreeOpcUa/opcua-asyncio/commit/f6603daa34a93a658f0e176cb0b9ee5a6643b262", "cve": "CVE-2023-26151", "id": "pyup.io-61571", "more_info_path": "/vulnerabilities/CVE-2023-26151/61571", "specs": [ "<0.9.96" ], "v": "<0.9.96" }, { "advisory": "Asyncua 0.9.96 includes a fix for CVE-2022-25304: Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 
2GB each) without sending the Final closing chunk.\r\nhttps://github.com/FreeOpcUa/opcua-asyncio/commit/01c7acf047887b62d979cd4373d370e72a4b9057", "cve": "CVE-2022-25304", "id": "pyup.io-50830", "more_info_path": "/vulnerabilities/CVE-2022-25304/50830", "specs": [ "<0.9.96" ], "v": "<0.9.96" } ], "atlasapi": [ { "advisory": "Atlasapi 2.0.5 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-20270", "id": "pyup.io-51548", "more_info_path": "/vulnerabilities/CVE-2021-20270/51548", "specs": [ "<2.0.5" ], "v": "<2.0.5" }, { "advisory": "Atlasapi 2.0.5 updates its dependency 'sphinx' to v3.0.4 to include security fixes.", "cve": "CVE-2020-11023", "id": "pyup.io-51568", "more_info_path": "/vulnerabilities/CVE-2020-11023/51568", "specs": [ "<2.0.5" ], "v": "<2.0.5" }, { "advisory": "Atlasapi 2.0.5 updates its dependency 'sphinx' to v3.0.4 to include security fixes.", "cve": "CVE-2020-11022", "id": "pyup.io-51567", "more_info_path": "/vulnerabilities/CVE-2020-11022/51567", "specs": [ "<2.0.5" ], "v": "<2.0.5" }, { "advisory": "Atlasapi 2.0.5 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-27291", "id": "pyup.io-51566", "more_info_path": "/vulnerabilities/CVE-2021-27291/51566", "specs": [ "<2.0.5" ], "v": "<2.0.5" } ], "atproto": [ { "advisory": "Atproto 0.0.30 downgrades 'sphinxext-opengraph' to avoid including vulnerable dependencies, like pillow 9.5.0.\r\nhttps://github.com/MarshalX/atproto/pull/179", "cve": "CVE-2023-4863", "id": "pyup.io-62187", "more_info_path": "/vulnerabilities/CVE-2023-4863/62187", "specs": [ "<0.0.30" ], "v": "<0.0.30" } ], "att-iot-gateway": [ { "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.", "cve": "PVE-2021-34257", "id": "pyup.io-34257", "more_info_path": "/vulnerabilities/PVE-2021-34257/34257", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "attic": [ { "advisory": "attic before 0.15 does not confirm unencrypted backups with the user, which 
allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to \"unencrypted / without key file\".", "cve": "CVE-2015-4082", "id": "pyup.io-54103", "more_info_path": "/vulnerabilities/CVE-2015-4082/54103", "specs": [ ">=0,<0.15" ], "v": ">=0,<0.15" } ], "attpc-spyral": [ { "advisory": "The Attpc-spyral project has upgraded JupyterLab from version 4.1.6 to 4.2.5 to address the security vulnerability identified as CVE-2024-43805.", "cve": "CVE-2024-43805", "id": "pyup.io-73454", "more_info_path": "/vulnerabilities/CVE-2024-43805/73454", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "aubio": [ { "advisory": "In aubio 0.4.6, a divide-by-zero error exists in the function new_aubio_source_wavread() in source_wavread.c, which may lead to DoS when playing a crafted audio file.", "cve": "CVE-2017-17054", "id": "pyup.io-53942", "more_info_path": "/vulnerabilities/CVE-2017-17054/53942", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.", "cve": "CVE-2018-14522", "id": "pyup.io-54008", "more_info_path": "/vulnerabilities/CVE-2018-14522/54008", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes.", "cve": "CVE-2018-14523", "id": "pyup.io-54006", "more_info_path": "/vulnerabilities/CVE-2018-14523/54006", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "An issue was discovered in aubio 0.4.6. 
A SEGV signal can occur in aubio_source_avcodec_readframe in io/source_avcodec.c, as demonstrated by aubiomfcc.", "cve": "CVE-2018-14521", "id": "pyup.io-54007", "more_info_path": "/vulnerabilities/CVE-2018-14521/54007", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "The swri_audio_convert function in audioconvert.c in FFmpeg libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.", "cve": "CVE-2017-17555", "id": "pyup.io-53945", "more_info_path": "/vulnerabilities/CVE-2017-17555/53945", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "A NULL pointer dereference (DoS) Vulnerability was found in the function aubio_source_avcodec_readframe in io/source_avcodec.c of aubio 0.4.6, which may lead to DoS when playing a crafted audio file.", "cve": "CVE-2017-17554", "id": "pyup.io-53944", "more_info_path": "/vulnerabilities/CVE-2017-17554/53944", "specs": [ ">=0,<0.4.7" ], "v": ">=0,<0.4.7" }, { "advisory": "aubio v0.4.0 to v0.4.8 has a new_aubio_onset NULL pointer dereference.", "cve": "CVE-2018-19802", "id": "pyup.io-54019", "more_info_path": "/vulnerabilities/CVE-2018-19802/54019", "specs": [ ">=0.4.0,<0.4.9" ], "v": ">=0.4.0,<0.4.9" }, { "advisory": "aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in new_aubio_filterbank via invalid n_filters.", "cve": "CVE-2018-19801", "id": "pyup.io-54018", "more_info_path": "/vulnerabilities/CVE-2018-19801/54018", "specs": [ ">=0.4.0,<0.4.9" ], "v": ">=0.4.0,<0.4.9" }, { "advisory": "aubio v0.4.0 to v0.4.8 has a Buffer Overflow in new_aubio_tempo.", "cve": "CVE-2018-19800", "id": "pyup.io-54016", "more_info_path": "/vulnerabilities/CVE-2018-19800/54016", "specs": [ ">=0.4.0,<0.4.9" ], "v": ">=0.4.0,<0.4.9" } ], "aucmedi": [ { "advisory": "Aucmedi 0.7.2 updates its dependency 'protobuf' to v3.20.2 to include a security fix.", "cve": 
"CVE-2022-1941", "id": "pyup.io-51287", "more_info_path": "/vulnerabilities/CVE-2022-1941/51287", "specs": [ "<0.7.2" ], "v": "<0.7.2" }, { "advisory": "Aucmedi version 0.9.0 upgrades its Pillow dependency to version 10.2.0 from 9.3.0 in response to CVE-2023-50447.", "cve": "CVE-2023-50447", "id": "pyup.io-65619", "more_info_path": "/vulnerabilities/CVE-2023-50447/65619", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "audaugio": [ { "advisory": "Audagio and prior versions ship with vulnerable dependencies (SoX == 1.3.3).\r\nIn SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.\r\nhttps://github.com/BrianMargolis/AudAugio/blob/master/requirements.txt", "cve": "CVE-2022-31651", "id": "pyup.io-62530", "more_info_path": "/vulnerabilities/CVE-2022-31651/62530", "specs": [ "<0.0.2a0" ], "v": "<0.0.2a0" }, { "advisory": "In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a.", "cve": "CVE-2022-31650", "id": "pyup.io-62529", "more_info_path": "/vulnerabilities/CVE-2022-31650/62529", "specs": [ "<0.0.2a0" ], "v": "<0.0.2a0" } ], "auditree-framework": [ { "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by the 'bandit'.", "cve": "PVE-2021-40445", "id": "pyup.io-40445", "more_info_path": "/vulnerabilities/PVE-2021-40445/40445", "specs": [ "<1.19.0" ], "v": "<1.19.0" } ], "augmenty": [ { "advisory": "Augmenty 1.0.0 upgrades the dependency pydantic version from >=1.7.4,!=1.8,!=1.8.1,<1.9.0 to >=1.8.2,<1.9.0. \r\nhttps://data.safetycli.com/packages/pypi/pydantic/versions\r\nhttps://github.com/KennethEnevoldsen/augmenty/commit/34821e38d3004919922a56c04ad43450550c2591", "cve": "PVE-2023-62782", "id": "pyup.io-62782", "more_info_path": "/vulnerabilities/PVE-2023-62782/62782", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "aumbry": [ { "advisory": "Aumbry 0.10.0 includes a security patch for the function 'parse' in 'aumbry/formats/yml.py'. 
It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/pyarmory/aumbry/commit/5b1cd2e4296d3cfb10a6d1bd02cd5b4ecb0f0bcd", "cve": "CVE-2017-18342", "id": "pyup.io-41307", "more_info_path": "/vulnerabilities/CVE-2017-18342/41307", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Aumbry 0.10.0 and prior uses yaml.full_load(), which is vulnerable to CVE-2020-14343.", "cve": "CVE-2020-14343", "id": "pyup.io-41759", "more_info_path": "/vulnerabilities/CVE-2020-14343/41759", "specs": [ "<=0.10.0" ], "v": "<=0.10.0" } ], "austin-tui": [ { "advisory": "Austin-tui 1.1.1 updates its dependency 'lxml' to v4.6.5 to include a security fix.", "cve": "CVE-2021-43818", "id": "pyup.io-43620", "more_info_path": "/vulnerabilities/CVE-2021-43818/43620", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "authbwc": [ { "advisory": "Authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. 
The user would have had to be sharing the same http session for this access to have been gained.", "cve": "PVE-2021-25631", "id": "pyup.io-25631", "more_info_path": "/vulnerabilities/PVE-2021-25631/25631", "specs": [ "<0.1.4" ], "v": "<0.1.4" }, { "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.\r\nhttps://github.com/blazelibs/authbwc/commit/452f9651309ae5933d22c6f5aedf044ab7f05368", "cve": "PVE-2021-34836", "id": "pyup.io-34836", "more_info_path": "/vulnerabilities/PVE-2021-34836/34836", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "authentication-factory": [ { "advisory": "Authentication-factory has been updated to use certifi package version 2024.7.4 to address a vulnerability identified as CVE-2024-39689.", "cve": "CVE-2024-39689", "id": "pyup.io-72218", "more_info_path": "/vulnerabilities/CVE-2024-39689/72218", "specs": [ "<0.0.5" ], "v": "<0.0.5" } ], "authlib": [ { "advisory": "Authlib 0.15.4 includes a security fix when jwt claims is None.\r\nhttps://github.com/lepture/authlib/commit/262c37268c77a5da8fae80710a93d2d65a373ab7", "cve": "PVE-2022-51634", "id": "pyup.io-51634", "more_info_path": "/vulnerabilities/PVE-2022-51634/51634", "specs": [ "<0.15.4" ], "v": "<0.15.4" }, { "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39174.\r\nhttps://github.com/lepture/authlib/commit/3a382780907226d99c09606aac78e29fe5bd3bf6", "cve": "CVE-2022-39174", "id": "pyup.io-51646", "more_info_path": "/vulnerabilities/CVE-2022-39174/51646", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Authlib 1.1.0 includes a fix for CVE-2022-39175.\r\nhttps://github.com/lepture/authlib/commit/80b0808263c6ce88335532b78e62bf2522593390", "cve": "CVE-2022-39175", "id": "pyup.io-51645", "more_info_path": "/vulnerabilities/CVE-2022-39175/51645", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Affected versions of Authlib have an algorithm confusion vulnerability in asymmetric public keys. 
Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663.", "cve": "CVE-2024-37568", "id": "pyup.io-71636", "more_info_path": "/vulnerabilities/CVE-2024-37568/71636", "specs": [ "<1.3.1" ], "v": "<1.3.1" } ], "auto-optional": [ { "advisory": "Auto-optional 0.3.2 updates its dependency 'mkdocs' to v1.2.3 to include a security fix.", "cve": "CVE-2021-40978", "id": "pyup.io-44586", "more_info_path": "/vulnerabilities/CVE-2021-40978/44586", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "auto-surprise": [ { "advisory": "Auto-surprise 0.1.7 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-20270", "id": "pyup.io-44807", "more_info_path": "/vulnerabilities/CVE-2021-20270/44807", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Auto-surprise 0.1.7 updates its dependency 'pyyaml' to v5.4 to include a security fix.", "cve": "CVE-2020-14343", "id": "pyup.io-44809", "more_info_path": "/vulnerabilities/CVE-2020-14343/44809", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Auto-surprise 0.1.7 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-28493", "id": "pyup.io-40146", "more_info_path": "/vulnerabilities/CVE-2020-28493/40146", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Auto-surprise 0.1.7 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-27291", "id": "pyup.io-44808", "more_info_path": "/vulnerabilities/CVE-2021-27291/44808", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "autobahn": [ { "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", "cve": "PVE-2021-25632", "id": "pyup.io-25632", "more_info_path": "/vulnerabilities/PVE-2021-25632/25632", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Autobahn 
0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.\r\nhttps://github.com/advisories/GHSA-xm8r-5wh6-f46f", "cve": "PVE-2021-25633", "id": "pyup.io-25633", "more_info_path": "/vulnerabilities/PVE-2021-25633/25633", "specs": [ "<0.6.4" ], "v": "<0.6.4" }, { "advisory": "Autobahn|Python before 20.12.3 allows redirect header injection. See CVE-2020-35678.", "cve": "CVE-2020-35678", "id": "pyup.io-39363", "more_info_path": "/vulnerabilities/CVE-2020-35678/39363", "specs": [ "<20.12.3" ], "v": "<20.12.3" } ], "autocrop": [ { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-5313", "id": "pyup.io-42933", "more_info_path": "/vulnerabilities/CVE-2020-5313/42933", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-15999", "id": "pyup.io-42851", "more_info_path": "/vulnerabilities/CVE-2020-15999/42851", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-11538", "id": "pyup.io-42934", "more_info_path": "/vulnerabilities/CVE-2020-11538/42934", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-35655", "id": "pyup.io-42940", "more_info_path": "/vulnerabilities/CVE-2020-35655/42940", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-35654", "id": "pyup.io-42938", "more_info_path": "/vulnerabilities/CVE-2020-35654/42938", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum 
requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-5310", "id": "pyup.io-42932", "more_info_path": "/vulnerabilities/CVE-2020-5310/42932", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-10379", "id": "pyup.io-42935", "more_info_path": "/vulnerabilities/CVE-2020-10379/42935", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-10994", "id": "pyup.io-42937", "more_info_path": "/vulnerabilities/CVE-2020-10994/42937", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-10378", "id": "pyup.io-42936", "more_info_path": "/vulnerabilities/CVE-2020-10378/42936", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Autocrop 1.1.1 updates the minimum requirement of its dependency 'pillow' to v8.1.0 to include security fixes.", "cve": "CVE-2020-35653", "id": "pyup.io-42939", "more_info_path": "/vulnerabilities/CVE-2020-35653/42939", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "autogen": [ { "advisory": "The affected version of Autogen has a security flaw that allows code execution via code_execution_config, which is fixed by setting code_execution_config to False instead of None.", "cve": "PVE-2024-73068", "id": "pyup.io-73068", "more_info_path": "/vulnerabilities/PVE-2024-73068/73068", "specs": [ "<0.2.11" ], "v": "<0.2.11" } ], "autogluon": [ { "advisory": "Autogluon 0.4.1 updates its dependency 'pillow' minimum requirement to v9.0.1 to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-48597", "more_info_path": "/vulnerabilities/CVE-2022-22817/48597", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Autogluon 
0.4.1 updates its dependency 'pillow' minimum requirement to v9.0.1 to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-48619", "more_info_path": "/vulnerabilities/CVE-2022-24303/48619", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Autogluon 0.5.3 updates its dependency 'transformers' requirement to \">=4.23.0,<4.24.0\" to include security fixes.", "cve": "PVE-2022-51450", "id": "pyup.io-51940", "more_info_path": "/vulnerabilities/PVE-2022-51450/51940", "specs": [ "<0.5.3" ], "v": "<0.5.3" }, { "advisory": "Autogluon 0.5.3 updates its dependency 'transformers' requirement to \">=4.23.0,<4.24.0\" to include security fixes.", "cve": "CVE-2022-1941", "id": "pyup.io-51994", "more_info_path": "/vulnerabilities/CVE-2022-1941/51994", "specs": [ "<0.5.3" ], "v": "<0.5.3" }, { "advisory": "Autogluon 0.6.0 uses yaml.safe_load() to avoid a code execution vulnerability.\r\nhttps://github.com/autogluon/autogluon/pull/1987", "cve": "CVE-2017-18342", "id": "pyup.io-51918", "more_info_path": "/vulnerabilities/CVE-2017-18342/51918", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Autogluon 0.6.1 updates its dependency 'pillow' requirement to '>=9.3.0' to include security fixes.", "cve": "CVE-2022-45198", "id": "pyup.io-52534", "more_info_path": "/vulnerabilities/CVE-2022-45198/52534", "specs": [ "<0.6.1" ], "v": "<0.6.1" }, { "advisory": "Autogluon 0.6.1 updates its dependency 'pillow' requirement to '>=9.3.0' to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-52411", "more_info_path": "/vulnerabilities/CVE-2022-24303/52411", "specs": [ "<0.6.1" ], "v": "<0.6.1" }, { "advisory": "Autogluon 0.6.2 updates its dependency 'torch' to v0.13.1 to include a security fix.", "cve": "CVE-2022-45907", "id": "pyup.io-52772", "more_info_path": "/vulnerabilities/CVE-2022-45907/52772", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.", 
"cve": "CVE-2021-45046", "id": "pyup.io-48622", "more_info_path": "/vulnerabilities/CVE-2021-45046/48622", "specs": [ ">=0.4.0,<0.4.1" ], "v": ">=0.4.0,<0.4.1" }, { "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.", "cve": "CVE-2021-44832", "id": "pyup.io-48624", "more_info_path": "/vulnerabilities/CVE-2021-44832/48624", "specs": [ ">=0.4.0,<0.4.1" ], "v": ">=0.4.0,<0.4.1" }, { "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.", "cve": "PVE-2021-42426", "id": "pyup.io-48620", "more_info_path": "/vulnerabilities/PVE-2021-42426/48620", "specs": [ ">=0.4.0,<0.4.1" ], "v": ">=0.4.0,<0.4.1" }, { "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.", "cve": "CVE-2021-45105", "id": "pyup.io-48623", "more_info_path": "/vulnerabilities/CVE-2021-45105/48623", "specs": [ ">=0.4.0,<0.4.1" ], "v": ">=0.4.0,<0.4.1" }, { "advisory": "Autogluon 0.4.1 updates its dependency 'ray' minimum requirement to v1.10.0 to include security fixes.", "cve": "CVE-2021-44228", "id": "pyup.io-48621", "more_info_path": "/vulnerabilities/CVE-2021-44228/48621", "specs": [ ">=0.4.0,<0.4.1" ], "v": ">=0.4.0,<0.4.1" }, { "advisory": "The autogluon.multimodal module has a vulnerability due to the incorrect neutralization of special elements utilized in an operating system command. 
This issue is identified as an 'OS Command Injection'.", "cve": "PVE-2023-99929", "id": "pyup.io-61945", "more_info_path": "/vulnerabilities/PVE-2023-99929/61945", "specs": [ ">=0.4.0,<0.4.3", ">=0.5.0,<0.5.2" ], "v": ">=0.4.0,<0.4.3,>=0.5.0,<0.5.2" }, { "advisory": "Autogluon 0.5.2 and 0.4.3 use yaml.safe_load() to prevent a code injection vulnerability.\r\nhttps://github.com/awslabs/autogluon/commit/23a37e74e58d03055c84a1b89c5af6c3db296b5e", "cve": "PVE-2022-50305", "id": "pyup.io-50305", "more_info_path": "/vulnerabilities/PVE-2022-50305/50305", "specs": [ ">=0.5.0a0,<0.5.2", "<0.4.3" ], "v": ">=0.5.0a0,<0.5.2,<0.4.3" } ], "autogluon-multimodal": [ { "advisory": "The autogluon.multimodal module has a vulnerability due to the incorrect neutralization of special elements utilized in an operating system command. This issue is identified as an 'OS Command Injection'.", "cve": "PVE-2023-99930", "id": "pyup.io-61944", "more_info_path": "/vulnerabilities/PVE-2023-99930/61944", "specs": [ ">=0.4.0,<0.4.3", ">=0.5.0,<0.5.2" ], "v": ">=0.4.0,<0.4.3,>=0.5.0,<0.5.2" } ], "autogluon.multimodal": [ { "advisory": "Autogluon.multimodal 0.4.3 and 0.5.2 include a security fix: Unsafe yaml deserialization in autogluon.multimodal.\r\nhttps://github.com/autogluon/autogluon/security/advisories/GHSA-6h2x-4gjf-jc5w", "cve": "CVE-2017-18342", "id": "pyup.io-55170", "more_info_path": "/vulnerabilities/CVE-2017-18342/55170", "specs": [ ">=0.4.0,<0.4.3", ">=0.5.0,<0.5.2" ], "v": ">=0.4.0,<0.4.3,>=0.5.0,<0.5.2" } ], "automationhat": [ { "advisory": "Automationhat version 0.2.0 improves thread safety by making ads1015.read() function thread-safe, particularly when \"auto_lights\" is activated. 
Previously, asynchronous reads from the \"update_lights\" thread interfered with main thread ADC reads, leading to random erroneous readings.", "cve": "PVE-2024-70556", "id": "pyup.io-70556", "more_info_path": "/vulnerabilities/PVE-2024-70556/70556", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "automatoes": [ { "advisory": "Automatoes 0.9.7 updates its dependency 'cryptography' to v3.4.4 to include a security fix.", "cve": "CVE-2020-36242", "id": "pyup.io-52585", "more_info_path": "/vulnerabilities/CVE-2020-36242/52585", "specs": [ "<0.9.7" ], "v": "<0.9.7" } ], "autonicer": [ { "advisory": "Autonicer 1.2.1 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", "cve": "CVE-2022-23491", "id": "pyup.io-52774", "more_info_path": "/vulnerabilities/CVE-2022-23491/52774", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "av": [ { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27841", "id": "pyup.io-45831", "more_info_path": "/vulnerabilities/CVE-2020-27841/45831", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2019-12973", "id": "pyup.io-45830", "more_info_path": "/vulnerabilities/CVE-2019-12973/45830", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27824", "id": "pyup.io-45832", "more_info_path": "/vulnerabilities/CVE-2020-27824/45832", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [gnutls].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2021-20232", "id": "pyup.io-45836", "more_info_path": "/vulnerabilities/CVE-2021-20232/45836", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 
updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27845", "id": "pyup.io-45833", "more_info_path": "/vulnerabilities/CVE-2020-27845/45833", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-8112", "id": "pyup.io-45822", "more_info_path": "/vulnerabilities/CVE-2020-8112/45822", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [wavpack].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-35738", "id": "pyup.io-45838", "more_info_path": "/vulnerabilities/CVE-2020-35738/45838", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27814", "id": "pyup.io-45826", "more_info_path": "/vulnerabilities/CVE-2020-27814/45826", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-15389", "id": "pyup.io-45828", "more_info_path": "/vulnerabilities/CVE-2020-15389/45828", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-6851", "id": "pyup.io-45827", "more_info_path": "/vulnerabilities/CVE-2020-6851/45827", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [gmp].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2021-43618", "id": "pyup.io-45837", "more_info_path": "/vulnerabilities/CVE-2021-43618/45837", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to 
include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27843", "id": "pyup.io-45829", "more_info_path": "/vulnerabilities/CVE-2020-27843/45829", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27842", "id": "pyup.io-45834", "more_info_path": "/vulnerabilities/CVE-2020-27842/45834", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27823", "id": "pyup.io-45825", "more_info_path": "/vulnerabilities/CVE-2020-27823/45825", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2020-27844", "id": "pyup.io-45824", "more_info_path": "/vulnerabilities/CVE-2020-27844/45824", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.0.1 updates wheel components to include security fixes [gnutls].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901", "cve": "CVE-2021-20231", "id": "pyup.io-45835", "more_info_path": "/vulnerabilities/CVE-2021-20231/45835", "specs": [ "<9.0.1" ], "v": "<9.0.1" }, { "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02", "cve": "CVE-2022-23308", "id": "pyup.io-47836", "more_info_path": "/vulnerabilities/CVE-2022-23308/47836", "specs": [ "<9.1.0" ], "v": "<9.1.0" }, { "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02", "cve": "CVE-2018-10393", "id": "pyup.io-47835", "more_info_path": "/vulnerabilities/CVE-2018-10393/47835", "specs": [ "<9.1.0" ], "v": "<9.1.0" 
}, { "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02", "cve": "CVE-2020-26682", "id": "pyup.io-47837", "more_info_path": "/vulnerabilities/CVE-2020-26682/47837", "specs": [ "<9.1.0" ], "v": "<9.1.0" }, { "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02", "cve": "CVE-2018-10392", "id": "pyup.io-47802", "more_info_path": "/vulnerabilities/CVE-2018-10392/47802", "specs": [ "<9.1.0" ], "v": "<9.1.0" } ], "avocado-framework": [ { "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue that had potential security implications.", "cve": "PVE-2021-34679", "id": "pyup.io-34679", "more_info_path": "/vulnerabilities/PVE-2021-34679/34679", "specs": [ "<0.17.0" ], "v": "<0.17.0" }, { "advisory": "Avocado-framework version 104.0 replaces the deprecated tempfile.mktemp function, which has been known for security vulnerabilities since Python 2.3, with the more secure tmpdir method.\r\nhttps://github.com/avocado-framework/avocado/commit/f4ffe822232bfa2a0567fb82a7b178dec0f6f371", "cve": "PVE-2024-66798", "id": "pyup.io-66798", "more_info_path": "/vulnerabilities/PVE-2024-66798/66798", "specs": [ "<104.0" ], "v": "<104.0" }, { "advisory": "Avocado-framework 37.0 allows for proper checks of host keys to avoid man-in-the-middle attacks which could lead to connecting and sending credentials to the wrong machine.", "cve": "PVE-2021-34678", "id": "pyup.io-34678", "more_info_path": "/vulnerabilities/PVE-2021-34678/34678", "specs": [ "<37.0" ], "v": "<37.0" } ], "avogadro": [ { "advisory": "Avogadro 1.97 switches to a new clang-tidy script for secure pull-request comments.\r\nhttps://github.com/OpenChemistry/avogadrolibs/pull/988", "cve": "PVE-2022-50249", "id": "pyup.io-50249", "more_info_path": "/vulnerabilities/PVE-2022-50249/50249", 
"specs": [ "<1.97" ], "v": "<1.97" } ], "awkward": [ { "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.", "cve": "PVE-2021-37154", "id": "pyup.io-37154", "more_info_path": "/vulnerabilities/PVE-2021-37154/37154", "specs": [ "<0.10.1" ], "v": "<0.10.1" } ], "aws-analytics-reference-architecture": [ { "advisory": "Aws-analytics-reference-architecture 1.1.1 updates its dependency 'xmldom' to v0.7.0 to include a security fix.", "cve": "CVE-2021-32796", "id": "pyup.io-41196", "more_info_path": "/vulnerabilities/CVE-2021-32796/41196", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d", "cve": "CVE-2021-44228", "id": "pyup.io-43972", "more_info_path": "/vulnerabilities/CVE-2021-44228/43972", "specs": [ "<1.8.8" ], "v": "<1.8.8" }, { "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d", "cve": "CVE-2021-45105", "id": "pyup.io-44480", "more_info_path": "/vulnerabilities/CVE-2021-45105/44480", "specs": [ "<1.8.8" ], "v": "<1.8.8" }, { "advisory": "Aws-analytics-reference-architecture 1.8.8 updates its dependency 'log4j' and its references to v2.17.0 to fix critical security vulnerabilities.\r\nhttps://github.com/aws-samples/aws-analytics-reference-architecture/commit/c2c18615602c48f19be5a34dde6a8569f2fdfe0d", "cve": "CVE-2021-45046", "id": "pyup.io-44479", "more_info_path": "/vulnerabilities/CVE-2021-45046/44479", "specs": [ "<1.8.8" ], "v": "<1.8.8" }, { "advisory": "Aws-analytics-reference-architecture 2.4.1 updates 
its Maven dependency \"hadoop-common\" to v2.10.2 to include a security fix.", "cve": "CVE-2022-25168", "id": "pyup.io-51165", "more_info_path": "/vulnerabilities/CVE-2022-25168/51165", "specs": [ "<2.4.1" ], "v": "<2.4.1" }, { "advisory": "Aws-analytics-reference-architecture 1.14.1 and prior include a version of 'log4j' affected by a medium severity vulnerability.", "cve": "CVE-2021-44832", "id": "pyup.io-44481", "more_info_path": "/vulnerabilities/CVE-2021-44832/44481", "specs": [ "<=1.14.1" ], "v": "<=1.14.1" } ], "aws-encryption-sdk": [ { "advisory": "Aws-encryption-sdk versions 1.9.0 and 2.2.0 improve the decryption process to handle signature and message validation vulnerabilities.\r\nhttps://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-x5h4-9gqw-942j", "cve": "PVE-2021-41848", "id": "pyup.io-41848", "more_info_path": "/vulnerabilities/PVE-2021-41848/41848", "specs": [ "<1.9.0", ">=2.0.0,<2.2.0" ], "v": "<1.9.0,>=2.0.0,<2.2.0" }, { "advisory": "Aws-encryption-sdk 2.0.0 includes a fix for CVE-2020-8897: A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and JavaScript prior to versions 2.0.0. 
Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique ciphertext which will decrypt to multiple different results; this becomes especially relevant in a multi-recipient setting.\r\nhttps://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf", "cve": "CVE-2020-8897", "id": "pyup.io-39129", "more_info_path": "/vulnerabilities/CVE-2020-8897/39129", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "aws-encryption-sdk-cli": [ { "advisory": "Aws-encryption-sdk-cli 1.8.0 and 2.1.0 include a security fix: CLI does not correctly implement strict mode.\r\nhttps://github.com/advisories/GHSA-2xwp-m7mq-7q3r", "cve": "PVE-2023-55097", "id": "pyup.io-55097", "more_info_path": "/vulnerabilities/PVE-2023-55097/55097", "specs": [ "<1.8.0", ">=2.0.0,<2.1.0" ], "v": "<1.8.0,>=2.0.0,<2.1.0" }, { "advisory": "Aws-encryption-sdk-cli versions 1.9.0 and 2.2.0 address several low severity issues related to streaming signed messages and restricting processing of certain types of invalid messages. See https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-89v2-g37m-g3ff", "cve": "PVE-2021-42633", "id": "pyup.io-42633", "more_info_path": "/vulnerabilities/PVE-2021-42633/42633", "specs": [ "<1.9.0", ">=2.0.0,<2.2.0" ], "v": "<1.9.0,>=2.0.0,<2.2.0" }, { "advisory": "Aws-encryption-sdk-cli 4.1.0 no longer supports Python 3.5. 
The mentioned Python version doesn't receive security updates anymore.", "cve": "CVE-2020-27619", "id": "pyup.io-42631", "more_info_path": "/vulnerabilities/CVE-2020-27619/42631", "specs": [ "<4.1.0" ], "v": "<4.1.0" } ], "aws-kinesis-consumer": [ { "advisory": "Aws-kinesis-consumer 1.4.0 updates its dependency 'urllib3' to v1.26.4 to include a security fix.", "cve": "CVE-2021-28363", "id": "pyup.io-47023", "more_info_path": "/vulnerabilities/CVE-2021-28363/47023", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { "advisory": "Aws-kinesis-consumer 1.4.1 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-47022", "more_info_path": "/vulnerabilities/CVE-2021-33503/47022", "specs": [ "<1.4.1" ], "v": "<1.4.1" } ], "aws-login0tool": [ { "advisory": "Aws-login0tool is a typosquatting package. It installs a trojan in your system that leaks your data.\r\nhttps://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2", "cve": "PVE-2022-45441", "id": "pyup.io-45441", "more_info_path": "/vulnerabilities/PVE-2022-45441/45441", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "aws-parallelcluster": [ { "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. 
Credentials can now be set up following the canonical procedure used for the AWS CLI.", "cve": "PVE-2021-37211", "id": "pyup.io-37211", "more_info_path": "/vulnerabilities/PVE-2021-37211/37211", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Aws-parallelcluster 3.1.1 limits privileges associated with IAM Policies created within the cluster.\r\nhttps://github.com/aws/aws-parallelcluster/pull/3678", "cve": "PVE-2022-44934", "id": "pyup.io-44934", "more_info_path": "/vulnerabilities/PVE-2022-44934/44934", "specs": [ "<3.1.1" ], "v": "<3.1.1" }, { "advisory": "Aws-parallelcluster 3.2.1 updates Python from 3.7.10 to 3.7.13 to include a fix for CVE-2021-3737.", "cve": "CVE-2021-3737", "id": "pyup.io-51655", "more_info_path": "/vulnerabilities/CVE-2021-3737/51655", "specs": [ "<3.2.1" ], "v": "<3.2.1" } ], "aws-parallelcluster-node": [ { "advisory": "Aws-parallelcluster-node 3.5.0 adds validators to prevent malicious string injection.\r\nhttps://github.com/aws/aws-parallelcluster-node/commit/47012a17bd053211841e5fc37922164434623689", "cve": "PVE-2023-53391", "id": "pyup.io-53391", "more_info_path": "/vulnerabilities/PVE-2023-53391/53391", "specs": [ "<3.5.0" ], "v": "<3.5.0" } ], "aws-s3-tools": [ { "advisory": "Aws-s3-tools 0.1.0 and prior use 'ujson==5.1.0', which has an unfixed vulnerability fully affecting availability.\r\nhttps://github.com/ultrajson/ultrajson/pull/504", "cve": "CVE-2021-45958", "id": "pyup.io-44797", "more_info_path": "/vulnerabilities/CVE-2021-45958/44797", "specs": [ "<=0.1.0" ], "v": "<=0.1.0" } ], "aws-sam-cli": [ { "advisory": "The AWS Serverless Application Model (SAM) CLI, an open-source tool for building and deploying serverless applications on AWS, has a vulnerability in affected versions. When using the DockerBuildArgs parameter, sensitive data specified there may be exposed in clear text via STDERR during the sam build command. This could potentially reveal secrets to unauthorized parties. 
AWS recommends upgrading to SAM CLI v1.122.0 or later, which includes a patch for this issue. Users should review their logs if they've used DockerBuildArgs and consider rotating any potentially exposed secrets.", "cve": "PVE-2024-73183", "id": "pyup.io-73183", "more_info_path": "/vulnerabilities/PVE-2024-73183/73183", "specs": [ "<1.122.0" ], "v": "<1.122.0" }, { "advisory": "Aws-sam-cli 1.51.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/aws/aws-sam-cli/pull/3905", "cve": "PVE-2023-59624", "id": "pyup.io-59624", "more_info_path": "/vulnerabilities/PVE-2023-59624/59624", "specs": [ "<1.51.0" ], "v": "<1.51.0" } ], "aws-v4signer": [ { "advisory": "Aws-v4signer version 0.6 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2020-14343", "id": "pyup.io-49033", "more_info_path": "/vulnerabilities/CVE-2020-14343/49033", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Aws-v4signer version 0.6 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2020-1747", "id": "pyup.io-49034", "more_info_path": "/vulnerabilities/CVE-2020-1747/49034", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Aws-v4signer version 0.6 updates its dependency 'pylint' to v2.5.3 to include a security fix.", "cve": "PVE-2021-38224", "id": "pyup.io-49035", "more_info_path": "/vulnerabilities/PVE-2021-38224/49035", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Aws-v4signer version 0.6 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2019-20477", "id": "pyup.io-42019", "more_info_path": "/vulnerabilities/CVE-2019-20477/42019", "specs": [ "<0.6" ], "v": "<0.6" } ], "awsapilib": [ { "advisory": "Awsapilib 0.5.1 checks if the CSRF token retrieved has no value.\r\nhttps://github.com/schubergphilis/awsapilib/commit/73008b21d6995da2bd5e533fb0ed4216ca9d505b", "cve": "PVE-2022-48281", "id": "pyup.io-48281", "more_info_path": "/vulnerabilities/PVE-2022-48281/48281", "specs": [ "<0.5.1" 
], "v": "<0.5.1" } ], "awscl": [ { "advisory": "Awscl is a malicious package, typosquatting the popular package 'awscli'. It contains a base64 encoded payload in its '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53219", "id": "pyup.io-53219", "more_info_path": "/vulnerabilities/PVE-2023-53219/53219", "specs": [ ">=0" ], "v": ">=0" } ], "awscli": [ { "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.\r\nhttps://github.com/aws/aws-cli/commit/6080bb0b302b59149a305bfa0a6a7c92a07d1ea5", "cve": "PVE-2021-34627", "id": "pyup.io-34627", "more_info_path": "/vulnerabilities/PVE-2021-34627/34627", "specs": [ "<1.11.83" ], "v": "<1.11.83" }, { "advisory": "Awscli 1.16.213 includes a fix for a Race Condition vulnerability on Windows clients.\r\nhttps://github.com/aws/aws-cli/issues/4247", "cve": "PVE-2023-59546", "id": "pyup.io-59546", "more_info_path": "/vulnerabilities/PVE-2023-59546/59546", "specs": [ "<1.16.213" ], "v": "<1.16.213" }, { "advisory": "Awscli 1.27.90 includes a fix for a potential low-severity ReDoS vulnerability: An attacker being able to craft a malicious nuget.config file can cause ReDoS when a user performs Nuget or Dotnet login.\r\nhttps://github.com/aws/aws-cli/commit/68ad24c36b4e3f6936e3d1dc76fda39d2d1fe764", "cve": "PVE-2023-58911", "id": "pyup.io-58911", "more_info_path": "/vulnerabilities/PVE-2023-58911/58911", "specs": [ "<1.27.90" ], "v": "<1.27.90" } ], "awsclie": [ { "advisory": "Awsclie is a malicious package, typosquatting the popular package 'awscli'. 
It contains a base64 encoded payload in its '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53253", "id": "pyup.io-53253", "more_info_path": "/vulnerabilities/PVE-2023-53253/53253", "specs": [ ">=0" ], "v": ">=0" } ], "awsclii": [ { "advisory": "Awsclii is a malicious package, typosquatting the popular package 'awscli'. It contains a base64 encoded payload in its '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53252", "id": "pyup.io-53252", "more_info_path": "/vulnerabilities/PVE-2023-53252/53252", "specs": [ ">=0" ], "v": ">=0" } ], "awscrt": [ { "advisory": "Awscrt 0.13.5 updates modules to fix a DoS vulnerability related to OpenSSL.\r\nhttps://github.com/awslabs/aws-crt-python/commit/35650740c87eed174a2e0d7f98b8f5b8fd23848f", "cve": "CVE-2022-0778", "id": "pyup.io-46418", "more_info_path": "/vulnerabilities/CVE-2022-0778/46418", "specs": [ "<0.13.5" ], "v": "<0.13.5" }, { "advisory": "Awscrt 0.16.11 ships with AWS-LC v1.5.0, which includes a fix for CVE-2023-0286.", "cve": "CVE-2023-0286", "id": "pyup.io-59059", "more_info_path": "/vulnerabilities/CVE-2023-0286/59059", "specs": [ "<0.16.11" ], "v": "<0.16.11" } ], "awsiotsdk": [ { "advisory": "Awsiotsdk 1.5.18 includes a fix for CVE-2021-40828: Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows.", "cve": "CVE-2021-40828", "id": "pyup.io-42780", "more_info_path": "/vulnerabilities/CVE-2021-40828/42780", "specs": [ "<1.5.18" ], "v": "<1.5.18" }, { "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40830: The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root 
CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system\u2019s default trust-store. Attackers with access to a host\u2019s trust stores or able to compromise a certificate authority already in the host's trust-store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust-store to correct this issue.\r\nhttps://github.com/aws/aws-iot-device-sdk-python-v2", "cve": "CVE-2021-40830", "id": "pyup.io-42782", "more_info_path": "/vulnerabilities/CVE-2021-40830/42782", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { "advisory": "Awsiotsdk 1.6.1 includes a fix for CVE-2021-40829: Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS.", "cve": "CVE-2021-40829", "id": "pyup.io-42781", "more_info_path": "/vulnerabilities/CVE-2021-40829/42781", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { "advisory": "Awsiotsdk 1.7.0 includes a fix for CVE-2021-40831: The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been \u201coverridden\u201d. 
TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system\u2019s default trust-store. Attackers with access to a host\u2019s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to address this behavior.", "cve": "CVE-2021-40831", "id": "pyup.io-42783", "more_info_path": "/vulnerabilities/CVE-2021-40831/42783", "specs": [ "<1.7.0" ], "v": "<1.7.0" } ], "awsipranges": [ { "advisory": "Awsipranges 0.3.3 updates its dependency 'aiohttp' to v3.7.4 to include a security fix.", "cve": "CVE-2021-21330", "id": "pyup.io-44941", "more_info_path": "/vulnerabilities/CVE-2021-21330/44941", "specs": [ "<0.3.3" ], "v": "<0.3.3" }, { "advisory": "Awsipranges 0.3.3 updates its dependency 'ipython' to v7.31.1 to include a security fix.", "cve": "CVE-2022-21699", "id": "pyup.io-44947", "more_info_path": "/vulnerabilities/CVE-2022-21699/44947", "specs": [ "<0.3.3" ], "v": "<0.3.3" } ], "awxkit": [ { "advisory": "Awxkit 4.0.0 includes a fix for CVE-2019-3869: When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. 
A malicious user with the ability to write playbooks could use this to gain administrative privileges.\r\nhttps://github.com/ansible/awx/commit/2129f1208597d5c84478df48e0770e7b81b658ec", "cve": "CVE-2019-3869", "id": "pyup.io-42339", "more_info_path": "/vulnerabilities/CVE-2019-3869/42339", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "azure-cli": [ { "advisory": "Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the '&' or '|' symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a mitigation for the vulnerability.", "cve": "CVE-2022-39327", "id": "pyup.io-54575", "more_info_path": "/vulnerabilities/CVE-2022-39327/54575", "specs": [ ">=0,<2.40.0" ], "v": ">=0,<2.40.0" } ], "azure-cli-ml-preview": [ { "advisory": "Azure-cli-ml-preview is a malicious package, typosquatting. It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47808", "id": "pyup.io-47808", "more_info_path": "/vulnerabilities/PVE-2022-47808/47808", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "azure-cli-ml-private-preview": [ { "advisory": "Azure-cli-ml-private-preview is a malicious package, typosquatting. 
It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47810", "id": "pyup.io-47810", "more_info_path": "/vulnerabilities/PVE-2022-47810/47810", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "azure-functions": [ { "advisory": "Version 1.0.11184 of Azure Functions resolves a race condition in logging operations. This update ensures consistent and reliable log entries, even when multiple functions write simultaneously.\r\nhttps://github.com/Azure/azure-webjobs-sdk/pull/1319/commits/b6893d484fc77c893458ce3201a042ce7ae3d456", "cve": "PVE-2024-63814", "id": "pyup.io-63814", "more_info_path": "/vulnerabilities/PVE-2024-63814/63814", "specs": [ "<1.0.11184" ], "v": "<1.0.11184" } ], "azure-identity": [ { "advisory": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.", "cve": "CVE-2024-35255", "id": "pyup.io-71690", "more_info_path": "/vulnerabilities/CVE-2024-35255/71690", "specs": [ "<1.16.1" ], "v": "<1.16.1" } ], "azure-smtp-relay": [ { "advisory": "Azure-smtp-relay version 1.0.6 has updated its aiosmtpd dependency to version 1.4.5 to address the security vulnerability identified in CVE-2024-27305.", "cve": "CVE-2024-27305", "id": "pyup.io-68073", "more_info_path": "/vulnerabilities/CVE-2024-27305/68073", "specs": [ "<1.0.6" ], "v": "<1.0.6" } ], "azureml-contrib-jupyterrun": [ { "advisory": "Azureml-contrib-jupyterrun is a malicious package, typosquatting. It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47806", "id": "pyup.io-47806", "more_info_path": "/vulnerabilities/PVE-2022-47806/47806", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "azureml-contrib-optimization": [ { "advisory": "Azureml-contrib-optimization is a malicious package, typosquatting. 
It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47811", "id": "pyup.io-47811", "more_info_path": "/vulnerabilities/PVE-2022-47811/47811", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "azureml-contrib-reports": [ { "advisory": "Azureml-contrib-reports is a malicious package, typosquatting. It aims at targeting Azure environments.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47807", "id": "pyup.io-47807", "more_info_path": "/vulnerabilities/PVE-2022-47807/47807", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "b-cfn-custom-api-key-authorizer": [ { "advisory": "B-cfn-custom-api-key-authorizer 2.0.0 hashes api secrets to avoid leaks if the database is breached.", "cve": "PVE-2022-48259", "id": "pyup.io-48259", "more_info_path": "/vulnerabilities/PVE-2022-48259/48259", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "b2": [ { "advisory": "B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. 
If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account` then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1 and remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file.", "cve": "CVE-2022-23653", "id": "pyup.io-54274", "more_info_path": "/vulnerabilities/CVE-2022-23653/54274", "specs": [ ">=0,<3.2.1" ], "v": ">=0,<3.2.1" } ], "b2sdk": [ { "advisory": "B2sdk 1.14.1 includes a fix for CVE-2022-23651: Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. SDK users of the SqliteAccountInfo format are vulnerable while users of the InMemoryAccountInfo format are safe. 
The SqliteAccountInfo saves API keys (and bucket name-to-id mapping) in a local database file ($XDG_CONFIG_HOME/b2/account_info, ~/.b2_account_info or a user-defined path). When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory containing the file is readable by a local attacker then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Consumers of this SDK who rely on it to save data using SqliteAccountInfo class should upgrade to the latest version of the SDK. Those who believe a local user might have opened a handle using this race condition, should remove the affected database files and regenerate all application keys.\r\nhttps://github.com/Backblaze/b2-sdk-python/security/advisories/GHSA-p867-fxfr-ph2w", "cve": "CVE-2022-23651", "id": "pyup.io-45392", "more_info_path": "/vulnerabilities/CVE-2022-23651/45392", "specs": [ "<=1.14.0" ], "v": "<=1.14.0" } ], "babel": [ { "advisory": "Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.\r\nhttps://github.com/python-babel/babel/pull/782", "cve": "CVE-2021-42771", "id": "pyup.io-42203", "more_info_path": "/vulnerabilities/CVE-2021-42771/42203", "specs": [ "<2.9.1" ], "v": "<2.9.1" } ], "backend-ai": [ { "advisory": "Backend.ai 19.03.0b1 supports running multiple managers on the same host by randomizing internal IPC socket addresses. 
This also improves the security a little.", "cve": "PVE-2021-39087", "id": "pyup.io-39087", "more_info_path": "/vulnerabilities/PVE-2021-39087/39087", "specs": [ "<19.03.0b1" ], "v": "<19.03.0b1" }, { "advisory": "Backend.ai 19.03.0rc1 supports authentication with etcd and Redis for better security.", "cve": "PVE-2021-39086", "id": "pyup.io-39086", "more_info_path": "/vulnerabilities/PVE-2021-39086/39086", "specs": [ "<19.03.0rc1" ], "v": "<19.03.0rc1" }, { "advisory": "Backend.ai 19.09.0rc4 includes image import. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases. Additionally, it includes a privilege escalation fix because domain-admins could run sessions on behalf of super-admins in the same domain.", "cve": "PVE-2021-38675", "id": "pyup.io-38675", "more_info_path": "/vulnerabilities/PVE-2021-38675/38675", "specs": [ "<19.09.0rc4" ], "v": "<19.09.0rc4" } ], "backend-ai-client": [ { "advisory": "Backend.ai-client version 21.09.0a1 updates its dependency 'PyYaml' to v5.4.1 to include a security fix.", "cve": "CVE-2020-14343", "id": "pyup.io-41219", "more_info_path": "/vulnerabilities/CVE-2020-14343/41219", "specs": [ "<21.09.0a1" ], "v": "<21.09.0a1" } ], "backend-ai-manager": [ { "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. 
Importing as service-port only image support will be added in future releases.", "cve": "PVE-2021-37531", "id": "pyup.io-37531", "more_info_path": "/vulnerabilities/PVE-2021-37531/37531", "specs": [ "<19.09.0rc4" ], "v": "<19.09.0rc4" } ], "backend-ai-webserver": [ { "advisory": "Backend.ai-webserver 22.03.0a1 prevents too many login attempts.\r\nhttps://github.com/lablup/backend.ai-webserver/pull/29", "cve": "PVE-2022-46407", "id": "pyup.io-46407", "more_info_path": "/vulnerabilities/PVE-2022-46407/46407", "specs": [ "<22.03.0a1" ], "v": "<22.03.0a1" } ], "backend.ai-manager": [ { "advisory": "Backend.ai-manager 21.03.0 fixes a potential vulnerability: a remote code execution risk associated with the YAML file loading process. This update introduces `yaml.safe_load()` for all YAML loader invocations.\r\nhttps://github.com/lablup/backend.ai-manager/pull/395/commits/844ef52aa6f9fa4e7aac231eedabb7fd7425f967", "cve": "PVE-2024-64058", "id": "pyup.io-64058", "more_info_path": "/vulnerabilities/PVE-2024-64058/64058", "specs": [ "<21.03.0" ], "v": "<21.03.0" } ], "baeutifulsoup4": [ { "advisory": "Baeutifulsoup4 is a malicious package. 
It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51735", "id": "pyup.io-51735", "more_info_path": "/vulnerabilities/PVE-2022-51735/51735", "specs": [ ">0" ], "v": ">0" } ], "bakercm": [ { "advisory": "Bakercm 0.4.4 updates its dependency 'pycryptodome' to v3.6.6 to include a security fix.", "cve": "CVE-2018-15560", "id": "pyup.io-36651", "more_info_path": "/vulnerabilities/CVE-2018-15560/36651", "specs": [ "<0.4.4" ], "v": "<0.4.4" } ], "bandersnatch": [ { "advisory": "Bandersnatch 1.6 includes a fix for a potential race condition vulnerability.\r\nhttps://github.com/pypa/bandersnatch/commit/59ceeeef16da461861b8b4b8b6910c9c2434558e", "cve": "PVE-2023-61428", "id": "pyup.io-61428", "more_info_path": "/vulnerabilities/PVE-2023-61428/61428", "specs": [ "<1.6" ], "v": "<1.6" } ], "bandit": [ { "advisory": "Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes.", "cve": "CVE-2017-18342", "id": "pyup.io-45736", "more_info_path": "/vulnerabilities/CVE-2017-18342/45736", "specs": [ "<1.6.3" ], "v": "<1.6.3" }, { "advisory": "Bandit 1.6.3 updates its dependency 'pyyaml' to v5.3.1 to include security fixes.", "cve": "CVE-2020-1747", "id": "pyup.io-39277", "more_info_path": "/vulnerabilities/CVE-2020-1747/39277", "specs": [ "<1.6.3" ], "v": "<1.6.3" }, { "advisory": "Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing SQL queries, potentially enabling the execution of arbitrary SQL code.\r\nhttps://github.com/PyCQA/bandit/pull/1044/commits/d909043ba20853c90a7cad4a5b58a180f6937bf8", "cve": "PVE-2024-64484", "id": "pyup.io-64484", "more_info_path": "/vulnerabilities/PVE-2024-64484/64484", "specs": [ "<1.7.7" ], "v": "<1.7.7" } ], "barbican": [ { "advisory": "Barbican 12.0.2, 13.0.1 and 14.0.1 include a fix for CVE-2022-3100: This issue allows an access policy bypass via a query string when accessing the 
API.\r\nhttps://github.com/openstack/barbican/commit/6112c302375bf3d4c27303d12beec52ce2a82a2b", "cve": "CVE-2022-3100", "id": "pyup.io-52879", "more_info_path": "/vulnerabilities/CVE-2022-3100/52879", "specs": [ "<12.0.2", ">=13.0.0.0rc1,<13.0.1", ">=14.0.0.0rc1,<14.0.1" ], "v": "<12.0.2,>=13.0.0.0rc1,<13.0.1,>=14.0.0.0rc1,<14.0.1" }, { "advisory": "Barbican 14.0.0.0rc1 includes a fix for CVE-2022-23451: An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.\r\nhttps://github.com/openstack/barbican/commit/7d270bacbe29a90a10f1855abc3b50dac0f08022", "cve": "CVE-2022-23451", "id": "pyup.io-50929", "more_info_path": "/vulnerabilities/CVE-2022-23451/50929", "specs": [ "<14.0.0.0rc1" ], "v": "<14.0.0.0rc1" }, { "advisory": "Barbican 14.0.0.0rc1 includes a fix for CVE-2022-23452: An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.\r\nhttps://review.opendev.org/c/openstack/barbican/+/814200", "cve": "CVE-2022-23452", "id": "pyup.io-50879", "more_info_path": "/vulnerabilities/CVE-2022-23452/50879", "specs": [ "<14.0.0.0rc1" ], "v": "<14.0.0.0rc1" }, { "advisory": "Barbican 17.0.0.0rc1 and prior versions are affected by CVE-2023-1636: A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. 
If any service is compromised, it could gain access to the data transmitted to and from Barbican.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2181765", "cve": "CVE-2023-1636", "id": "pyup.io-61408", "more_info_path": "/vulnerabilities/CVE-2023-1636/61408", "specs": [ "<=17.0.0.0rc1" ], "v": "<=17.0.0.0rc1" }, { "advisory": "Barbican 17.0.0.0rc1 and prior versions are affected by CVE-2023-1633: A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2181761", "cve": "CVE-2023-1633", "id": "pyup.io-61407", "more_info_path": "/vulnerabilities/CVE-2023-1633/61407", "specs": [ "<=17.0.0.0rc1" ], "v": "<=17.0.0.0rc1" } ], "barman": [ { "advisory": "Barman 2.11 removes the strict superuser requirement for PG 10+. As of PostgreSQL 10 it is possible to execute \r\nbackups without superuser privileges, which is actually the recommended method for security reasons. Non-superuser backups need to grant some privileges to the user used by Barman to connect to PostgreSQL, as documented in the 21-preliminary_steps.en.md section.\r\n\r\nIt also ensures each postgres connection has an empty search_path. This is the only safe option when there is no information about how secure the search path is on the target database. 
This is done by appending \"options=-csearch_path=\" to any conninfo string.", "cve": "PVE-2021-38502", "id": "pyup.io-38502", "more_info_path": "/vulnerabilities/PVE-2021-38502/38502", "specs": [ "<2.11" ], "v": "<2.11" } ], "bas-air-unit-network-dataset": [ { "advisory": "Bas-air-unit-network-dataset 0.3.0 updates its dependency 'certifi' to v2023.11.17 to include a security fix.", "cve": "CVE-2023-37920", "id": "pyup.io-62496", "more_info_path": "/vulnerabilities/CVE-2023-37920/62496", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "baseplate": [ { "advisory": "Baseplate 0.19.0 includes support for fetching secrets in a secure, auditable, manner from Hashicorp Vault. A sidecar daemon manages the infrastructure-level authentication with Vault and fetches secrets to a file on disk. Helpers in Baseplate then allow your application to fetch these secrets efficiently from the sidecar daemon with some helpful conventions for versioning/key rotation. This is now the right way to get secret tokens into your application going forward. See: .", "cve": "PVE-2021-38349", "id": "pyup.io-38349", "more_info_path": "/vulnerabilities/PVE-2021-38349/38349", "specs": [ "<0.19.0" ], "v": "<0.19.0" }, { "advisory": "Authentication tokens in baseplate 0.22.0 provided by the authentication service can now be automatically propagated between services when making Thrift calls. This allows internal services to securely and accurately understand on whose behalf a given request is being made so they can decide if the requester is authorized for a particular action. The context is passed implicitly, in request headers, so no extra parameters need be added to service IDLs. 
Baseplate provides APIs for validating and accessing the tokens from within request context and will automatically pass upstream credentials to downstream services without extra work.", "cve": "PVE-2021-38348", "id": "pyup.io-38348", "more_info_path": "/vulnerabilities/PVE-2021-38348/38348", "specs": [ "<0.22.0" ], "v": "<0.22.0" }, { "advisory": "Baseplate 0.24.0 includes an EdgeRequestContext/AuthenticationToken unification. This isn't a new addition, but a **breaking** rework of authentication context in Baseplate. Authentication token propagation and access is now fully integrated into the edge request context. Authentication tokens are propagated inside the edge context header and the API for applications built on Baseplate is unified. See below for details on how to use this.", "cve": "PVE-2021-38347", "id": "pyup.io-38347", "more_info_path": "/vulnerabilities/PVE-2021-38347/38347", "specs": [ "<0.24.0" ], "v": "<0.24.0" }, { "advisory": "Services often need to securely store username/password pairs. Baseplate 0.30.0 has a convention for doing so called a credential secret. In addition, the sqlalchemy integration now uses this new credential type and you can expect other integrations to do so in the future. 
See also: .", "cve": "PVE-2021-38346", "id": "pyup.io-38346", "more_info_path": "/vulnerabilities/PVE-2021-38346/38346", "specs": [ "<0.30.0" ], "v": "<0.30.0" } ], "basketball-reference-web-scraper": [ { "advisory": "Basketball-reference-web-scraper 4.2.2 upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.", "cve": "PVE-2021-37123", "id": "pyup.io-37123", "more_info_path": "/vulnerabilities/PVE-2021-37123/37123", "specs": [ "<4.2.2" ], "v": "<4.2.2" }, { "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability.", "cve": "CVE-2019-11324", "id": "pyup.io-37195", "more_info_path": "/vulnerabilities/CVE-2019-11324/37195", "specs": [ "<4.2.3" ], "v": "<4.2.3" } ], "basxconnect": [ { "advisory": "Basxconnect 0.3.54 fixes a missing CSRF token issue.\r\nhttps://github.com/basxsoftwareassociation/basxconnect/commit/6d5809b78dcf033e4f0ca30e305dd3a382f56709", "cve": "PVE-2021-42928", "id": "pyup.io-42928", "more_info_path": "/vulnerabilities/PVE-2021-42928/42928", "specs": [ "<0.3.54" ], "v": "<0.3.54" } ], "bauh": [ { "advisory": "Bauh 0.10.3 prevents command injection through the search mechanism.\r\nhttps://github.com/vinifmor/bauh/issues/266", "cve": "PVE-2022-49145", "id": "pyup.io-49145", "more_info_path": "/vulnerabilities/PVE-2022-49145/49145", "specs": [ "<0.10.3" ], "v": "<0.10.3" } ], "baybe": [ { "advisory": "Baybe 0.4.1 updates its dependency 'scipy' to v1.10.1 to include a security fix.", "cve": "CVE-2023-25399", "id": "pyup.io-62619", "more_info_path": "/vulnerabilities/CVE-2023-25399/62619", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27319.", "cve": "CVE-2024-27318", "id": "pyup.io-66984", "more_info_path": "/vulnerabilities/CVE-2024-27318/66984", "specs": [ "<0.8.2" ], "v": "<0.8.2" }, { "advisory": "Baybe 0.8.2 has 
updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27318.", "cve": "CVE-2024-27318", "id": "pyup.io-66978", "more_info_path": "/vulnerabilities/CVE-2024-27318/66978", "specs": [ "<0.8.2" ], "v": "<0.8.2" } ], "bayesian-testing": [ { "advisory": "Bayesian-testing 0.2.2 updates its dependency 'jupyter-server' to v1.16.0 to include a security fix.", "cve": "CVE-2022-24757", "id": "pyup.io-47846", "more_info_path": "/vulnerabilities/CVE-2022-24757/47846", "specs": [ "<0.2.2" ], "v": "<0.2.2" }, { "advisory": "Bayesian-testing 0.2.2 updates its dependency 'ipython' to v7.32.0 to include a security fix.", "cve": "CVE-2022-21699", "id": "pyup.io-47840", "more_info_path": "/vulnerabilities/CVE-2022-21699/47840", "specs": [ "<0.2.2" ], "v": "<0.2.2" }, { "advisory": "Bayesian-testing 0.2.3 updates its dependency 'jupyter-server' to v1.18.1 to include a security fix.", "cve": "CVE-2022-29241", "id": "pyup.io-50161", "more_info_path": "/vulnerabilities/CVE-2022-29241/50161", "specs": [ "<0.2.3" ], "v": "<0.2.3" }, { "advisory": "Bayesian-testing 0.5.5 updates its dependency 'certifi' to version '2023.07.22' to include a fix for a vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e", "cve": "CVE-2023-37920", "id": "pyup.io-60517", "more_info_path": "/vulnerabilities/CVE-2023-37920/60517", "specs": [ "<0.5.5" ], "v": "<0.5.5" }, { "advisory": "Bayesian-testing 0.5.5 updates its dependency 'requests' to version '2.31.0' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e", "cve": "CVE-2023-32681", "id": "pyup.io-60524", "more_info_path": "/vulnerabilities/CVE-2023-32681/60524", "specs": [ "<0.5.5" ], "v": "<0.5.5" }, { "advisory": "Bayesian-testing 0.5.5 updates its dependency 'pygments' to version '2.16.1' to include a fix for a ReDoS 
vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e", "cve": "CVE-2022-40896", "id": "pyup.io-60523", "more_info_path": "/vulnerabilities/CVE-2022-40896/60523", "specs": [ "<0.5.5" ], "v": "<0.5.5" }, { "advisory": "Bayesian-testing 0.5.6 updates its dependency 'urllib3' to v2.0.7 to include a security fix.", "cve": "CVE-2023-45803", "id": "pyup.io-62261", "more_info_path": "/vulnerabilities/CVE-2023-45803/62261", "specs": [ "<0.5.6" ], "v": "<0.5.6" }, { "advisory": "Bayesian-testing version 0.6.2 updates its `idna` dependency from version 3.6 to 3.7 due to CVE-2024-3651.", "cve": "CVE-2024-3651", "id": "pyup.io-71044", "more_info_path": "/vulnerabilities/CVE-2024-3651/71044", "specs": [ "<0.6.2" ], "v": "<0.6.2" } ], "bbcode": [ { "advisory": "Bbcode 1.0.18 escapes quotes to prevent XSS.\r\nhttps://github.com/dcwatson/bbcode/issues/4\r\nhttps://github.com/dcwatson/bbcode/commit/e23f5ae9f9e42a9988a52b8b39815593c264f3ce", "cve": "PVE-2021-25634", "id": "pyup.io-25634", "more_info_path": "/vulnerabilities/PVE-2021-25634/25634", "specs": [ "<1.0.18" ], "v": "<1.0.18" }, { "advisory": "Bbcode versions before 1.0.9 are vulnerable to cross-site scripting (XSS) attacks because they fail to escape certain symbols, such as double quotes (\"), single quotes ('), commas (,), and periods (.). XSS attacks allow attackers to execute malicious scripts in users' browsers by inserting unescaped characters into web applications, which do not validate or sanitize these inputs. This can lead to a range of malicious activities, including session hijacking, exposure of sensitive information, and malware delivery. 
There are several types of XSS attacks, including Stored (where malicious code is stored on the server and executed when a user interacts with it), Reflected (where the user is tricked into clicking a malicious link that sends a request to a vulnerable site, which then reflects the attack back to the user), DOM-based (where the attack is delivered via client-side rendered pages), and Mutated (where injected code is modified by the browser to become malicious).\r\nhttps://github.com/dcwatson/bbcode/commit/116cb2067003e6c6f679ed3a34e9e00a97a332cf", "cve": "PVE-2024-99802", "id": "pyup.io-66013", "more_info_path": "/vulnerabilities/PVE-2024-99802/66013", "specs": [ ">=0,<1.0.9" ], "v": ">=0,<1.0.9" } ], "bcfg2": [ { "advisory": "The server in Bcfg2 1.1.2 and earlier, and 1.2 prerelease, allows remote attackers to execute arbitrary commands via shell metacharacters in data received from a client.", "cve": "CVE-2011-3211", "id": "pyup.io-62023", "more_info_path": "/vulnerabilities/CVE-2011-3211/62023", "specs": [ "<=1.1.2", "==1.2.0pre1", "==1.2.0pre2", "==1.2.0pre3" ], "v": "<=1.1.2,==1.2.0pre1,==1.2.0pre2,==1.2.0pre3" }, { "advisory": "The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with root access to the client to execute arbitrary commands via shell metacharacters in the UUID field to the server process (bcfg2-server).", "cve": "CVE-2012-3366", "id": "pyup.io-65836", "more_info_path": "/vulnerabilities/CVE-2012-3366/65836", "specs": [ ">=1.2,<1.2.3" ], "v": ">=1.2,<1.2.3" } ], "beaker": [ { "advisory": "Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. 
This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API.", "cve": "CVE-2020-12079", "id": "pyup.io-70760", "more_info_path": "/vulnerabilities/CVE-2020-12079/70760", "specs": [ "<0.8.9" ], "v": "<0.8.9" }, { "advisory": "Beaker 0.9.4 removes directory escaping characters properly from the session ID when un-signed sessions are used.\r\nhttps://github.com/bbangert/beaker/commit/ad45a77d199c46ddedf5d1aa54780b95d4bd3279", "cve": "PVE-2021-25635", "id": "pyup.io-25635", "more_info_path": "/vulnerabilities/PVE-2021-25635/25635", "specs": [ "<0.9.4" ], "v": "<0.9.4" }, { "advisory": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.", "cve": "CVE-2012-3458", "id": "pyup.io-25636", "more_info_path": "/vulnerabilities/CVE-2012-3458/25636", "specs": [ "<1.6.4" ], "v": "<1.6.4" }, { "advisory": "The search bar code in bkr/server/widgets.py in Beaker before 20.1 does not escape tags in string literals when producing JSON.", "cve": "CVE-2015-3161", "id": "pyup.io-70479", "more_info_path": "/vulnerabilities/CVE-2015-3161/70479", "specs": [ "<20.1" ], "v": "<20.1" }, { "advisory": "The admin pages for power types and key types in Beaker before 20.1 do not have any access controls, which allows remote authenticated users to modify power types and key types via navigating to $BEAKER/powertypes and $BEAKER/keytypes respectively.", "cve": "CVE-2015-3163", "id": "pyup.io-70477", "more_info_path": "/vulnerabilities/CVE-2015-3163/70477", "specs": [ "<20.1" ], "v": "<20.1" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the edit comment dialog in bkr/server/widgets.py in Beaker 20.1 allows remote authenticated users to inject arbitrary web script or HTML via writing a crafted comment on an acked or nacked canceled 
job.", "cve": "CVE-2015-3162", "id": "pyup.io-70478", "more_info_path": "/vulnerabilities/CVE-2015-3162/70478", "specs": [ "<20.1" ], "v": "<20.1" }, { "advisory": "XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system.", "cve": "CVE-2015-3160", "id": "pyup.io-70480", "more_info_path": "/vulnerabilities/CVE-2015-3160/70480", "specs": [ "<20.1" ], "v": "<20.1" }, { "advisory": "The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.", "cve": "CVE-2013-7489", "id": "pyup.io-38464", "more_info_path": "/vulnerabilities/CVE-2013-7489/38464", "specs": [ "<=1.11.0" ], "v": "<=1.11.0" } ], "beancount-import": [ { "advisory": "Beancount-import version 1.4.0 has upgraded `@babel/traverse` from 7.13.0 to 7.23.3 in the frontend to address the security issue detailed in CVE-2023-45133.", "cve": "CVE-2023-45133", "id": "pyup.io-68055", "more_info_path": "/vulnerabilities/CVE-2023-45133/68055", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "beautifulsup4": [ { "advisory": "Beautifulsup4 is a malicious package. 
It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51736", "id": "pyup.io-51736", "more_info_path": "/vulnerabilities/PVE-2022-51736/51736", "specs": [ ">0" ], "v": ">0" } ], "beets": [ { "advisory": "Beets 1.6.0 sanitize filenames in image IDs in the Aura plugin.\r\nhttps://github.com/beetbox/beets/pull/4160/commits/1fad3d01aea4627af42a9b7190d6869d2b007cc4", "cve": "PVE-2021-42892", "id": "pyup.io-42892", "more_info_path": "/vulnerabilities/PVE-2021-42892/42892", "specs": [ "<1.6.0" ], "v": "<1.6.0" } ], "before-commit": [ { "advisory": "Before-commit 1.10.4 replaces 'yaml.load' with a safe alternative.\r\nhttps://github.com/before-commit/before-commit/commit/6853f4aa4c8d7e411839bacc66876baea443186a", "cve": "PVE-2022-48117", "id": "pyup.io-48117", "more_info_path": "/vulnerabilities/PVE-2022-48117/48117", "specs": [ "<1.10.4" ], "v": "<1.10.4" } ], "beginner": [ { "advisory": "The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-33004", "id": "pyup.io-54413", "more_info_path": "/vulnerabilities/CVE-2022-33004/54413", "specs": [ ">=0.0.2,<0.0.5" ], "v": ">=0.0.2,<0.0.5" } ], "belvo-python": [ { "advisory": "Belvo-python 0.39.1 updates its dependency 'requests' to version '2.31.0' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/belvo-finance/belvo-python/pull/177", "cve": "PVE-2023-60581", "id": "pyup.io-60581", "more_info_path": "/vulnerabilities/PVE-2023-60581/60581", "specs": [ "<0.39.1" ], "v": "<0.39.1" } ], "benchexec": [ { "advisory": "Benchexec 2.2 fixes a security issue. The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. 
Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report.\r\nhttps://github.com/sosy-lab/benchexec/commit/5f043cd2d2484a75bee48efb924700c0b1ce32b4", "cve": "PVE-2021-42546", "id": "pyup.io-42546", "more_info_path": "/vulnerabilities/PVE-2021-42546/42546", "specs": [ "<2.2" ], "v": "<2.2" }, { "advisory": "Benchexec 2.2 fixes a security issue. Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. 
Run execution was not affected.\r\nhttps://github.com/sosy-lab/benchexec/commit/dea58cac6e066d89e3ab3e374c6472d575493d07", "cve": "PVE-2021-37510", "id": "pyup.io-37510", "more_info_path": "/vulnerabilities/PVE-2021-37510/37510", "specs": [ "==2.1" ], "v": "==2.1" } ], "bento-lib": [ { "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.\r\nhttps://github.com/bento-platform/bento_lib/commit/991ee4fd406e3397435d1c8c02f1d0c48b9ec594\r\nhttps://github.com/bento-platform/bento_lib/commit/046a023abe8de0c3e13963a0c236df4f34ade244", "cve": "PVE-2021-41035", "id": "pyup.io-41035", "more_info_path": "/vulnerabilities/PVE-2021-41035/41035", "specs": [ "<3.0.1" ], "v": "<3.0.1" }, { "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.", "cve": "CVE-2023-28858", "id": "pyup.io-54855", "more_info_path": "/vulnerabilities/CVE-2023-28858/54855", "specs": [ "<6.0.1" ], "v": "<6.0.1" }, { "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.", "cve": "CVE-2023-28859", "id": "pyup.io-54854", "more_info_path": "/vulnerabilities/CVE-2023-28859/54854", "specs": [ "<6.0.1" ], "v": "<6.0.1" } ], "bentoml": [ { "advisory": "An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. 
This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control.", "cve": "CVE-2024-2912", "id": "pyup.io-71907", "more_info_path": "/vulnerabilities/CVE-2024-2912/71907", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "bepasty": [ { "advisory": "Bepasty 0.3.0 prevents the disclosure of locked item's metadata.\r\nhttps://github.com/bepasty/bepasty-server/commit/95e49be1b4ecbf800bd81805f37d4e42699f3d45", "cve": "PVE-2022-48339", "id": "pyup.io-48339", "more_info_path": "/vulnerabilities/PVE-2022-48339/48339", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Bepasty 0.3.0 forces the content-type to be text/plain and also turn the browser's sniffer off when showing potentially dangerous text/* types.\r\nhttps://github.com/bepasty/bepasty-server/commit/068fc4e1906bda3cd94705ba2907e52864f10ee3", "cve": "PVE-2021-25637", "id": "pyup.io-25637", "more_info_path": "/vulnerabilities/PVE-2021-25637/25637", "specs": [ "<0.3.0" ], "v": "<0.3.0" }, { "advisory": "Bepasty 0.6.0 invalidates old client-side cookies if PERMISSIONS in config are changed. This is a security fix.\r\nhttps://github.com/bepasty/bepasty-server/commit/4d5020d9839db510a4197041dd644efa5778b40e", "cve": "PVE-2021-39120", "id": "pyup.io-39120", "more_info_path": "/vulnerabilities/PVE-2021-39120/39120", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "berglas": [ { "advisory": "Berglas 0.2.0 no longer trusts the environment variables.", "cve": "PVE-2021-37340", "id": "pyup.io-37340", "more_info_path": "/vulnerabilities/PVE-2021-37340/37340", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "betty": [ { "advisory": "Betty 0.3.0a1 addresses a race condition that can occur during the CPU-intensive site generation process. 
This update introduces safeguards to prevent the copying or serialization of App instances, which could potentially lead to data inconsistencies or other unexpected behavior.\r\nhttps://github.com/bartfeenstra/betty/pull/798/commits/660d4ecdd97f2e5c00cb18945f38cf1c871bdc1e", "cve": "PVE-2023-63062", "id": "pyup.io-63062", "more_info_path": "/vulnerabilities/PVE-2023-63062/63062", "specs": [ "<0.3.0a1" ], "v": "<0.3.0a1" }, { "advisory": "Betty 0.3.0a1 addresses a race condition in the locale API. It aims to ensure thread safety by avoiding shared state and using context managers to handle resources.\r\nhttps://github.com/bartfeenstra/betty/pull/958/commits/05434a10c0c886d1afad0b61b119de13b0d2959b", "cve": "PVE-2023-63093", "id": "pyup.io-63093", "more_info_path": "/vulnerabilities/PVE-2023-63093/63093", "specs": [ "<0.3.0a1" ], "v": "<0.3.0a1" }, { "advisory": "Affected versions of the Betty cache package are vulnerable to a Race Condition (CWE-362). This vulnerability may result in data corruption or inconsistent state when multiple coroutines access shared cache items concurrently. The issue arises in the _CacheItemLock class's release method, which no longer acquires a lock before modifying shared data. Attackers could exploit this by triggering concurrent cache operations, leading to unpredictable behavior. 
To mitigate this issue, reintroduce the lock in the release method to ensure proper synchronization of shared resources.", "cve": "PVE-2024-73610", "id": "pyup.io-73610", "more_info_path": "/vulnerabilities/PVE-2024-73610/73610", "specs": [ "<0.4.0a12" ], "v": "<0.4.0a12" } ], "bgcflow-wrapper": [ { "advisory": "Bgcflow-wrapper 0.2.5 updates its dependency on the Tox library from version \"^3.24.5\" to version \"^4.6.4\" as a part of a security update.\r\nhttps://github.com/NBChub/bgcflow_wrapper/pull/21/commits/319c772de5b1a572605a641acf6ecd8cced2deca", "cve": "PVE-2024-64545", "id": "pyup.io-64545", "more_info_path": "/vulnerabilities/PVE-2024-64545/64545", "specs": [ "<0.2.5" ], "v": "<0.2.5" }, { "advisory": "Bgcflow-wrapper 0.2.6 updates its dependency 'cryptography' to v41.0.3 to include a security fix.", "cve": "CVE-2023-3446", "id": "pyup.io-62425", "more_info_path": "/vulnerabilities/CVE-2023-3446/62425", "specs": [ "<0.2.6" ], "v": "<0.2.6" }, { "advisory": "Bgcflow-wrapper 0.3.3 updates its Snakemake dependency from the previous version range \"^7.18.2\" to a specific newer version, \"7.31.1,\" as part of a security update.\r\nhttps://github.com/NBChub/bgcflow_wrapper/pull/35/commits/30d7f96c73a0307779b9503160da50a2d9924e91", "cve": "PVE-2024-64544", "id": "pyup.io-64544", "more_info_path": "/vulnerabilities/PVE-2024-64544/64544", "specs": [ "<0.3.3" ], "v": "<0.3.3" }, { "advisory": "Bgcflow-wrapper 0.3.5 adjusts its dependencies by locking the version of Pulp to 2.7.0. 
This change was implemented to resolve an issue related to its dependency on Snakemake.\r\nhttps://github.com/snakemake/snakemake/issues/2606", "cve": "PVE-2024-64543", "id": "pyup.io-64543", "more_info_path": "/vulnerabilities/PVE-2024-64543/64543", "specs": [ "<0.3.5" ], "v": "<0.3.5" } ], "bids-validator": [ { "advisory": "Bids-validator 0.24.0 includes a fix for a directory traversal vulnerability.\r\nhttps://github.com/bids-standard/bids-validator/pull/368", "cve": "PVE-2023-59251", "id": "pyup.io-59251", "more_info_path": "/vulnerabilities/PVE-2023-59251/59251", "specs": [ "<0.24.0" ], "v": "<0.24.0" } ], "bigchaindb": [ { "advisory": "Bigchaindb 2.2.2 updates its dependency 'gunicorn' to v20.0.4 to include a security fix.", "cve": "CVE-2018-1000164", "id": "pyup.io-45782", "more_info_path": "/vulnerabilities/CVE-2018-1000164/45782", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { "advisory": "Bigchaindb 2.2.2 updates its dependency 'pyyaml' to v5.3.1 to include a security fix.", "cve": "CVE-2020-1747", "id": "pyup.io-45783", "more_info_path": "/vulnerabilities/CVE-2020-1747/45783", "specs": [ "<2.2.2" ], "v": "<2.2.2" } ], "bigchaindb-driver": [ { "advisory": "Bigchaindb-driver 0.5.2 includes a fix for CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. 
GCM tag forgeries can cause key leakage.", "cve": "CVE-2018-10903", "id": "pyup.io-36427", "more_info_path": "/vulnerabilities/CVE-2018-10903/36427", "specs": [ "<0.5.2" ], "v": "<0.5.2" } ], "bigdl": [ { "advisory": "Bigdl 0.5.0 includes a fix for a Race Condition vulnerability in Spark 1.6.\r\nhttps://github.com/intel-analytics/BigDL/pull/2363", "cve": "PVE-2023-59598", "id": "pyup.io-59598", "more_info_path": "/vulnerabilities/PVE-2023-59598/59598", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11", "cve": "PVE-2021-37576", "id": "pyup.io-37576", "more_info_path": "/vulnerabilities/PVE-2021-37576/37576", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Bigdl 2.0.0 updates its Maven dependency 'protobuf-java' to v3.19.2 to include a security fix.", "cve": "CVE-2021-22569", "id": "pyup.io-45818", "more_info_path": "/vulnerabilities/CVE-2021-22569/45818", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Bigdl 2.0.0 updates its Maven dependency 'http.version' to v10.1.15 to include security fixes.", "cve": "CVE-2021-23339", "id": "pyup.io-45840", "more_info_path": "/vulnerabilities/CVE-2021-23339/45840", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Bigdl 2.0.0 updates its Maven dependency 'http.version' to v10.1.15 to include security fixes.", "cve": "CVE-2021-42697", "id": "pyup.io-45841", "more_info_path": "/vulnerabilities/CVE-2021-42697/45841", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Bigdl 2.1.0 updates its Maven dependency 'akka.http' to v10.1.15 to include a security fix.", "cve": "CVE-2021-23339", "id": "pyup.io-51328", "more_info_path": "/vulnerabilities/CVE-2021-23339/51328", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Bigdl 2.1.0 updates its Maven dependency 'protobuf-java' to v3.19.2 to include a security fix.", "cve": "CVE-2021-22569", "id": "pyup.io-51239", "more_info_path": "/vulnerabilities/CVE-2021-22569/51239", "specs": [ "<2.1.0" 
], "v": "<2.1.0" }, { "advisory": "Bigdl 2.3.0 includes a fix for a SQL injection vulnerability in python/benchmark/run.py.\r\nhttps://github.com/intel-analytics/BigDL/pull/8014", "cve": "PVE-2023-55136", "id": "pyup.io-55136", "more_info_path": "/vulnerabilities/PVE-2023-55136/55136", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 includes a security fix in its 'dlib' library: Unsafe Reflection in ModelBroadcast.scala Topology.scala.\r\nhttps://github.com/intel-analytics/BigDL/pull/7731", "cve": "PVE-2023-55134", "id": "pyup.io-55134", "more_info_path": "/vulnerabilities/PVE-2023-55134/55134", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 includes a security fix in its 'dlib' library: Reflected XSS All Clients in TorchFile.scala.\r\nhttps://github.com/intel-analytics/BigDL/pull/7731", "cve": "PVE-2023-55131", "id": "pyup.io-55131", "more_info_path": "/vulnerabilities/PVE-2023-55131/55131", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 includes a security fix in its 'dlib' library: Deserialization of Untrusted Data in File.scala.\r\nhttps://github.com/intel-analytics/BigDL/pull/7731", "cve": "PVE-2023-55135", "id": "pyup.io-55135", "more_info_path": "/vulnerabilities/PVE-2023-55135/55135", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 replaces part of pickle to json to avoid a security issue.\r\nhttps://github.com/intel-analytics/BigDL/pull/8009", "cve": "PVE-2023-55137", "id": "pyup.io-55137", "more_info_path": "/vulnerabilities/PVE-2023-55137/55137", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 updates its dependency 'cryptography' to v39.0.1 to include security fixes.\r\nhttps://github.com/intel-analytics/BigDL/pull/7717", "cve": "CVE-2023-0286", "id": "pyup.io-55139", "more_info_path": "/vulnerabilities/CVE-2023-0286/55139", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.3.0 updates its dependency 'cryptography' to v39.0.1 to include security 
fixes.\r\nhttps://github.com/intel-analytics/BigDL/pull/7717", "cve": "CVE-2023-0401", "id": "pyup.io-55138", "more_info_path": "/vulnerabilities/CVE-2023-0401/55138", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Bigdl 2.4.0 includes a fix for a command injection vulnerability.\r\nhttps://github.com/intel-analytics/BigDL/pull/8478", "cve": "PVE-2023-62298", "id": "pyup.io-62298", "more_info_path": "/vulnerabilities/PVE-2023-62298/62298", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Bigdl 2.4.0 includes a fix for a Weak Encryption at Rest vulnerability.\r\nhttps://github.com/intel-analytics/BigDL/pull/8414", "cve": "PVE-2023-62334", "id": "pyup.io-62334", "more_info_path": "/vulnerabilities/PVE-2023-62334/62334", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Bigdl 2.4.0 updates its C dependency 'libturbojpeg' to v3.0.0 to include a security fix.\r\nhttps://github.com/intel-analytics/BigDL/pull/8413/commits/34349d2dd7408b75cdb30c365896132a51461dd8", "cve": "CVE-2023-2804", "id": "pyup.io-62335", "more_info_path": "/vulnerabilities/CVE-2023-2804/62335", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "bigflow": [ { "advisory": "Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation.", "cve": "CVE-2023-25392", "id": "pyup.io-62893", "more_info_path": "/vulnerabilities/CVE-2023-25392/62893", "specs": [ "<1.6.0" ], "v": "<1.6.0" }, { "advisory": "Bigflow 1.6.0 enables vault endpoint TLS certificate verification by default to avoid MITM attacks.", "cve": "PVE-2023-53443", "id": "pyup.io-53443", "more_info_path": "/vulnerabilities/PVE-2023-53443/53443", "specs": [ "<1.6.0" ], "v": "<1.6.0" } ], "bikeshed": [ { "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML 
output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd", "cve": "CVE-2021-23423", "id": "pyup.io-41180", "more_info_path": "/vulnerabilities/CVE-2021-23423/41180", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd", "cve": "CVE-2021-23422", "id": "pyup.io-41179", "more_info_path": "/vulnerabilities/CVE-2021-23422/41179", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "bin-collect": [ { "advisory": "The bin-collect package in PyPI before v0.1 included a code execution backdoor inserted by a third party.", "cve": "CVE-2022-34500", "id": "pyup.io-70768", "more_info_path": "/vulnerabilities/CVE-2022-34500/70768", "specs": [ "<0.1" ], "v": "<0.1" }, { "advisory": "The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party.", "cve": "CVE-2022-34501", "id": "pyup.io-70770", "more_info_path": "/vulnerabilities/CVE-2022-34501/70770", "specs": [ "<0.1" ], "v": "<0.1" } ], "bin-collection": [ { "advisory": "The bin-collect package in PyPI before v0.1 included a code execution backdoor inserted by a third party.", "cve": "CVE-2022-34500", "id": "pyup.io-70769", "more_info_path": "/vulnerabilities/CVE-2022-34500/70769", "specs": [ "<0.1" ], "v": "<0.1" }, { "advisory": "The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party.", "cve": "CVE-2022-34501", "id": "pyup.io-70771", "more_info_path": "/vulnerabilities/CVE-2022-34501/70771", "specs": [ "<0.1" ], "v": "<0.1" } ], "bincrafters-envy": [ { "advisory": "Bincrafters-envy 0.1.3 updates its dependency 'requests' to v2.20.0 to include a security fix.", "cve": 
"CVE-2018-18074", "id": "pyup.io-36732", "more_info_path": "/vulnerabilities/CVE-2018-18074/36732", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "binderhub": [ { "advisory": "### Impact\n\nA remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration.\n\n### Patches\n\nPatch below, or [on GitHub](https://github.com/jupyterhub/binderhub/commit/195caac172690456dcdc8cc7a6ca50e05abf8182.patch)\n\n```diff\nFrom 9f4043d9dddc1174920e687773f27b7933f48ab6 Mon Sep 17 00:00:00 2001\nFrom: Riccardo Castellotti \nDate: Thu, 19 Aug 2021 15:49:43 +0200\nSubject: [PATCH] Explicitly separate git-ls-remote options from positional\n arguments\n\n---\n binderhub/repoproviders.py | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)\n\ndiff --git a/binderhub/repoproviders.py b/binderhub/repoproviders.py\nindex f33347b..5d4b87c 100755\n--- a/binderhub/repoproviders.py\n+++ b/binderhub/repoproviders.py\n@@ -484,7 +484,7 @@ class GitRepoProvider(RepoProvider):\n self.sha1_validate(self.unresolved_ref)\n except ValueError:\n # The ref is a head/tag and we resolve it using `git ls-remote`\n- command = [\"git\", \"ls-remote\", self.repo, self.unresolved_ref]\n+ command = [\"git\", \"ls-remote\", \"--\", self.repo, self.unresolved_ref]\n result = subprocess.run(command, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n if result.returncode:\n raise RuntimeError(\"Unable to run git ls-remote to get the `resolved_ref`: {}\".format(result.stderr))\n-- \n2.25.1\n\n```\n\n### Workarounds\n\nDisable the git repo 
provider by specifying the `BinderHub.repo_providers` config, e.g.:\n\n```python\nfrom binderhub.repoproviders import (GitHubRepoProvider,\n GitLabRepoProvider, GistRepoProvider,\n ZenodoProvider, FigshareProvider, HydroshareProvider,\n DataverseProvider)\n\nc.BinderHub.repo_providers = {\n 'gh': GitHubRepoProvider,\n 'gist': GistRepoProvider,\n 'gl': GitLabRepoProvider,\n 'zenodo': ZenodoProvider,\n 'figshare': FigshareProvider,\n 'hydroshare': HydroshareProvider,\n 'dataverse': DataverseProvider,\n }\n```\n\n### References\n\nCredit: Jose Carlos Luna Duran (CERN) and Riccardo Castellotti (CERN).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@ipython.org](mailto:security@ipython.org)\n\n\nAffected functions:\nbinderhub.repoproviders.GitRepoProvider.get_resolved_ref", "cve": "CVE-2021-39159", "id": "pyup.io-54316", "more_info_path": "/vulnerabilities/CVE-2021-39159/54316", "specs": [ ">=0,<0.2.0" ], "v": ">=0,<0.2.0" } ], "binpacking": [ { "advisory": "Binpacking 1.5.2 removes 'pytest-runner' dependency as it poses a security risk.\r\nhttps://github.com/benmaier/binpacking/pull/27", "cve": "PVE-2021-43313", "id": "pyup.io-42945", "more_info_path": "/vulnerabilities/PVE-2021-43313/42945", "specs": [ "<1.5.2" ], "v": "<1.5.2" } ], "binwalk": [ { "advisory": "A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. Affected is an unknown function of the file src/binwalk/modules/extractor.py of the component Archive Extraction Handler. The manipulation leads to symlink following. It is possible to launch the attack remotely.", "cve": "CVE-2021-4287", "id": "pyup.io-54630", "more_info_path": "/vulnerabilities/CVE-2021-4287/54630", "specs": [ ">=0,<2.3.3" ], "v": ">=0,<2.3.3" }, { "advisory": "Binwalk 2.3.4 includes a fix for CVE-2022-4510: A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 inclusive. 
By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py.\r\nhttps://github.com/ReFirmLabs/binwalk/pull/617", "cve": "CVE-2022-4510", "id": "pyup.io-54641", "more_info_path": "/vulnerabilities/CVE-2022-4510/54641", "specs": [ ">=2.1.2b,<=2.3.3" ], "v": ">=2.1.2b,<=2.3.3" } ], "biolink-model": [ { "advisory": "Biolink-model 2.2.12 updates its dependency 'lxml' to v4.7.1 to include a security fix.", "cve": "CVE-2021-43818", "id": "pyup.io-43418", "more_info_path": "/vulnerabilities/CVE-2021-43818/43418", "specs": [ "<2.2.12" ], "v": "<2.2.12" } ], "biothings": [ { "advisory": "Biothings 0.12.3 includes a fix for a shell injection vulnerability.\r\nhttps://github.com/biothings/biothings.api/pull/301", "cve": "PVE-2023-62122", "id": "pyup.io-62122", "more_info_path": "/vulnerabilities/PVE-2023-62122/62122", "specs": [ "<0.12.3" ], "v": "<0.12.3" } ], "birdhousebuilder-recipe-nginx": [ { "advisory": "Birdhousebuilder-recipe-nginx 0.1.5 disables SSLv3 protocol to avoid known vulnerabilities.", "cve": "CVE-2014-3566", "id": "pyup.io-36135", "more_info_path": "/vulnerabilities/CVE-2014-3566/36135", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "bise-theme": [ { "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.", "cve": "PVE-2021-25639", "id": "pyup.io-25639", "more_info_path": "/vulnerabilities/PVE-2021-25639/25639", "specs": [ "<2.4" ], "v": "<2.4" } ], "bitbot": [ { "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.", "cve": "PVE-2021-37551", "id": "pyup.io-37551", "more_info_path": "/vulnerabilities/PVE-2021-37551/37551", "specs": [ 
"<1.12.0" ], "v": "<1.12.0" } ], "bitlyshortener": [ { "advisory": "A recent update has significantly reduced the quota for free token-generated links in a specific service, dropping from 1000 to 50 links per month. This reduction severely limits the utility of the service for users who rely on the free token. Consequently, maintenance for the associated package is being discontinued, even though the package will still function with the new restricted quota.", "cve": "PVE-2024-69617", "id": "pyup.io-69617", "more_info_path": "/vulnerabilities/PVE-2024-69617/69617", "specs": [ "<0.7.0" ], "v": "<0.7.0" }, { "advisory": "Due to a sudden upstream breaking change by Bitly, versions of 'bitlyshortener' <0.5.0 can generate an invalid short URL when a vanity domain exists.", "cve": "PVE-2023-55202", "id": "pyup.io-55202", "more_info_path": "/vulnerabilities/PVE-2023-55202/55202", "specs": [ ">=0,<0.5.0" ], "v": ">=0,<0.5.0" }, { "advisory": "Due to a sudden upstream breaking change by Bitly, versions of 'bitlyshortener' <0.6.0 generate invalid short URLs. All users are affected and must update immediately. 
A workaround is to replace \"https://j.mp/\" in each generated short URL with \"https://bit.ly/\".\r\nhttps://github.com/impredicative/bitlyshortener/commit/b307d70bedf745305fa0dd3c5c600d8cb88d09b5", "cve": "PVE-2023-55204", "id": "pyup.io-55204", "more_info_path": "/vulnerabilities/PVE-2023-55204/55204", "specs": [ ">=0,<0.6.0" ], "v": ">=0,<0.6.0" } ], "bittensor": [ { "advisory": "Bittensor 3.4.3 catches precision errors in synapse forward responses that may cause probability sums to exceed permissible boundaries.\r\nhttps://github.com/opentensor/bittensor/pull/991", "cve": "PVE-2022-52000", "id": "pyup.io-52000", "more_info_path": "/vulnerabilities/PVE-2022-52000/52000", "specs": [ "<3.4.3" ], "v": "<3.4.3" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-0217", "id": "pyup.io-59609", "more_info_path": "/vulnerabilities/CVE-2023-0217/59609", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Timing Attack vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2022-4304", "id": "pyup.io-59612", "more_info_path": "/vulnerabilities/CVE-2022-4304/59612", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-0215", "id": "pyup.io-59610", "more_info_path": "/vulnerabilities/CVE-2023-0215/59610", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service 
vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-2650", "id": "pyup.io-59533", "more_info_path": "/vulnerabilities/CVE-2023-2650/59533", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2022-3996", "id": "pyup.io-59617", "more_info_path": "/vulnerabilities/CVE-2022-3996/59617", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-0401", "id": "pyup.io-59608", "more_info_path": "/vulnerabilities/CVE-2023-0401/59608", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Type Confusion vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-0286", "id": "pyup.io-59611", "more_info_path": "/vulnerabilities/CVE-2023-0286/59611", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2022-4203", "id": "pyup.io-59614", "more_info_path": "/vulnerabilities/CVE-2022-4203/59614", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-0216", "id": "pyup.io-59613", 
"more_info_path": "/vulnerabilities/CVE-2023-0216/59613", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2022-4450", "id": "pyup.io-59615", "more_info_path": "/vulnerabilities/CVE-2022-4450/59615", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix an Expected Behavior Violation vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4", "cve": "CVE-2023-23931", "id": "pyup.io-59616", "more_info_path": "/vulnerabilities/CVE-2023-23931/59616", "specs": [ "<5.3.1" ], "v": "<5.3.1" }, { "advisory": "Bittensor version 6.12.0 updates FastAPI to versions 0.99.1 and 0.110.1 to address security issues highlighted in CVE-2024-24762.", "cve": "CVE-2024-24762", "id": "pyup.io-70789", "more_info_path": "/vulnerabilities/CVE-2024-24762/70789", "specs": [ "<6.12.0" ], "v": "<6.12.0" }, { "advisory": "Bittensor version 6.12.0 updates its cryptography library to versions 42.0.0 and 42.0.5 to address the security vulnerabilities outlined in CVE-2024-26130.", "cve": "CVE-2023-5363", "id": "pyup.io-70793", "more_info_path": "/vulnerabilities/CVE-2023-5363/70793", "specs": [ "<6.12.0" ], "v": "<6.12.0" }, { "advisory": "Bittensor version 6.12.0 updates its `certifi` package to versions 2023.7.22 and 2024.2.2 to address the security issues identified in CVE-2023-37920.", "cve": "CVE-2023-37920", "id": "pyup.io-70794", "more_info_path": "/vulnerabilities/CVE-2023-37920/70794", "specs": [ "<6.12.0" ], "v": "<6.12.0" }, { "advisory": "Bittensor 6.4.4 upgrades its aiohttp dependency from version 3.8.5 to 3.9.0 in response to the 
CVE-2023-49081.\r\nhttps://github.com/opentensor/bittensor/pull/1597/commits/dc7ab6307e465a2dc110677319c58580067d13fc", "cve": "CVE-2023-49081", "id": "pyup.io-63597", "more_info_path": "/vulnerabilities/CVE-2023-49081/63597", "specs": [ "<6.4.4" ], "v": "<6.4.4" }, { "advisory": "Bittensor 6.4.4 upgrades its aiohttp dependency from version 3.8.5 to 3.9.0 in response to the CVE-2023-49082.\r\nhttps://github.com/opentensor/bittensor/pull/1597/commits/dc7ab6307e465a2dc110677319c58580067d13fc", "cve": "CVE-2023-49082", "id": "pyup.io-63903", "more_info_path": "/vulnerabilities/CVE-2023-49082/63903", "specs": [ "<6.4.4" ], "v": "<6.4.4" } ], "biweeklybudget": [ { "advisory": "Biweeklybudget 1.1.0 updates its dependency 'SQLAlchemy' to v1.3.13 to include a security fix.", "cve": "CVE-2019-7548", "id": "pyup.io-52592", "more_info_path": "/vulnerabilities/CVE-2019-7548/52592", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Biweeklybudget 1.1.0 updates its dependency 'Flask' to v1.0.2 to include a security fix.", "cve": "CVE-2018-1000656", "id": "pyup.io-52663", "more_info_path": "/vulnerabilities/CVE-2018-1000656/52663", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Biweeklybudget 1.1.0 updates its dependency 'cryptography' to v2.3.1 to include a security fix.", "cve": "CVE-2018-10903", "id": "pyup.io-52664", "more_info_path": "/vulnerabilities/CVE-2018-10903/52664", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Biweeklybudget 1.1.0 updates its dependency 'jinja2' to v2.10.3 to include a security fix.", "cve": "CVE-2019-10906", "id": "pyup.io-52665", "more_info_path": "/vulnerabilities/CVE-2019-10906/52665", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "bjoern": [ { "advisory": "bjoern before 1.4.2 uses an insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.", "cve": "CVE-2015-0219", "id": "pyup.io-25640", "more_info_path": "/vulnerabilities/CVE-2015-0219/25640", "specs": [ 
"<1.4.2" ], "v": "<1.4.2" } ], "black": [ { "advisory": "Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.", "cve": "CVE-2024-21503", "id": "pyup.io-66742", "more_info_path": "/vulnerabilities/CVE-2024-21503/66742", "specs": [ "<24.3.0" ], "v": "<24.3.0" } ], "blackboardsync": [ { "advisory": "Blackboardsync 0.11.1rc.1 sets the pyqt5-qt5 version in the Pipfile and updates PyQt5 due to a security release addressing a recent cURL vulnerability. This update, specific to macOS, resolves an issue where the Pipfile.lock was not valid on other platforms, ensuring compatibility across different operating systems. The PyQt5 version is also updated in the pyproject.toml to maintain security and functionality.", "cve": "PVE-2024-67002", "id": "pyup.io-67002", "more_info_path": "/vulnerabilities/PVE-2024-67002/67002", "specs": [ "<0.11.1rc.1" ], "v": "<0.11.1rc.1" }, { "advisory": "Blackboardsync 0.9.8 updates its dependency 'certifi' from 2023.5.7 to 2023.7.22 to include a security fix.", "cve": "CVE-2023-37920", "id": "pyup.io-61022", "more_info_path": "/vulnerabilities/CVE-2023-37920/61022", "specs": [ "<0.9.8" ], "v": "<0.9.8" } ], "blackduck": [ { "advisory": "Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases. 
See CVE-2020-27589.", "cve": "CVE-2020-27589", "id": "pyup.io-39070", "more_info_path": "/vulnerabilities/CVE-2020-27589/39070", "specs": [ ">=0.0.25,<=0.0.52" ], "v": ">=0.0.25,<=0.0.52" } ], "blackjack21": [ { "advisory": "Blackjack21 3.0.0 fixes several vulnerabilities related to data validation.\r\nhttps://github.com/rahul-nanwani/blackjack21/compare/2.0.1...v3.0.0#diff-312bb1d80aad60b8051333de1b78b15004177c233da9712b4fd1799b78bdc1c3R1", "cve": "PVE-2022-52382", "id": "pyup.io-52382", "more_info_path": "/vulnerabilities/PVE-2022-52382/52382", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "blacksheep": [ { "advisory": "Blacksheep 1.2.5 adds built-in support for anti-forgery validation to protect against Cross-Site Request Forgery (XSRF/CSRF) attacks.", "cve": "PVE-2022-46072", "id": "pyup.io-46072", "more_info_path": "/vulnerabilities/PVE-2022-46072/46072", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "blask": [ { "advisory": "Blask 0.2.2 fixes some vulnerabilities. See: .", "cve": "PVE-2021-39028", "id": "pyup.io-39028", "more_info_path": "/vulnerabilities/PVE-2021-39028/39028", "specs": [ "<0.2.2" ], "v": "<0.2.2" } ], "blazar": [ { "advisory": "An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected. 
See: CVE-2020-26943.", "cve": "CVE-2020-26943", "id": "pyup.io-38884", "more_info_path": "/vulnerabilities/CVE-2020-26943/38884", "specs": [ "<1.3.1" ], "v": "<1.3.1" } ], "bleach": [ { "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.\r\nhttps://github.com/mozilla/bleach/commit/5490eb633def7983c3062b5657193e4210af4a49", "cve": "PVE-2021-34965", "id": "pyup.io-34965", "more_info_path": "/vulnerabilities/PVE-2021-34965/34965", "specs": [ "<2.1" ], "v": "<2.1" }, { "advisory": "Bleach 3.1.2 includes a fix for CVE-2020-6816: Mutation XSS via whitelisted math or svg and RCDATA tag with strip=False.\r\nhttps://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743", "cve": "CVE-2020-6816", "id": "pyup.io-42298", "more_info_path": "/vulnerabilities/CVE-2020-6816/42298", "specs": [ "<3.1.2" ], "v": "<3.1.2" }, { "advisory": "Bleach 3.3.0 includes a fix for CVE-2021-23980: A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.", "cve": "CVE-2021-23980", "id": "pyup.io-51843", "more_info_path": "/vulnerabilities/CVE-2021-23980/51843", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { "advisory": "Bleach 3.1.1 includes a fix for CVE-2020-6802: Mutation XSS in bleach.clean when noscript and raw tag whitelisted.\r\nhttps://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", "cve": "CVE-2020-6802", "id": "pyup.io-42297", "more_info_path": "/vulnerabilities/CVE-2020-6802/42297", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" }, { "advisory": "Bleach 3.1.4 includes a fix for CVE-2020-6817: bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). 
Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).", "cve": "CVE-2020-6817", "id": "pyup.io-38107", "more_info_path": "/vulnerabilities/CVE-2020-6817/38107", "specs": [ "<=3.1.3" ], "v": "<=3.1.3" }, { "advisory": "bleach 2.1.3 fixes a security issue. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.", "cve": "CVE-2018-7753", "id": "pyup.io-35792", "more_info_path": "/vulnerabilities/CVE-2018-7753/35792", "specs": [ ">=2.1,<2.1.3" ], "v": ">=2.1,<2.1.3" } ], "bleach-extras": [ { "advisory": "Bleach-extras 0.0.4 requires bleach version >=3.2.1 to deal with security issues.", "cve": "CVE-2018-7753", "id": "pyup.io-46484", "more_info_path": "/vulnerabilities/CVE-2018-7753/46484", "specs": [ "<0.0.4" ], "v": "<0.0.4" }, { "advisory": "Bleach-extras 0.0.4 requires bleach version >=3.2.1 to deal with security issues.", "cve": "CVE-2020-6817", "id": "pyup.io-38875", "more_info_path": "/vulnerabilities/CVE-2020-6817/38875", "specs": [ "<0.0.4" ], "v": "<0.0.4" }, { "advisory": "Bleach-extras 0.0.4 requires bleach version >=3.2.1 to deal with security issues.", "cve": "CVE-2020-6816", "id": "pyup.io-46482", "more_info_path": "/vulnerabilities/CVE-2020-6816/46482", "specs": [ "<0.0.4" ], "v": "<0.0.4" }, { "advisory": "Bleach-extras 0.0.4 requires bleach version >=3.2.1 to deal with security issues.", "cve": "CVE-2020-6802", "id": "pyup.io-46483", "more_info_path": "/vulnerabilities/CVE-2020-6802/46483", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "blendernc": [ { "advisory": "Blendernc 0.6.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22816", "id": "pyup.io-50126", "more_info_path": "/vulnerabilities/CVE-2022-22816/50126", "specs": [ 
"<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Blendernc 0.6.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "PVE-2021-44525", "id": "pyup.io-50128", "more_info_path": "/vulnerabilities/PVE-2021-44525/50128", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Blendernc 0.6.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "CVE-2022-22815", "id": "pyup.io-50111", "more_info_path": "/vulnerabilities/CVE-2022-22815/50111", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Blendernc 0.6.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", "cve": "PVE-2022-44524", "id": "pyup.io-50127", "more_info_path": "/vulnerabilities/PVE-2022-44524/50127", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "blickfeld-qb2": [ { "advisory": "Blickfeld-qb2 1.7 patches CVE Security.\r\nhttps://github.com/Blickfeld/blickfeld-qb2/commit/27424bcd7c69c06e7cdfa60a37c7d8534eb0dfb0", "cve": "PVE-2023-62984", "id": "pyup.io-62984", "more_info_path": "/vulnerabilities/PVE-2023-62984/62984", "specs": [ "<1.7" ], "v": "<1.7" } ], "blinkpy": [ { "advisory": "blinkpy 0.10.2 sets the minimum required version of the requests library to 2.20.0 due to a vulnerability in earlier releases.", "cve": "PVE-2021-36596", "id": "pyup.io-36596", "more_info_path": "/vulnerabilities/PVE-2021-36596/36596", "specs": [ "<0.10.2" ], "v": "<0.10.2" } ], "blint": [ { "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below use LIEF as a dependency, which has a CVE in its versions below 0.13.0. \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-43171\r\nhttps://github.com/lief-project/LIEF/issues/782", "cve": "CVE-2022-43171", "id": "pyup.io-62771", "more_info_path": "/vulnerabilities/CVE-2022-43171/62771", "specs": [ "<=1.0.35" ], "v": "<=1.0.35" }, { "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below use LIEF as a dependency, which has a CVE in its versions below 0.13.0. 
\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38496\r\nhttps://deps.dev/pypi/blint/1.0.35/dependencies", "cve": "CVE-2022-38496", "id": "pyup.io-62768", "more_info_path": "/vulnerabilities/CVE-2022-38496/62768", "specs": [ "<=1.0.35" ], "v": "<=1.0.35" } ], "block-io": [ { "advisory": "block-io 1.1.7 includes a fix for CVE-2013-7459 - https://security-tracker.debian.org/tracker/CVE-2013-7459", "cve": "CVE-2013-7459", "id": "pyup.io-36442", "more_info_path": "/vulnerabilities/CVE-2013-7459/36442", "specs": [ "<1.1.7" ], "v": "<1.1.7" }, { "advisory": "Block-io 1.1.9 updates its dependency 'requests' to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-36712", "more_info_path": "/vulnerabilities/CVE-2018-18074/36712", "specs": [ "<1.1.9" ], "v": "<1.1.9" } ], "blueice": [ { "advisory": "Blueice 1.1.0 fixes a race condition that arose when parallel jobs attempted to write to the same cache file simultaneously. This update introduces the use of the atomicwrites package, ensuring atomic file writing operations. It prevents data corruption and ensures the integrity of cache files.", "cve": "PVE-2024-64087", "id": "pyup.io-64087", "more_info_path": "/vulnerabilities/PVE-2024-64087/64087", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "boatswain": [ { "advisory": "Boatswain 1.0.4 includes a security patch for the function 'main' in 'boatswain/cli.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. 
Consider yaml.safe_load().\r\nhttps://github.com/NLeSC/boatswain/commit/1fc3f79b8f1f2affb407c7a147cca71c11f26d3c", "cve": "CVE-2017-18342", "id": "pyup.io-41308", "more_info_path": "/vulnerabilities/CVE-2017-18342/41308", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "boaviztapi": [ { "advisory": "Boaviztapi bumped requests from 2.31.0 to 2.32.2 via Dependabot to address CVE-2024-35195.", "cve": "CVE-2024-35195", "id": "pyup.io-73400", "more_info_path": "/vulnerabilities/CVE-2024-35195/73400", "specs": [ "<1.3" ], "v": "<1.3" }, { "advisory": "Boaviztapi bumped idna from 3.6 to 3.7 via Dependabot to address CVE-2024-3651.", "cve": "CVE-2024-3651", "id": "pyup.io-73378", "more_info_path": "/vulnerabilities/CVE-2024-3651/73378", "specs": [ "<1.3" ], "v": "<1.3" }, { "advisory": "Boaviztapi bumped certifi from 2024.2.2 to 2024.7.4 via Dependabot to address CVE-2024-39689.", "cve": "CVE-2024-39689", "id": "pyup.io-73399", "more_info_path": "/vulnerabilities/CVE-2024-39689/73399", "specs": [ "<1.3" ], "v": "<1.3" } ], "bobocep": [ { "advisory": "Bobocep 1.2.1 updates its pycryptodome dependency from version 3.19.0 to 3.20.0 to address CVE-2023-52323.", "cve": "CVE-2023-52323", "id": "pyup.io-71800", "more_info_path": "/vulnerabilities/CVE-2023-52323/71800", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "bobtemplates-cs": [ { "advisory": "Bobtemplates.cs 1.6 improves default security policies for Nginx.\r\nhttps://github.com/codesyntax/bobtemplates.cs/commit/c3b00adfc1210c46c49f269a7dbd85a91435463f", "cve": "PVE-2022-51164", "id": "pyup.io-51164", "more_info_path": "/vulnerabilities/PVE-2022-51164/51164", "specs": [ "<1.6" ], "v": "<1.6" } ], "bodhi": [ { "advisory": "Bodhi 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. 
Additionally, the captcha is\r\nwarped to make it more difficult to solve through automation.\r\nhttps://github.com/fedora-infra/bodhi/pull/857\r\nhttps://github.com/fedora-infra/bodhi/commit/f0122855", "cve": "CVE-2016-1000008", "id": "pyup.io-34274", "more_info_path": "/vulnerabilities/CVE-2016-1000008/34274", "specs": [ "<2.2.0" ], "v": "<2.2.0" }, { "advisory": "Bodhi 5.6.1 fixes two reflected XSS vulnerabilities.", "cve": "CVE-2020-15855", "id": "pyup.io-48555", "more_info_path": "/vulnerabilities/CVE-2020-15855/48555", "specs": [ "<5.6.1" ], "v": "<5.6.1" }, { "advisory": "Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.", "cve": "CVE-2017-1002152", "id": "pyup.io-42337", "more_info_path": "/vulnerabilities/CVE-2017-1002152/42337", "specs": [ "<=2.9.0" ], "v": "<=2.9.0" } ], "bodhi-server": [ { "advisory": "Bodhi-server 2.2.0 addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. 
Additionally, the captcha is warped to make it more difficult to solve through automation.\r\nSee: https://github.com/fedora-infra/bodhi/pull/857\r\nAnd: https://github.com/fedora-infra/bodhi/commit/f0122855", "cve": "CVE-2016-1000008", "id": "pyup.io-34241", "more_info_path": "/vulnerabilities/CVE-2016-1000008/34241", "specs": [ "<2.2.0" ], "v": "<2.2.0" } ], "bokeh": [ { "advisory": "Bokeh before 1.0.4 used a Pyyaml version that was vulnerable to CVE-2017-18342.", "cve": "CVE-2017-18342", "id": "pyup.io-36780", "more_info_path": "/vulnerabilities/CVE-2017-18342/36780", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Bokeh 1.1.0 updates its NPM dependency 'handlebars' to v4.1.0 to include a security fix.", "cve": "PVE-2021-37031", "id": "pyup.io-37031", "more_info_path": "/vulnerabilities/PVE-2021-37031/37031", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Bokeh 1.2.0 updates its NPM dependency 'js-yaml' to v3.13.1 to include a security fix.", "cve": "PVE-2022-45295", "id": "pyup.io-45295", "more_info_path": "/vulnerabilities/PVE-2022-45295/45295", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Bokeh 1.2.0 updates its NPM dependency 'jquery' to v3.4.0 to include security fixes.", "cve": "CVE-2019-11358", "id": "pyup.io-45293", "more_info_path": "/vulnerabilities/CVE-2019-11358/45293", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Bokeh 1.2.0 updates its NPM dependency 'handlebars' to v4.1.2 to include a security fix.", "cve": "PVE-2021-37170", "id": "pyup.io-37170", "more_info_path": "/vulnerabilities/PVE-2021-37170/37170", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Bokeh 1.2.0 updates its NPM dependency 'jquery' to v3.4.0 to include security fixes.", "cve": "CVE-2019-11358", "id": "pyup.io-45294", "more_info_path": "/vulnerabilities/CVE-2019-11358/45294", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", "cve": "CVE-2021-41183", 
"id": "pyup.io-42814", "more_info_path": "/vulnerabilities/CVE-2021-41183/42814", "specs": [ "<2.4.2" ], "v": "<2.4.2" }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", "cve": "CVE-2021-41184", "id": "pyup.io-42815", "more_info_path": "/vulnerabilities/CVE-2021-41184/42815", "specs": [ "<2.4.2" ], "v": "<2.4.2" }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", "cve": "CVE-2021-41182", "id": "pyup.io-42772", "more_info_path": "/vulnerabilities/CVE-2021-41182/42772", "specs": [ "<2.4.2" ], "v": "<2.4.2" } ], "bookops-worldcat": [ { "advisory": "Bookops-worldcat version 0.3.5 updates its urllib3 dependency to 1.26.5, addressing security vulnerability CVE-2021-33503.", "cve": "CVE-2021-33503", "id": "pyup.io-66958", "more_info_path": "/vulnerabilities/CVE-2021-33503/66958", "specs": [ "<0.3.5" ], "v": "<0.3.5" } ], "borgbackup": [ { "advisory": "Borgbackup is vulnerable to an unauthorized remote repository access vulnerability. If you used e.g. --restrict-to-path /path/client1/ (with or without trailing slash does not make a difference), it acted like a path prefix match using /path/client1 (note the missing trailing slash) - the code then also allowed working in e.g. /path/client13 or /path/client1000.\r\nhttps://github.com/borgbackup/borg/issues/1428", "cve": "PVE-2024-64382", "id": "pyup.io-64382", "more_info_path": "/vulnerabilities/PVE-2024-64382/64382", "specs": [ "<1.0.7" ], "v": "<1.0.7" }, { "advisory": "Borgbackup is vulnerable to spoofing in borg check. 
When rebuilding the manifest (which should only be needed very rarely) duplicate archive names would be handled on a \"first come first serve\" basis, allowing an attacker to apparently replace archives.", "cve": "CVE-2016-10100", "id": "pyup.io-64398", "more_info_path": "/vulnerabilities/CVE-2016-10100/64398", "specs": [ "<1.0.9" ], "v": "<1.0.9" }, { "advisory": "Borgbackup is vulnerable to a flaw in the cryptographic authentication scheme. It allowed an attacker to spoof the manifest.", "cve": "CVE-2016-10099", "id": "pyup.io-64397", "more_info_path": "/vulnerabilities/CVE-2016-10099/64397", "specs": [ "<1.0.9" ], "v": "<1.0.9" }, { "advisory": "Borgbackup is affected by a wrong permissions vulnerability. As a fix, Fuse was configured with \"default_permissions\". Without that, someone could access a mount with -o uid=1001,umask=077 as user 1000.\r\nhttps://github.com/borgbackup/borg/issues/3903", "cve": "PVE-2024-64380", "id": "pyup.io-64380", "more_info_path": "/vulnerabilities/PVE-2024-64380/64380", "specs": [ "<1.1.9" ], "v": "<1.1.9" }, { "advisory": "Borgbackup is affected by an archive spoofing vulnerability. 
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.\r\nhttps://github.com/borgbackup/borg/blob/1.2.6/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811", "cve": "CVE-2023-36811", "id": "pyup.io-64379", "more_info_path": "/vulnerabilities/CVE-2023-36811/64379", "specs": [ "<1.2.6" ], "v": "<1.2.6" }, { "advisory": "Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers 1.1.x before 1.1.3.", "cve": "CVE-2017-15914", "id": "pyup.io-53939", "more_info_path": "/vulnerabilities/CVE-2017-15914/53939", "specs": [ ">=1.1.0b1,<1.1.3" ], "v": ">=1.1.0b1,<1.1.3" } ], "borgmatic": [ { "advisory": "Borgmatic is vulnerable to shell injection within the SQLite hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64393", "id": "pyup.io-64393", "more_info_path": "/vulnerabilities/PVE-2024-64393/64393", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Borgmatic is vulnerable to shell injection within the command hook variable/constant interpolation.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64395", "id": "pyup.io-64395", "more_info_path": "/vulnerabilities/PVE-2024-64395/64395", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Borgmatic is vulnerable to shell injection within the PostgreSQL hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64386", "id": "pyup.io-64386", "more_info_path": "/vulnerabilities/PVE-2024-64386/64386", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Borgmatic is vulnerable to shell injection within the \"borgmatic borg\" 
action.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64394", "id": "pyup.io-64394", "more_info_path": "/vulnerabilities/PVE-2024-64394/64394", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Borgmatic is vulnerable to shell injection within the MongoDB hook.\r\nhttps://github.com/borgmatic-collective/borgmatic/commit/3c22a8ec164087beb1d292dc114f78f8b6382ae2", "cve": "PVE-2024-64392", "id": "pyup.io-64392", "more_info_path": "/vulnerabilities/PVE-2024-64392/64392", "specs": [ "<1.8.7" ], "v": "<1.8.7" } ], "boss-cli": [ { "advisory": "Boss-cli 1.0.0a20 updates its dependency 'requests' to v2.20.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-38521", "more_info_path": "/vulnerabilities/CVE-2018-18074/38521", "specs": [ "<1.0.0a20" ], "v": "<1.0.0a20" }, { "advisory": "Boss-cli 1.0.0alpha.18 updates its dependency 'paramiko' to v2.4.1 to include a security fix.", "cve": "CVE-2018-7750", "id": "pyup.io-36543", "more_info_path": "/vulnerabilities/CVE-2018-7750/36543", "specs": [ "<1.0.0alpha.18" ], "v": "<1.0.0alpha.18" }, { "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).", "cve": "CVE-2017-18342", "id": "pyup.io-37129", "more_info_path": "/vulnerabilities/CVE-2017-18342/37129", "specs": [ "<1.0.0beta.6" ], "v": "<1.0.0beta.6" } ], "botaa3": [ { "advisory": "Botaa3 is a malicious package, typosquatting. 
It creates a backdoor in your system.\r\nhttps://blog.sonatype.com/another-day-of-malware-malicious-botaa3-pypi-package", "cve": "PVE-2022-45424", "id": "pyup.io-45424", "more_info_path": "/vulnerabilities/PVE-2022-45424/45424", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "botframework-connector": [ { "advisory": "Bot Framework SDK Information Disclosure Vulnerability.\r\nhttps://github.com/microsoft/botbuilder-python/security/advisories/GHSA-cqff-fx2x-p86v", "cve": "CVE-2021-1725", "id": "pyup.io-54255", "more_info_path": "/vulnerabilities/CVE-2021-1725/54255", "specs": [ ">=4.7.0,<4.7.2", ">=4.8.0,<4.8.1", ">=4.9.0,<4.9.3", ">=4.10.0,<4.10.1" ], "v": ">=4.7.0,<4.7.2,>=4.8.0,<4.8.1,>=4.9.0,<4.9.3,>=4.10.0,<4.10.1" } ], "boto": [ { "advisory": "Boto 2.39.0 replaces yaml.load() with yaml.safe_load() to avoid a Code Execution vulnerability.", "cve": "PVE-2017-47528", "id": "pyup.io-47528", "more_info_path": "/vulnerabilities/PVE-2017-47528/47528", "specs": [ "<2.39.0" ], "v": "<2.39.0" }, { "advisory": "Boto 2.9.0 disables loading of external XML entities in BotoServerErrors.\r\nhttps://github.com/jamesls/boto/commit/1ad6e6b233e9cb021269ef3ce9f8a610587e50b9", "cve": "PVE-2022-48018", "id": "pyup.io-48018", "more_info_path": "/vulnerabilities/PVE-2022-48018/48018", "specs": [ "<2.9.0" ], "v": "<2.9.0" } ], "boto3": [ { "advisory": "Boto3 version 1.4.5 fixes an information exposure vulnerability: The boto logger boto3.resources.action, which propagates to root logger, logs the entire uploaded bytes at INFO level.\r\nhttps://github.com/boto/boto3/issues/1017", "cve": "PVE-2021-41708", "id": "pyup.io-41708", "more_info_path": "/vulnerabilities/PVE-2021-41708/41708", "specs": [ "<1.4.5" ], "v": "<1.4.5" }, { "advisory": "Boto3 1.6.12 updates its dependency 'botocore' to version '1.9.12' to include a fix for a Race Condition vulnerability.\r\nhttps://github.com/boto/boto3/commit/71331aad6060e51db42f0c43be4ed34857845647", "cve": "PVE-2023-59547", "id": "pyup.io-59549", 
"more_info_path": "/vulnerabilities/PVE-2023-59547/59549", "specs": [ "<1.6.12" ], "v": "<1.6.12" } ], "boto33": [ { "advisory": "Boto33 is a malicious package, pytosquatting the popular package 'boto3'. It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53254", "id": "pyup.io-53254", "more_info_path": "/vulnerabilities/PVE-2023-53254/53254", "specs": [ ">=0" ], "v": ">=0" } ], "botoa": [ { "advisory": "Botoa is a malicious package, pytosquatting the popular package 'boto3'. It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53255", "id": "pyup.io-53255", "more_info_path": "/vulnerabilities/PVE-2023-53255/53255", "specs": [ ">=0" ], "v": ">=0" } ], "botoa3": [ { "advisory": "Botoa3 is a malicious package, pytosquatting the popular package 'boto3'. It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53256", "id": "pyup.io-53256", "more_info_path": "/vulnerabilities/PVE-2023-53256/53256", "specs": [ ">=0" ], "v": ">=0" } ], "botocore": [ { "advisory": "Botocore 1.9.12 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/boto/botocore/pull/1405", "cve": "PVE-2023-59547", "id": "pyup.io-59547", "more_info_path": "/vulnerabilities/PVE-2023-59547/59547", "specs": [ "<1.9.12" ], "v": "<1.9.12" } ], "botoo": [ { "advisory": "Botoo is a malicious package, pytosquatting the popular package 'boto3'. 
It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53257", "id": "pyup.io-53257", "more_info_path": "/vulnerabilities/PVE-2023-53257/53257", "specs": [ ">=0" ], "v": ">=0" } ], "bottle": [ { "advisory": "redirect() in bottle.py in bottle 0.12.10 doesn't filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.", "cve": "CVE-2016-9964", "id": "pyup.io-25642", "more_info_path": "/vulnerabilities/CVE-2016-9964/25642", "specs": [ "<0.12.10" ], "v": "<0.12.10" }, { "advisory": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. 
See CVE-2020-28473.", "cve": "CVE-2020-28473", "id": "pyup.io-39461", "more_info_path": "/vulnerabilities/CVE-2020-28473/39461", "specs": [ "<0.12.19" ], "v": "<0.12.19" }, { "advisory": "Bottle before 0.12.20 mishandles errors during early request binding.", "cve": "CVE-2022-31799", "id": "pyup.io-49258", "more_info_path": "/vulnerabilities/CVE-2022-31799/49258", "specs": [ "<0.12.20" ], "v": "<0.12.20" }, { "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.", "cve": "CVE-2014-3137", "id": "pyup.io-35548", "more_info_path": "/vulnerabilities/CVE-2014-3137/35548", "specs": [ ">=0.10,<0.10.12", ">=0.11,<0.11.7", ">=0.12,<0.12.6" ], "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6" } ], "bounter": [ { "advisory": "A null pointer reference is found within the CMS_Conservative_increment_obj function in bounter version 1.01 and 1.10, developed by RaRe-Technologies. This vulnerability allows potential attackers to initiate Denial of Service attacks through the submission of extremely large hash bucket widths.", "cve": "CVE-2021-41497", "id": "pyup.io-62664", "more_info_path": "/vulnerabilities/CVE-2021-41497/62664", "specs": [ "==1.01", "==1.10" ], "v": "==1.01,==1.10" } ], "boussole": [ { "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. 
Boussole now uses the full loader mode so it does not trigger a warning anymore.", "cve": "PVE-2021-37147", "id": "pyup.io-37147", "more_info_path": "/vulnerabilities/PVE-2021-37147/37147", "specs": [ "<1.5.0" ], "v": "<1.5.0" } ], "brasil-gov-portal": [ { "advisory": "Brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.", "cve": "CVE-2017-1000484", "id": "pyup.io-35086", "more_info_path": "/vulnerabilities/CVE-2017-1000484/35086", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "brds": [ { "advisory": "Brds 0.3.0 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/brahle/brds/commit/65a470df27a35d03ca4349707baa0fb0c8c6da43", "cve": "PVE-2023-55038", "id": "pyup.io-55038", "more_info_path": "/vulnerabilities/PVE-2023-55038/55038", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "bridgecrew": [ { "advisory": "Checkov 2.0.1029 introduces a fix for a vulnerability that previously allowed security group rules in Terraform configurations to permit unrestricted ingress access from 0.0.0.0:0 to port 22, commonly used for SSH.\r\nhttps://github.com/bridgecrewio/checkov/issues/1973\r\nhttps://github.com/bridgecrewio/checkov/pull/2749", "cve": "PVE-2024-63921", "id": "pyup.io-63921", "more_info_path": "/vulnerabilities/PVE-2024-63921/63921", "specs": [ "<2.0.1029" ], "v": "<2.0.1029" }, { "advisory": "Bridgecrew 2.0.677 fixes unsafe regex to prevent ReDOS attacks.\r\nhttps://github.com/bridgecrewio/checkov/commit/333d3bcc6c9c178bffc37ac19422b41b665bfbc9", "cve": "PVE-2024-63660", "id": "pyup.io-63660", "more_info_path": "/vulnerabilities/PVE-2024-63660/63660", "specs": [ "<2.0.677" ], "v": "<2.0.677" }, { "advisory": "Bridgecrew before 2.0.26 is vulnerable to unsafe deserialization, which allows arbitrary code execution when processing a malicious terraform file.", "cve": "CVE-2021-3035", "id": "pyup.io-63934", "more_info_path": "/vulnerabilities/CVE-2021-3035/63934", "specs": [ 
">=2.0.0,<2.0.26" ], "v": ">=2.0.0,<2.0.26" } ], "brotli": [ { "advisory": "A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update Brotli library to 1.0.8 or later. If one cannot update, it is recommended to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits.", "cve": "CVE-2020-8927", "id": "pyup.io-42299", "more_info_path": "/vulnerabilities/CVE-2020-8927/42299", "specs": [ "<1.0.8" ], "v": "<1.0.8" } ], "brotli-asgi": [ { "advisory": "Brotli-asgi 1.4.0 updates its dependency 'starlette' to v0.25.0 to include a security fix.", "cve": "CVE-2023-30798", "id": "pyup.io-55157", "more_info_path": "/vulnerabilities/CVE-2023-30798/55157", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "brume": [ { "advisory": "Brume 2.0.2 includes a security patch for the function 'load' in 'brume/config.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. 
Consider yaml.safe_load().\r\nhttps://github.com/flou/brume/commit/9407537a4f24521b6d009a52a77b4f6deabb0b71#diff-db395031eb85fc2c76864f9a9e13ed341de029a79e0fc76a798090f50504fb6a", "cve": "CVE-2017-18342", "id": "pyup.io-41309", "more_info_path": "/vulnerabilities/CVE-2017-18342/41309", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "bsblan": [ { "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.", "cve": "PVE-2021-37697", "id": "pyup.io-37697", "more_info_path": "/vulnerabilities/PVE-2021-37697/37697", "specs": [ "<0.27" ], "v": "<0.27" } ], "bsdiff4": [ { "advisory": "Bsdiff4 1.2.0 includes a fix for CVE-2020-15904: A buffer overflow in the patching routine of bsdiff4 before 1.2.0 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.", "cve": "CVE-2020-15904", "id": "pyup.io-42280", "more_info_path": "/vulnerabilities/CVE-2020-15904/42280", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "buildbot": [ { "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.\r\nhttps://github.com/buildbot/buildbot/commit/e159e4ed0a2fee9c7e41e81ae81333b0c9557256", "cve": "PVE-2021-36320", "id": "pyup.io-36320", "more_info_path": "/vulnerabilities/PVE-2021-36320/36320", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Buildbot 1.8.1 includes a fix for CVE-2019-7313: www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.", "cve": "CVE-2019-7313", "id": "pyup.io-36865", "more_info_path": "/vulnerabilities/CVE-2019-7313/36865", "specs": [ "<1.8.1" ], "v": "<1.8.1" }, { "advisory": "Buildbot 1.8.2 and 2.3.1 fix a vulnerability in OAuth where a user-submitted authorization token was used for authentication. 
See: .", "cve": "CVE-2019-12300", "id": "pyup.io-37160", "more_info_path": "/vulnerabilities/CVE-2019-12300/37160", "specs": [ "<1.8.2", ">=2.0.0,<2.3.1" ], "v": "<1.8.2,>=2.0.0,<2.3.1" }, { "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 through 0.7.11p2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, different vulnerabilities than CVE-2009-2959.", "cve": "CVE-2009-2967", "id": "pyup.io-54043", "more_info_path": "/vulnerabilities/CVE-2009-2967/54043", "specs": [ ">=0.7.6,<0.7.12" ], "v": ">=0.7.6,<0.7.12" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the waterfall web status view (status/web/waterfall.py) in Buildbot 0.7.6 through 0.7.11p1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "cve": "CVE-2009-2959", "id": "pyup.io-54042", "more_info_path": "/vulnerabilities/CVE-2009-2959/54042", "specs": [ ">=0.7.6,<0.7.12" ], "v": ">=0.7.6,<0.7.12" } ], "bullmq": [ { "advisory": "Bullmq 1.14.1 addresses a race condition identified in job finish queue events. It previously led to potential data inconsistencies within the queue management system, especially under heavy load with concurrent job processing. \r\nhttps://github.com/taskforcesh/bullmq/commit/355bca5ee128bf4ff37608746f9c6f7cca580eb0", "cve": "PVE-2024-63935", "id": "pyup.io-63935", "more_info_path": "/vulnerabilities/PVE-2024-63935/63935", "specs": [ "<1.14.1" ], "v": "<1.14.1" }, { "advisory": "Bullmq 5.1.3 upgrades its msgpackr dependency to version ^1.10.1 from the earlier ^1.6.2, in response to the security vulnerability identified as CVE-2023-52079. 
\r\nhttps://github.com/taskforcesh/bullmq/commit/7ae095357fddbdaacc286cbe5782946b95160d55", "cve": "CVE-2023-52079", "id": "pyup.io-64213", "more_info_path": "/vulnerabilities/CVE-2023-52079/64213", "specs": [ "<5.1.3" ], "v": "<5.1.3" } ], "bumblebee-status": [ { "advisory": "Bumblebee-status 2.1.6 fixes insecure use of tempfile in modules/rss.\r\nhttps://github.com/tobi-wan-kenobi/bumblebee-status/commit/4f9553f7ea4ca9d9166980384669c451b74cd019", "cve": "PVE-2022-51108", "id": "pyup.io-51108", "more_info_path": "/vulnerabilities/PVE-2022-51108/51108", "specs": [ "<2.1.6" ], "v": "<2.1.6" } ], "burl": [ { "advisory": "Burl 2.0.0 works with JWT tokens more securely.\r\nhttps://github.com/wryfi/burl/commit/664878ce9a31695456be89c8e10e8bb612074ef6", "cve": "PVE-2022-46419", "id": "pyup.io-46419", "more_info_path": "/vulnerabilities/PVE-2022-46419/46419", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Burl 2.0.0 updates its dependency 'django' to v2.2.25 to include security fixes.", "cve": "CVE-2021-44420", "id": "pyup.io-46495", "more_info_path": "/vulnerabilities/CVE-2021-44420/46495", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Burl 2.0.0 updates its dependency 'django' to v2.2.25 to include security fixes.", "cve": "CVE-2021-33571", "id": "pyup.io-46497", "more_info_path": "/vulnerabilities/CVE-2021-33571/46497", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Burl 2.0.0 updates its dependency 'django' to v2.2.25 to include security fixes.", "cve": "CVE-2021-33203", "id": "pyup.io-46496", "more_info_path": "/vulnerabilities/CVE-2021-33203/46496", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Burl 2.0.0 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-46494", "more_info_path": "/vulnerabilities/CVE-2021-33503/46494", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "buttplug": [ { "advisory": "Buttplug 0.2.1 updates its dependency 'websockets' to v10.1 to include a security 
fix.", "cve": "PVE-2022-50473", "id": "pyup.io-50468", "more_info_path": "/vulnerabilities/PVE-2022-50473/50468", "specs": [ "<0.2.1" ], "v": "<0.2.1" } ], "byarse": [ { "advisory": "Byarse 1.1.0 introduces 'Safe mode', which can be enabled to prevent unpickling Pickle type during deserialization. This prevents a big security vulnerability.", "cve": "PVE-2021-38754", "id": "pyup.io-38754", "more_info_path": "/vulnerabilities/PVE-2021-38754/38754", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "bzip": [ { "advisory": "bzip is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": "PVE-2021-34980", "id": "pyup.io-34980", "more_info_path": "/vulnerabilities/PVE-2021-34980/34980", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "bzip3": [ { "advisory": "Bzip3 (python client) 0.1.2 includes bzip3 core version 1.3.0, that fixes a buffer overflow vulnerability in libsais.\r\nhttps://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff", "cve": "PVE-2023-58746", "id": "pyup.io-58746", "more_info_path": "/vulnerabilities/PVE-2023-58746/58746", "specs": [ "<0.1.2" ], "v": "<0.1.2" }, { "advisory": "Bzip3 (python client) 0.1.2 includes bzip3 core version 1.3.0, that fixes an overflow in bz3_decode_block.\r\nhttps://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d", "cve": "PVE-2023-58750", "id": "pyup.io-58750", "more_info_path": "/vulnerabilities/PVE-2023-58750/58750", "specs": [ "<0.1.2" ], "v": "<0.1.2" } ], "bzt": [ { "advisory": "Bzt 1.16.2 updates its dependency 'jmeter' to v5.4.2 to include security fixes.\r\nhttps://github.com/Blazemeter/taurus/commit/f7fb13fed9ca4f871a3426c3c26fb3e86beb329a", "cve": "CVE-2021-44228", "id": "pyup.io-43430", "more_info_path": "/vulnerabilities/CVE-2021-44228/43430", "specs": [ "<1.16.2" ], "v": "<1.16.2" }, { "advisory": "Bzt 1.16.2 updates its dependency 'jmeter' to v5.4.2 to include security 
fixes.\r\nhttps://github.com/Blazemeter/taurus/commit/f7fb13fed9ca4f871a3426c3c26fb3e86beb329a", "cve": "CVE-2021-45046", "id": "pyup.io-43431", "more_info_path": "/vulnerabilities/CVE-2021-45046/43431", "specs": [ "<1.16.2" ], "v": "<1.16.2" }, { "advisory": "Bzt 1.16.4 updates its MAVEN dependency 'jmeter' to v5.4.3 to fix a log4j related vulnerability.\r\nhttps://github.com/Blazemeter/taurus/pull/1641/commits/12e7bae57abdc8eec75e01565cd92d654f062f70", "cve": "CVE-2021-45105", "id": "pyup.io-43435", "more_info_path": "/vulnerabilities/CVE-2021-45105/43435", "specs": [ "<1.16.4" ], "v": "<1.16.4" }, { "advisory": "Bzt 1.16.8 and prior includes a version of 'jmeter' (5.4.3) affected by a medium severity vulnerability.", "cve": "CVE-2021-44832", "id": "pyup.io-44454", "more_info_path": "/vulnerabilities/CVE-2021-44832/44454", "specs": [ "<=1.16.8" ], "v": "<=1.16.8" } ], "c2cciutils": [ { "advisory": "C2cciutils 1.6.0 updates its 'requests' dependency to v2.31.0 to address CVE-2023-32681.", "cve": "CVE-2023-32681", "id": "pyup.io-62110", "more_info_path": "/vulnerabilities/CVE-2023-32681/62110", "specs": [ "<1.6.0" ], "v": "<1.6.0" } ], "c2cgeoform": [ { "advisory": "C2cgeoform 2.1.26 fixes a security issue where attachments could be directly opened in the browser, posing a risk of script execution from malicious files. This update forces attachments to be downloaded, preventing automatic execution and enhancing security. 
\r\nhttps://github.com/camptocamp/c2cgeoform/pull/236/commits/b4452ff1dadd2f3d45bec8bff6dbe34094ecdb93", "cve": "PVE-2024-63692", "id": "pyup.io-63692", "more_info_path": "/vulnerabilities/PVE-2024-63692/63692", "specs": [ "<2.1.26" ], "v": "<2.1.26" } ], "c2cwsgiutils": [ { "advisory": "C2cwsgiutils 4.0.0 updates its dependency 'pipenv' to v2020.5.28 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-53059", "more_info_path": "/vulnerabilities/CVE-2019-11236/53059", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "C2cwsgiutils 4.0.0 updates its dependency 'pipenv' to v2020.5.28 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-53060", "more_info_path": "/vulnerabilities/CVE-2019-11324/53060", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "C2cwsgiutils 4.0.0 updates its dependency 'pipenv' to v2020.5.28 to include security fixes.", "cve": "CVE-2020-26137", "id": "pyup.io-53015", "more_info_path": "/vulnerabilities/CVE-2020-26137/53015", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "C2cwsgiutils 4.1.2 updates its dependency 'mako' to v1.2.2 to include a security fix.", "cve": "CVE-2022-40023", "id": "pyup.io-53014", "more_info_path": "/vulnerabilities/CVE-2022-40023/53014", "specs": [ "<4.1.2" ], "v": "<4.1.2" }, { "advisory": "C2cwsgiutils 4.1.2 updates its dependency 'lxml' to v4.6.3 to include a security fix.", "cve": "CVE-2021-28957", "id": "pyup.io-53061", "more_info_path": "/vulnerabilities/CVE-2021-28957/53061", "specs": [ "<4.1.2" ], "v": "<4.1.2" } ], "cabot": [ { "advisory": "In September 2020 it was reported that all versions of the cabot package are vulnerable to Cross-site Scripting (XSS) via the Endpoint column. 
The latest release of cabot at that date was version 0.11.7.", "cve": "CVE-2020-7734", "id": "pyup.io-38806", "more_info_path": "/vulnerabilities/CVE-2020-7734/38806", "specs": [ "<=0.11.7" ], "v": "<=0.11.7" }, { "advisory": "Cross Site Scripting (XSS) vulnerability in Arachnys Cabot 0.11.12 can be exploited via the Address column.", "cve": "CVE-2020-25449", "id": "pyup.io-54248", "more_info_path": "/vulnerabilities/CVE-2020-25449/54248", "specs": [ ">=0" ], "v": ">=0" } ], "caikit": [ { "advisory": "Caikit 0.20.4 updates its numpy dependency to versions between 1.22.2 and 2 to include a security fix.", "cve": "CVE-2021-41495", "id": "pyup.io-63311", "more_info_path": "/vulnerabilities/CVE-2021-41495/63311", "specs": [ "<0.20.4" ], "v": "<0.20.4" } ], "cairo-lang": [ { "advisory": "Cairo-lang 0.10.0 fixes a bug in 'uint256_unsigned_div_rem' which allowed a malicious prover to return a wrong result. Contracts using this function or any other function which uses it ('uint256_signed_div_rem' or 'uint256_shr' for the standard library) should be recompiled & redeployed with version >= 0.10.0.", "cve": "PVE-2022-50897", "id": "pyup.io-50897", "more_info_path": "/vulnerabilities/PVE-2022-50897/50897", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Cairo-lang 0.10.0pre fixes a bug in the secp signature verification code that allowed a malicious prover to ignore the value of 'v' (this does not let the prover fake a signature, but allows it to claim that a valid signature is invalid).", "cve": "PVE-2022-50898", "id": "pyup.io-50898", "more_info_path": "/vulnerabilities/PVE-2022-50898/50898", "specs": [ "<0.10.0pre" ], "v": "<0.10.0pre" } ], "cairo-rs-py": [ { "advisory": "Cairo-rs-py 0.2.0 includes a fix for a potential DoS vulnerability.\r\nhttps://github.com/lambdaclass/cairo-rs-py/issues/216", "cve": "PVE-2023-54904", "id": "pyup.io-54904", "more_info_path": "/vulnerabilities/PVE-2023-54904/54904", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "cairosvg": [ { 
"advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.", "cve": "PVE-2021-25643", "id": "pyup.io-25643", "more_info_path": "/vulnerabilities/PVE-2021-25643/25643", "specs": [ "<1.0.21" ], "v": "<1.0.21" }, { "advisory": "Cairosvg 2.5.1 includes a fix for CVE-2021-21236: In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.", "cve": "CVE-2021-21236", "id": "pyup.io-39419", "more_info_path": "/vulnerabilities/CVE-2021-21236/39419", "specs": [ "<2.5.1" ], "v": "<2.5.1" }, { "advisory": "CairoSVG 2.7.0 includes a fix for CVE-2023-27586: Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.", "cve": "CVE-2023-27586", "id": "pyup.io-53750", "more_info_path": "/vulnerabilities/CVE-2023-27586/53750", "specs": [ "<2.7.0" ], "v": "<2.7.0" } ], "calcwave": [ { "advisory": "Calcwave 1.2.6 updates limits for modules and functions available to 'eval()' in the interpreter. 
This greatly improves the security and reduces the risk of accidentally calling the 'Python' function that damages your computer.\r\nhttps://github.com/zenarcher007/calcwave/commit/1d95d1861a0bf9954e95f82469f279bb3ba12d9a", "cve": "PVE-2021-40507", "id": "pyup.io-40507", "more_info_path": "/vulnerabilities/PVE-2021-40507/40507", "specs": [ "<1.2.6" ], "v": "<1.2.6" } ], "calendar-view": [ { "advisory": "Calendar-view 2.4.0 updates its dependency 'pillow' to include a security fix.", "cve": "CVE-2023-4863", "id": "pyup.io-61595", "more_info_path": "/vulnerabilities/CVE-2023-4863/61595", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Calendar-view 2.4.1 upgrades its dependency on the Pillow library from version 10.0.1 to version 10.2.0. This upgrade addresses the security vulnerability identified as CVE-2023-50447.\r\nhttps://github.com/sakhnevych/calendar-view/commit/834402a42591352670bf4592e706da580a19abac", "cve": "CVE-2023-50447", "id": "pyup.io-64536", "more_info_path": "/vulnerabilities/CVE-2023-50447/64536", "specs": [ "<2.4.1" ], "v": "<2.4.1" }, { "advisory": "Calendar-view 2.4.2 has upgraded its Pillow dependency from version 10.2.0 to 10.3.0 to address the security issue identified in CVE-2024-28219.", "cve": "CVE-2024-28219", "id": "pyup.io-67927", "more_info_path": "/vulnerabilities/CVE-2024-28219/67927", "specs": [ "<2.4.2" ], "v": "<2.4.2" } ], "calibreweb": [ { "advisory": "Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.", "cve": "CVE-2022-0405", "id": "pyup.io-62586", "more_info_path": "/vulnerabilities/CVE-2022-0405/62586", "specs": [ "<0.6.16" ], "v": "<0.6.16" }, { "advisory": "Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.", "cve": "CVE-2022-0406", "id": "pyup.io-62587", "more_info_path": "/vulnerabilities/CVE-2022-0406/62587", "specs": [ "<0.6.16" ], "v": "<0.6.16" }, { "advisory": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 
0.6.18.", "cve": "CVE-2022-0939", "id": "pyup.io-62588", "more_info_path": "/vulnerabilities/CVE-2022-0939/62588", "specs": [ "<0.6.18" ], "v": "<0.6.18" }, { "advisory": "Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.", "cve": "CVE-2022-0990", "id": "pyup.io-62589", "more_info_path": "/vulnerabilities/CVE-2022-0990/62589", "specs": [ "<0.6.18" ], "v": "<0.6.18" }, { "advisory": "Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.", "cve": "CVE-2023-2106", "id": "pyup.io-62874", "more_info_path": "/vulnerabilities/CVE-2023-2106/62874", "specs": [ "<0.6.20" ], "v": "<0.6.20" }, { "advisory": "Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.\r\n\r\nAlias:\r\nGHSA-jg8w-wgx2-g7q4", "cve": "CVE-2022-2525", "id": "pyup.io-62623", "more_info_path": "/vulnerabilities/CVE-2022-2525/62623", "specs": [ "<0.6.20" ], "v": "<0.6.20" }, { "advisory": "Calibre-Web 0.6.7 prevents authentication bypass. 
Prior versions had a hardcoded secret key.", "cve": "CVE-2020-12627", "id": "pyup.io-42274", "more_info_path": "/vulnerabilities/CVE-2020-12627/42274", "specs": [ "<0.6.7" ], "v": "<0.6.7" }, { "advisory": "calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cve": "CVE-2021-4170", "id": "pyup.io-54406", "more_info_path": "/vulnerabilities/CVE-2021-4170/54406", "specs": [ ">=0,<0.6.15" ], "v": ">=0,<0.6.15" }, { "advisory": "calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)", "cve": "CVE-2021-4164", "id": "pyup.io-54147", "more_info_path": "/vulnerabilities/CVE-2021-4164/54147", "specs": [ ">=0,<0.6.15" ], "v": ">=0,<0.6.15" }, { "advisory": "calibre-web is vulnerable to Business Logic Errors\n\nAffected functions:\ncalibreweb.cps.shelf.check_shelf_is_unique\ncalibreweb.cps.shelf.create_edit_shelf", "cve": "CVE-2021-4171", "id": "pyup.io-54146", "more_info_path": "/vulnerabilities/CVE-2021-4171/54146", "specs": [ ">=0,<0.6.15" ], "v": ">=0,<0.6.15" }, { "advisory": "calibreweb prior to version 0.6.16 contains an Incorrect Authorization vulnerability.", "cve": "CVE-2022-0273", "id": "pyup.io-54235", "more_info_path": "/vulnerabilities/CVE-2022-0273/54235", "specs": [ ">=0,<0.6.16" ], "v": ">=0,<0.6.16" }, { "advisory": "calibreweb prior to version 0.6.16 contains a Server-Side Request Forgery (SSRF) vulnerability.", "cve": "CVE-2022-0339", "id": "pyup.io-54237", "more_info_path": "/vulnerabilities/CVE-2022-0339/54237", "specs": [ ">=0,<0.6.16" ], "v": ">=0,<0.6.16" }, { "advisory": "calibreweb prior to version 0.6.16 contains a cross-site scripting vulnerability.", "cve": "CVE-2022-0352", "id": "pyup.io-54416", "more_info_path": "/vulnerabilities/CVE-2022-0352/54416", "specs": [ ">=0,<0.6.16" ], "v": ">=0,<0.6.16" }, { "advisory": "calibreweb prior to version 0.6.17 is vulnerable to server-side request forgery (SSRF). 
This is due to an incomplete fix for [CVE-2022-0339](https://github.com/advisories/GHSA-4w8p-x6g8-fv64). The blacklist does not check for `0.0.0.0`, which would result in a payload of `0.0.0.0` resolving to `localhost`.\n\nAffected functions:\ncalibreweb.cps.helper.save_cover_from_url", "cve": "CVE-2022-0766", "id": "pyup.io-54414", "more_info_path": "/vulnerabilities/CVE-2022-0766/54414", "specs": [ ">=0,<0.6.17" ], "v": ">=0,<0.6.17" }, { "advisory": "calibreweb prior to version 0.6.17 is vulnerable to server-side request forgery (SSRF). This is a result of incomplete SSRF protection that can be bypassed via an HTTP redirect. An HTTP server set up to respond with a 302 redirect may redirect a request to `localhost`.\n\nAffected functions:\ncalibreweb.cps.helper.save_cover_from_url", "cve": "CVE-2022-0767", "id": "pyup.io-54419", "more_info_path": "/vulnerabilities/CVE-2022-0767/54419", "specs": [ ">=0,<0.6.17" ], "v": ">=0,<0.6.17" }, { "advisory": "Calibre-Web before 0.6.18 allows user table SQL Injection.", "cve": "CVE-2022-30765", "id": "pyup.io-54445", "more_info_path": "/vulnerabilities/CVE-2022-30765/54445", "specs": [ ">=0,<0.6.18" ], "v": ">=0,<0.6.18" }, { "advisory": "In \"Calibre-web\" application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in \"Metadata\". An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.", "cve": "CVE-2021-25964", "id": "pyup.io-62667", "more_info_path": "/vulnerabilities/CVE-2021-25964/62667", "specs": [ ">=0.6.0,<0.6.12" ], "v": ">=0.6.0,<0.6.12" }, { "advisory": "In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). 
By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.", "cve": "CVE-2021-25965", "id": "pyup.io-62672", "more_info_path": "/vulnerabilities/CVE-2021-25965/62672", "specs": [ ">=0.6.0,<=0.6.13" ], "v": ">=0.6.0,<=0.6.13" }, { "advisory": "In janeczku Calibre-Web affected versions, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.", "cve": "CVE-2024-39123", "id": "pyup.io-72283", "more_info_path": "/vulnerabilities/CVE-2024-39123/72283", "specs": [ ">=0.6.0,<=0.6.21" ], "v": ">=0.6.0,<=0.6.21" } ], "callisto-core": [ { "advisory": "Callisto-core 0.19.0 stops showing locals on travis.\r\nhttps://github.com/project-callisto/callisto-core/commit/0791639280dfbe742536bf9f29d3eb888d6951e9", "cve": "PVE-2019-45606", "id": "pyup.io-45606", "more_info_path": "/vulnerabilities/PVE-2019-45606/45606", "specs": [ "<0.19.0" ], "v": "<0.19.0" }, { "advisory": "Callisto-core 0.26.0 removes models that contain insecure contact information.\r\nhttps://github.com/project-callisto/callisto-core/pull/453", "cve": "PVE-2019-47052", "id": "pyup.io-47052", "more_info_path": "/vulnerabilities/PVE-2019-47052/47052", "specs": [ "<0.26.0" ], "v": "<0.26.0" } ], "callosum": [ { "advisory": "Callosum 0.9.4 includes a fix for a potential race condition vulnerability.\r\nhttps://github.com/lablup/callosum/pull/12", "cve": "PVE-2023-61189", "id": "pyup.io-61189", "more_info_path": "/vulnerabilities/PVE-2023-61189/61189", "specs": [ "<0.9.4" ], "v": "<0.9.4" } ], "camply": [ { "advisory": "Camply 0.24.1 updates its dependency 'requests' to v2.31.0 to include a security fix.\r\nhttps://github.com/juftin/camply/commit/4c6d371", "cve": "CVE-2023-32681", "id": "pyup.io-58928", 
"more_info_path": "/vulnerabilities/CVE-2023-32681/58928", "specs": [ "<0.24.1" ], "v": "<0.24.1" }, { "advisory": "Camply 0.24.1 updates its dependency 'pymdown-extensions' to v10.0.1 to include a security fix.\r\nhttps://github.com/juftin/camply/commit/4c6d371", "cve": "CVE-2023-32309", "id": "pyup.io-58938", "more_info_path": "/vulnerabilities/CVE-2023-32309/58938", "specs": [ "<0.24.1" ], "v": "<0.24.1" } ], "canada-holiday": [ { "advisory": "Canada-holiday 1.1.4 upgrades its black dependency to version 24.3.0, addressing the ReDoS vulnerability identified in CVE-2024-21503.", "cve": "CVE-2024-21503", "id": "pyup.io-67444", "more_info_path": "/vulnerabilities/CVE-2024-21503/67444", "specs": [ "<1.1.4" ], "v": "<1.1.4" } ], "cancat": [ { "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.", "cve": "CVE-2021-45105", "id": "pyup.io-43586", "more_info_path": "/vulnerabilities/CVE-2021-45105/43586", "specs": [ "<=2.0.0" ], "v": "<=2.0.0" }, { "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.", "cve": "CVE-2021-45046", "id": "pyup.io-43585", "more_info_path": "/vulnerabilities/CVE-2021-45046/43585", "specs": [ "<=2.0.0" ], "v": "<=2.0.0" }, { "advisory": "Cancat 2.0.0 and prior potentially uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.", "cve": "CVE-2021-44228", "id": "pyup.io-43587", "more_info_path": "/vulnerabilities/CVE-2021-44228/43587", "specs": [ "<=2.0.0" ], "v": "<=2.0.0" }, { "advisory": "Cancat 2.0.0 and prior uses a version of Arduino IDE that depends on a version of 'log4j' containing severe and critical vulnerabilities.", "cve": "CVE-2021-44832", "id": "pyup.io-44459", "more_info_path": "/vulnerabilities/CVE-2021-44832/44459", "specs": [ "<=2.0.0" ], "v": "<=2.0.0" } ], "candig-server": [ { 
"advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.", "cve": "PVE-2021-37219", "id": "pyup.io-37219", "more_info_path": "/vulnerabilities/PVE-2021-37219/37219", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Candig-server 0.9.2 updates its dependency 'Jinja2' to v2.10.1 to include a security fix.", "cve": "CVE-2019-10906", "id": "pyup.io-37218", "more_info_path": "/vulnerabilities/CVE-2019-10906/37218", "specs": [ "<0.9.2" ], "v": "<0.9.2" }, { "advisory": "Candig-server 1.0.2 updates 'WerkZeug' to v0.15.5 to include security fixes.", "cve": "CVE-2019-14806", "id": "pyup.io-37467", "more_info_path": "/vulnerabilities/CVE-2019-14806/37467", "specs": [ "<1.0.2" ], "v": "<1.0.2" }, { "advisory": "Candig-server 1.4.0 drops its dependency 'cryptography==2.8' to avoid security issues.", "cve": "CVE-2020-25659", "id": "pyup.io-48387", "more_info_path": "/vulnerabilities/CVE-2020-25659/48387", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { "advisory": "Candig-server 1.4.0 drops its dependency 'cryptography==2.8' to avoid security issues.", "cve": "CVE-2020-36242", "id": "pyup.io-39169", "more_info_path": "/vulnerabilities/CVE-2020-36242/39169", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "canto-curses": [ { "advisory": "canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.", "cve": "CVE-2013-7416", "id": "pyup.io-67960", "more_info_path": "/vulnerabilities/CVE-2013-7416/67960", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "canvaslms": [ { "advisory": "Canvaslms 2.18 updates its dependency 'certifi' to version '2023.7.22' to include a fix for a vulnerability.\r\nhttps://github.com/dbosk/canvaslms/pull/100", "cve": "CVE-2023-37920", "id": "pyup.io-60108", "more_info_path": "/vulnerabilities/CVE-2023-37920/60108", "specs": [ "<2.18" ], "v": "<2.18" }, { "advisory": "Canvaslms 2.18 updates its dependency 'cryptography' to 
version '41.0.2' to include a fix for an Improper Certificate Validation vulnerability.\r\nhttps://github.com/dbosk/canvaslms/pull/100", "cve": "CVE-2023-38325", "id": "pyup.io-60120", "more_info_path": "/vulnerabilities/CVE-2023-38325/60120", "specs": [ "<2.18" ], "v": "<2.18" }, { "advisory": "Canvaslms 2.18 updates its dependency 'pygments' to version '2.15.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/dbosk/canvaslms/pull/100", "cve": "CVE-2022-40896", "id": "pyup.io-60121", "more_info_path": "/vulnerabilities/CVE-2022-40896/60121", "specs": [ "<2.18" ], "v": "<2.18" } ], "capice": [ { "advisory": "Capice 3.1.2 updates its dependency 'numpy' to v1.22.0 to include security fixes.", "cve": "CVE-2021-34141", "id": "pyup.io-49716", "more_info_path": "/vulnerabilities/CVE-2021-34141/49716", "specs": [ "<3.1.2" ], "v": "<3.1.2" }, { "advisory": "Capice 3.1.2 updates its dependency 'numpy' to v1.22.0 to include security fixes.", "cve": "CVE-2021-41496", "id": "pyup.io-49677", "more_info_path": "/vulnerabilities/CVE-2021-41496/49677", "specs": [ "<3.1.2" ], "v": "<3.1.2" } ], "capirca": [ { "advisory": "Capirca 2.0.9 fixes an arbitrary file read vulnerability.\r\nhttps://github.com/google/capirca/commit/78f8e7cf7e4c515fb1696621bf6c6e95faa85d5b", "cve": "PVE-2023-53374", "id": "pyup.io-53374", "more_info_path": "/vulnerabilities/PVE-2023-53374/53374", "specs": [ "<2.0.9" ], "v": "<2.0.9" } ], "capstone": [ { "advisory": "Affected versions of Capstone are potentially vulnerable to buffer overflow.", "cve": "PVE-2024-73501", "id": "pyup.io-73501", "more_info_path": "/vulnerabilities/PVE-2024-73501/73501", "specs": [ "<6.0.0alpha1" ], "v": "<6.0.0alpha1" } ], "captchaboy": [ { "advisory": "Captchaboy is a malicious package. 
It delivers the W4SP Stealer Malware to your system.\r\nhttps://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html", "cve": "PVE-2023-52921", "id": "pyup.io-52921", "more_info_path": "/vulnerabilities/PVE-2023-52921/52921", "specs": [ ">0" ], "v": ">0" } ], "capycli": [ { "advisory": "Capycli 2.4.0 updates its dependency 'idna' to v3.7 to include a security fix.", "cve": "CVE-2024-3651", "id": "pyup.io-68074", "more_info_path": "/vulnerabilities/CVE-2024-3651/68074", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "carla": [ { "advisory": "Carla 0.9.11 includes a fix for a potential race condition vulnerability: Sorts vehicles by ID to avoid race condition in Traffic Manager.\r\nhttps://github.com/carla-simulator/carla/pull/3438", "cve": "PVE-2023-62323", "id": "pyup.io-62323", "more_info_path": "/vulnerabilities/PVE-2023-62323/62323", "specs": [ "<0.9.11" ], "v": "<0.9.11" }, { "advisory": "Carla 0.9.9 adds security features to the standalone OpenDRIVE mode aiming to prevent cars from falling down from the road.\r\nhttps://github.com/carla-simulator/carla/pull/2678/commits/35032c7ed47a30211869bbd2c7731215bc37b4e1", "cve": "PVE-2021-42713", "id": "pyup.io-42713", "more_info_path": "/vulnerabilities/PVE-2021-42713/42713", "specs": [ "<0.9.9" ], "v": "<0.9.9" } ], "cartridge": [ { "advisory": "Cartridge 0.1.1 adds 'csrf_token' to forms.\r\nhttps://github.com/stephenmcd/cartridge/commit/c8211d7a0696ccb6637dbde64375a58ed7d81e16", "cve": "PVE-2022-47758", "id": "pyup.io-47758", "more_info_path": "/vulnerabilities/PVE-2022-47758/47758", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "cartridge-braintree": [ { "advisory": "Cartridge-braintree 1.2.2 updates its dependency 'Django' to v1.11.29 to include security fixes.", "cve": "CVE-2020-9402", "id": "pyup.io-49479", "more_info_path": "/vulnerabilities/CVE-2020-9402/49479", "specs": [ "<1.2.2" ], "v": "<1.2.2" }, { "advisory": "Cartridge-braintree 1.2.2 updates its dependency 'Django' to v1.11.29 to include security 
fixes.", "cve": "CVE-2020-7471", "id": "pyup.io-40229", "more_info_path": "/vulnerabilities/CVE-2020-7471/40229", "specs": [ "<1.2.2" ], "v": "<1.2.2" } ], "case-utils": [ { "advisory": "Case-utils is affected by an information leakage vulnerability. The vulnerability stems from a Python function, 'cdo_local_uuid.local_uuid()', and its original implementation 'case_utils.local_uuid()'.\r\nhttps://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882", "cve": "CVE-2024-22194", "id": "pyup.io-64226", "more_info_path": "/vulnerabilities/CVE-2024-22194/64226", "specs": [ "==0.5.0", "==0.6.0", "==0.7.0", "==0.8.0", "==0.9.0", "==0.10.0", "==0.11.0", "==0.12.0", "==0.13.0", "==0.14.0" ], "v": "==0.5.0,==0.6.0,==0.7.0,==0.8.0,==0.9.0,==0.10.0,==0.11.0,==0.12.0,==0.13.0,==0.14.0" } ], "cashocs": [ { "advisory": "Cashocs version 2.0.0 updates its pygments dependency to version 2.7.4 from the previous 2.5.2, addressing the vulnerability identified as CVE-2021-27291.\r\nhttps://github.com/sblauth/cashocs/pull/141/commits/1fb563e91e1b4d564cb4784c7c812bf27c7e15b7", "cve": "CVE-2021-27291", "id": "pyup.io-64943", "more_info_path": "/vulnerabilities/CVE-2021-27291/64943", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Cashocs version 2.0.0 updates its setuptools dependency to version 65.5.1 from the previous 39.0.1, addressing the vulnerability identified as CVE-2022-40897.\r\nhttps://github.com/sblauth/cashocs/pull/137/commits/eb3fdc2bc65c87fb27d3622ada71c4d841a856a2", "cve": "CVE-2022-40897", "id": "pyup.io-64817", "more_info_path": "/vulnerabilities/CVE-2022-40897/64817", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Cashocs version 2.0.0 updates its pygments dependency to version 2.7.4 from the previous 2.5.2, addressing the vulnerability identified as CVE-2021-20270.\r\nhttps://github.com/sblauth/cashocs/pull/141/commits/1fb563e91e1b4d564cb4784c7c812bf27c7e15b7", "cve": "CVE-2021-20270", "id": "pyup.io-64944", 
"more_info_path": "/vulnerabilities/CVE-2021-20270/64944", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Cashocs version 2.1.0 updates its fonttools dependency from version 4.38.0 to 4.43.0 to address the security issue identified as CVE-2023-45139.\r\nhttps://github.com/sblauth/cashocs/pull/372/commits/c15b23e743b3046b8afae8b6a0967044f163c8ce", "cve": "CVE-2023-45139", "id": "pyup.io-64980", "more_info_path": "/vulnerabilities/CVE-2023-45139/64980", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-34141.\r\nhttps://github.com/sblauth/cashocs/pull/345", "cve": "CVE-2021-34141", "id": "pyup.io-64963", "more_info_path": "/vulnerabilities/CVE-2021-34141/64963", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Cashocs version 2.1.0 updates its Pillow dependency to version 10.0.1 from the previous 9.5.0, to mitigate the security vulnerability identified as CVE-2023-4863.\r\nhttps://github.com/sblauth/cashocs/pull/345/commits/86d09b3a5a63e3fbe1a0724fcae54843064bed09", "cve": "CVE-2023-4863", "id": "pyup.io-64981", "more_info_path": "/vulnerabilities/CVE-2023-4863/64981", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. 
This upgrade is in response to addressing the security vulnerability designated as CVE-2021-41495.\r\nhttps://github.com/sblauth/cashocs/pull/345", "cve": "CVE-2021-41495", "id": "pyup.io-64982", "more_info_path": "/vulnerabilities/CVE-2021-41495/64982", "specs": [ "<2.1.0" ], "v": "<2.1.0" } ], "cassandra-medusa": [ { "advisory": "Cassandra-medusa version 0.20.0 has upgraded its Cryptography dependency to version 42.0.2 from 35.0, in response to CVE-2023-6129.", "cve": "CVE-2023-6129", "id": "pyup.io-67139", "more_info_path": "/vulnerabilities/CVE-2023-6129/67139", "specs": [ "<0.20.0" ], "v": "<0.20.0" }, { "advisory": "Cassandra-medusa version 0.20.0 upgrades its Pycryptodome dependency to 3.19.1 from the previous version 3.19.0, aiming to address the security concerns outlined in CVE-2023-52323.", "cve": "CVE-2023-52323", "id": "pyup.io-67422", "more_info_path": "/vulnerabilities/CVE-2023-52323/67422", "specs": [ "<0.20.0" ], "v": "<0.20.0" }, { "advisory": "Cassandra-medusa 0.9.1 fixes MinIO support that had unsecured access.\r\nhttps://github.com/thelastpickle/cassandra-medusa/commit/2edb8afd9e0961fb3cf390322c0f59066967de84", "cve": "PVE-2021-42517", "id": "pyup.io-42517", "more_info_path": "/vulnerabilities/PVE-2021-42517/42517", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "castle-cms": [ { "advisory": "Castle-cms version 2.6.1 includes fixes for secure-login.", "cve": "PVE-2021-41903", "id": "pyup.io-41903", "more_info_path": "/vulnerabilities/PVE-2021-41903/41903", "specs": [ "<2.6.1" ], "v": "<2.6.1" }, { "advisory": "Castle-cms version 2.6.2 fixes default behavior that allowed access to published content inside a private container.", "cve": "PVE-2021-41902", "id": "pyup.io-41902", "more_info_path": "/vulnerabilities/PVE-2021-41902/41902", "specs": [ "<2.6.2" ], "v": "<2.6.2" } ], "catboost": [ { "advisory": "Catboost 0.26 updates version of 'scala' to v2.11.12 for security reasons.\r\nhttps://github.com/catboost/catboost/issues/1632", "cve": 
"CVE-2017-15288", "id": "pyup.io-41743", "more_info_path": "/vulnerabilities/CVE-2017-15288/41743", "specs": [ "<0.26" ], "v": "<0.26" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925", "cve": "CVE-2021-37713", "id": "pyup.io-60748", "more_info_path": "/vulnerabilities/CVE-2021-37713/60748", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'loader-utils' to version '1.4.2' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/catboost/catboost/commit/fc169568301a2f20f1329ff0680e4d68dc965485", "cve": "CVE-2022-37601", "id": "pyup.io-60754", "more_info_path": "/vulnerabilities/CVE-2022-37601/60754", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'guava' to version '32.0.0-jre' to include a fix for an Information Disclosure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/cd66946c38a4e2acf9020de5a6f24065c9f16c2d", "cve": "CVE-2020-8908", "id": "pyup.io-60772", "more_info_path": "/vulnerabilities/CVE-2020-8908/60772", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'nanoid' to version '3.3.6' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/9381a56a05fc7f2b8cecc323c5b26aa60d3703f0", "cve": "CVE-2021-23566", "id": "pyup.io-60761", "more_info_path": "/vulnerabilities/CVE-2021-23566/60761", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'normalize-url' to version '4.5.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/44e9f5fcf515e7d3d4bc891388e679ff7bceefb9", "cve": "CVE-2021-33502", "id": "pyup.io-60764", "more_info_path": "/vulnerabilities/CVE-2021-33502/60764", 
"specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for an Integer Overflow vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e", "cve": "CVE-2023-34454", "id": "pyup.io-60766", "more_info_path": "/vulnerabilities/CVE-2023-34454/60766", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'terser' to version '5.19.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/28aa3945fe8664bfbf0dd1d1cd2e04f6aca398b5", "cve": "CVE-2022-25858", "id": "pyup.io-60717", "more_info_path": "/vulnerabilities/CVE-2022-25858/60717", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'ansi-regex' to version '5.0.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/7eebbf8e2fec4d2e3225e819a86c0b14dde72c52", "cve": "CVE-2021-3807", "id": "pyup.io-60763", "more_info_path": "/vulnerabilities/CVE-2021-3807/60763", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925", "cve": "CVE-2021-37701", "id": "pyup.io-60746", "more_info_path": "/vulnerabilities/CVE-2021-37701/60746", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925", "cve": "CVE-2021-37712", "id": "pyup.io-60747", "more_info_path": "/vulnerabilities/CVE-2021-37712/60747", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to 
include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925", "cve": "CVE-2021-32804", "id": "pyup.io-60750", "more_info_path": "/vulnerabilities/CVE-2021-32804/60750", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'semver' to version '5.7.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/d0183bfcf67525a3ad9f4427e23f1472ad9f588c", "cve": "CVE-2022-25883", "id": "pyup.io-60757", "more_info_path": "/vulnerabilities/CVE-2022-25883/60757", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimist' to version '1.2.8' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/catboost/catboost/commit/63b0cd67faf62ba3fcd7281044dad144f8b6ff4d", "cve": "CVE-2021-44906", "id": "pyup.io-60755", "more_info_path": "/vulnerabilities/CVE-2021-44906/60755", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'browserslist' to version '4.21.9' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/a15bfbbd2ff8d4ea56e57876e2601a6dbd9e4d37", "cve": "CVE-2021-23364", "id": "pyup.io-60756", "more_info_path": "/vulnerabilities/CVE-2021-23364/60756", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'webpack' to version '5.76.0' to include a fix for a Sandbox Bypass vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e132d847a527827023eb67165e11f1b05a19564f", "cve": "CVE-2023-28154", "id": "pyup.io-60751", "more_info_path": "/vulnerabilities/CVE-2023-28154/60751", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'http-cache-semantics' to version '4.1.1' to include a fix for a ReDoS 
vulnerability.\r\nhttps://github.com/catboost/catboost/commit/d63e29198a2c5a12e7d857b2b068283298488e8d", "cve": "CVE-2022-25881", "id": "pyup.io-60745", "more_info_path": "/vulnerabilities/CVE-2022-25881/60745", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'path-parse' to version '1.0.7' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/c5384e8e53f4fee40190dd7d52ec0e1ee92a2560", "cve": "CVE-2021-23343", "id": "pyup.io-60758", "more_info_path": "/vulnerabilities/CVE-2021-23343/60758", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'tar' to version '6.1.15' to include a fix for an Arbitrary File Write vulnerability.\r\nhttps://github.com/catboost/catboost/commit/f54bd997762dede21c31022ae27b7fd5be36c925", "cve": "CVE-2021-32803", "id": "pyup.io-60749", "more_info_path": "/vulnerabilities/CVE-2021-32803/60749", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'minimatch' to version '3.1.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/3b9820e0bfb7b9e34dbaf0403e95e0dcdc9d9ba3", "cve": "CVE-2022-3517", "id": "pyup.io-60744", "more_info_path": "/vulnerabilities/CVE-2022-3517/60744", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'postcss' to version '8.4.27' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/8143d912bc7364b488ae5a33e2c83e29b988420f", "cve": "CVE-2021-23382", "id": "pyup.io-60759", "more_info_path": "/vulnerabilities/CVE-2021-23382/60759", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for an Integer Overflow vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e", "cve": "CVE-2023-34453", 
"id": "pyup.io-60768", "more_info_path": "/vulnerabilities/CVE-2023-34453/60768", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'loader-utils' to version '1.4.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/fc169568301a2f20f1329ff0680e4d68dc965485", "cve": "CVE-2022-37603", "id": "pyup.io-60753", "more_info_path": "/vulnerabilities/CVE-2022-37603/60753", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795", "cve": "CVE-2020-36518", "id": "pyup.io-60771", "more_info_path": "/vulnerabilities/CVE-2020-36518/60771", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'json5' to version '3.3.6' to include a fix for a Prototype Pollution vulnerability.\r\nhttps://github.com/catboost/catboost/commit/c6393bf6300ecc6d8bcbd98d61927149cb205100", "cve": "CVE-2022-46175", "id": "pyup.io-60762", "more_info_path": "/vulnerabilities/CVE-2022-46175/60762", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795", "cve": "CVE-2022-42003", "id": "pyup.io-60769", "more_info_path": "/vulnerabilities/CVE-2022-42003/60769", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'snappy-java' to version '1.1.10.1' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/b51a3b2302a1d6b1a596b406efef347c872d9a0e", "cve": "CVE-2023-34455", "id": "pyup.io-60767", "more_info_path": "/vulnerabilities/CVE-2023-34455/60767", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": 
"Catboost 1.2.1 updates its dependency 'postcss' to version '8.4.27' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/8143d912bc7364b488ae5a33e2c83e29b988420f", "cve": "CVE-2021-23368", "id": "pyup.io-60760", "more_info_path": "/vulnerabilities/CVE-2021-23368/60760", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'junit:junit' to version '4.13.1' to include a fix for an Information Exposure vulnerability.\r\nhttps://github.com/catboost/catboost/commit/95a9dca46d21133005b3d6d66be165384ba77f2d", "cve": "CVE-2020-15250", "id": "pyup.io-60765", "more_info_path": "/vulnerabilities/CVE-2020-15250/60765", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its dependency 'jackson-databind' to version '2.13.4.2' to include a fix for a DoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/e88f390a4e2630c9e8a5b82cd01c053a9fd29795", "cve": "CVE-2022-42004", "id": "pyup.io-60770", "more_info_path": "/vulnerabilities/CVE-2022-42004/60770", "specs": [ "<1.2.1" ], "v": "<1.2.1" }, { "advisory": "Catboost 1.2.1 updates its NPM dependency 'loader-utils' to version '1.4.2' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/catboost/catboost/commit/fc169568301a2f20f1329ff0680e4d68dc965485", "cve": "CVE-2022-37599", "id": "pyup.io-60752", "more_info_path": "/vulnerabilities/CVE-2022-37599/60752", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "catly-translate": [ { "advisory": "The Catly-Translate package in PyPI v0.0.3 to v0.0.5 was discovered to contain a code execution backdoor. 
This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-34061", "id": "pyup.io-54425", "more_info_path": "/vulnerabilities/CVE-2022-34061/54425", "specs": [ ">=0.0.3,<0.0.6" ], "v": ">=0.0.3,<0.0.6" } ], "cbapi": [ { "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.", "cve": "PVE-2021-34933", "id": "pyup.io-34933", "more_info_path": "/vulnerabilities/PVE-2021-34933/34933", "specs": [ ">=1.3.3,<1.3.4" ], "v": ">=1.3.3,<1.3.4" } ], "cbor2": [ { "advisory": "Cbor2 5.4.0 fixes bounds checks in C decoder.\r\nhttps://github.com/agronholm/cbor2/pull/113", "cve": "PVE-2023-61961", "id": "pyup.io-61961", "more_info_path": "/vulnerabilities/PVE-2023-61961/61961", "specs": [ "<5.4.0" ], "v": "<5.4.0" }, { "advisory": "Cbor2 5.6.0 fixes issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.\r\nhttps://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542", "cve": "PVE-2024-64281", "id": "pyup.io-64281", "more_info_path": "/vulnerabilities/PVE-2024-64281/64281", "specs": [ "<5.6.0" ], "v": "<5.6.0" }, { "advisory": "Affected versions of Cbor2 are vulnerable to Buffer Overflow. 
An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.", "cve": "CVE-2024-26134", "id": "pyup.io-66703", "more_info_path": "/vulnerabilities/CVE-2024-26134/66703", "specs": [ ">=5.6.0,<5.6.2" ], "v": ">=5.6.0,<5.6.2" } ], "ccf": [ { "advisory": "Ccf 0.7 fixes a vulnerability to a possible replay attack.", "cve": "PVE-2021-38641", "id": "pyup.io-38641", "more_info_path": "/vulnerabilities/PVE-2021-38641/38641", "specs": [ "<0.7" ], "v": "<0.7" }, { "advisory": "Ccf 5.0.0dev7 includes a security fix: 'POST /recovery/members/{memberId}:recover' is now authenticated by COSE Sign1, making it consistent with the other 'POST' endpoints in governance, and avoiding a potential denial of service where unauthenticated and unauthorized clients could submit invalid shares repeatedly.\r\nhttps://github.com/microsoft/CCF/pull/5832", "cve": "PVE-2023-62328", "id": "pyup.io-62328", "more_info_path": "/vulnerabilities/PVE-2023-62328/62328", "specs": [ "<5.0.0dev7" ], "v": "<5.0.0dev7" } ], "cdk-ecr-deployment": [ { "advisory": "Cdk-ecr-deployment 0.0.34 updates its dependency 'trim-newlines' to version '3.0.1' to include a security fix.\r\nhttps://github.com/wchaws/cdk-ecr-deployment/commit/22267948c545579788d1ed065ff2fb3b05adc863\r\nhttps://github.com/wchaws/cdk-ecr-deployment/commit/8cf3f5069e2ec1e22afe17c4025e752172be88bd", "cve": "CVE-2021-33623", "id": "pyup.io-59197", "more_info_path": "/vulnerabilities/CVE-2021-33623/59197", "specs": [ "<0.0.34" ], "v": "<0.0.34" }, { "advisory": "Cdk-ecr-deployment 0.0.60 updates its NPM dependency 'xmldom' to v0.7.0 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/7b222a9a253a9a18371c489fbb2577e90f59fc4f", "cve": "CVE-2021-32796", "id": "pyup.io-42166", "more_info_path": "/vulnerabilities/CVE-2021-32796/42166", "specs": [ "<0.0.60" ], "v": "<0.0.60" }, { "advisory": "Cdk-ecr-deployment 0.0.83 updates Go dependency 'runc' to include a security 
fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/pull/142/commits/2716589ed475eee2e3458a22b398a92c7b9dab72", "cve": "CVE-2021-30465", "id": "pyup.io-43005", "more_info_path": "/vulnerabilities/CVE-2021-30465/43005", "specs": [ "<0.0.83" ], "v": "<0.0.83" }, { "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'containerd' to v1.5.9 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", "cve": "CVE-2021-43816", "id": "pyup.io-44474", "more_info_path": "/vulnerabilities/CVE-2021-43816/44474", "specs": [ "<2.0.7" ], "v": "<2.0.7" }, { "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'opencontainers/runc' to v1.0.3 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", "cve": "CVE-2021-43784", "id": "pyup.io-54973", "more_info_path": "/vulnerabilities/CVE-2021-43784/54973", "specs": [ "<2.0.7" ], "v": "<2.0.7" }, { "advisory": "Cdk-ecr-deployment 2.1.4 fix security issue by updating 'docker/distribution' version to v2.8.0.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/3ae21c155db5410002ba1a98469bee03ff5a28b7", "cve": "CVE-2021-3538", "id": "pyup.io-45103", "more_info_path": "/vulnerabilities/CVE-2021-3538/45103", "specs": [ "<2.1.4" ], "v": "<2.1.4" }, { "advisory": "Cdk-ecr-deployment 2.5.3 updates its dependency 'opencontainers/runc' to v1.1.2 to include a security fix.", "cve": "CVE-2022-29162", "id": "pyup.io-49117", "more_info_path": "/vulnerabilities/CVE-2022-29162/49117", "specs": [ "<2.5.3" ], "v": "<2.5.3" } ], "cdk-keycloak": [ { "advisory": "Cdk-keycloak 0.2.45 updates its NPM dependency 'got' to v12.5.2 to include a security fix.", "cve": "CVE-2022-33987", "id": "pyup.io-51648", "more_info_path": "/vulnerabilities/CVE-2022-33987/51648", "specs": [ "<0.2.45" ], "v": "<0.2.45" } ], "cdo-local-uuid": [ { "advisory": "Cdo-local-uuid is affected by an information leakage 
vulnerability. The vulnerability stems from a Python function, 'cdo_local_uuid.local_uuid()', and its original implementation 'case_utils.local_uuid()'.\r\nhttps://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/security/advisories/GHSA-rgrf-6mf5-m882", "cve": "CVE-2024-22194", "id": "pyup.io-64285", "more_info_path": "/vulnerabilities/CVE-2024-22194/64285", "specs": [ "==0.4.0" ], "v": "==0.4.0" } ], "cdsetool": [ { "advisory": "Cdsetool 0.2.10 updates its `requests` dependency requirement from `<2.32.0,>=2.28.1` to `>=2.28.1,<2.33.0` due to the CVE-2024-35195.", "cve": "CVE-2024-35195", "id": "pyup.io-71099", "more_info_path": "/vulnerabilities/CVE-2024-35195/71099", "specs": [ "<0.2.10" ], "v": "<0.2.10" } ], "cedar-backup3": [ { "advisory": "Cedar-backup3 version 1.10 stops using insecure os.popen().", "cve": "PVE-2022-46427", "id": "pyup.io-46427", "more_info_path": "/vulnerabilities/PVE-2022-46427/46427", "specs": [ "<1.10" ], "v": "<1.10" }, { "advisory": "Cedar-backup3 version 1.10 fixes a shell-interpolation bug.", "cve": "PVE-2021-42010", "id": "pyup.io-42010", "more_info_path": "/vulnerabilities/PVE-2021-42010/42010", "specs": [ "<1.10" ], "v": "<1.10" } ], "ceilometer": [ { "advisory": "(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.", "cve": "CVE-2013-6384", "id": "pyup.io-70583", "more_info_path": "/vulnerabilities/CVE-2013-6384/70583", "specs": [ "<2013.2.1" ], "v": "<2013.2.1" }, { "advisory": "A vulnerability was found in ceilometer before version 12.0.0.0rc1. 
An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated.", "cve": "CVE-2019-3830", "id": "pyup.io-54166", "more_info_path": "/vulnerabilities/CVE-2019-3830/54166", "specs": [ ">=0,<12.0.0.0rc1" ], "v": ">=0,<12.0.0.0rc1" } ], "celery": [ { "advisory": "Celery 4.4.0rc5 addresses a race condition that occurred during the publishing of very large chord headers. This fix ensures that the operation is completed successfully even when dealing with such large data sets.\r\nhttps://github.com/celery/celery/pull/5850/files#diff-3a80ff45da16a11b96e26a63973d7d490187a68ddc1949e2dfd7fd090b208841", "cve": "PVE-2024-64270", "id": "pyup.io-64270", "more_info_path": "/vulnerabilities/PVE-2024-64270/64270", "specs": [ "<4.4.0rc5" ], "v": "<4.4.0rc5" }, { "advisory": "Celery 5.2.0 updates 'kombu' to v5.2.1, which includes dependency updates that resolve security issues.", "cve": "CVE-2021-33503", "id": "pyup.io-42498", "more_info_path": "/vulnerabilities/CVE-2021-33503/42498", "specs": [ "<5.2.0" ], "v": "<5.2.0" }, { "advisory": "Celery 5.2.2 includes a fix for CVE-2021-23727: Celery before 5.2.2 by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. 
Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.", "cve": "CVE-2021-23727", "id": "pyup.io-43738", "more_info_path": "/vulnerabilities/CVE-2021-23727/43738", "specs": [ "<5.2.2" ], "v": "<5.2.2" }, { "advisory": "Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process.", "cve": "CVE-2011-4356", "id": "pyup.io-54071", "more_info_path": "/vulnerabilities/CVE-2011-4356/54071", "specs": [ ">=2.1,<2.2.8", ">=2.3,<2.3.4", ">=2.4,<2.4.4" ], "v": ">=2.1,<2.2.8,>=2.3,<2.3.4,>=2.4,<2.4.4" }, { "advisory": "Celery 4.0.1 includes a fix for a code execution vulnerability: The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. 
A workaround is to configure the 4.0.0 version to explicitly only allow json serialized messages.\r\nhttps://github.com/celery/celery/blob/master/docs/sec/CELERYSA-0003.txt", "cve": "PVE-2021-25646", "id": "pyup.io-25646", "more_info_path": "/vulnerabilities/PVE-2021-25646/25646", "specs": [ ">=4.0.0rc3,<4.0.1" ], "v": ">=4.0.0rc3,<4.0.1" } ], "celery-director": [ { "advisory": "Celery-director 0.9.0 updates its dependency 'redis' to v4.4.4 to include security fixes.", "cve": "CVE-2023-28858", "id": "pyup.io-55267", "more_info_path": "/vulnerabilities/CVE-2023-28858/55267", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Celery-director 0.9.0 updates its dependency 'redis' to v4.4.4 to include security fixes.", "cve": "CVE-2023-28859", "id": "pyup.io-55276", "more_info_path": "/vulnerabilities/CVE-2023-28859/55276", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Celery-director 0.9.0 updates its dependency 'sentry-sdk' to v1.14.0 to include a security fix.", "cve": "CVE-2023-28117", "id": "pyup.io-55277", "more_info_path": "/vulnerabilities/CVE-2023-28117/55277", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "cellxgene": [ { "advisory": "Cellxgene 0.12.0 updates its NPM dependency 'set-value' to v2.0.1 to include a security fix.", "cve": "CVE-2021-23440", "id": "pyup.io-44976", "more_info_path": "/vulnerabilities/CVE-2021-23440/44976", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.12.0 updates its NPM dependency 'eslint-utils' to a version ^1.4.2 to include a security fix.", "cve": "CVE-2019-15657", "id": "pyup.io-37801", "more_info_path": "/vulnerabilities/CVE-2019-15657/37801", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.12.0 updates its NPM dependency 'mixin-deep' to v1.3.2 to include a security fix.", "cve": "CVE-2019-10746", "id": "pyup.io-44974", "more_info_path": "/vulnerabilities/CVE-2019-10746/44974", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.12.0 updates several more NPM 
dependencies to fix security issues.\r\nhttps://github.com/chanzuckerberg/cellxgene/commit/78a43402cb0c1beca5269b3970d4cc31615e4664", "cve": "PVE-2022-44977", "id": "pyup.io-44977", "more_info_path": "/vulnerabilities/PVE-2022-44977/44977", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.12.0 stops requiring 'node-fetch' as a NPM dependency to avoid security issues.", "cve": "CVE-2020-15168", "id": "pyup.io-44975", "more_info_path": "/vulnerabilities/CVE-2020-15168/44975", "specs": [ "<0.12.0" ], "v": "<0.12.0" }, { "advisory": "Cellxgene 0.16.0 removed the `client` package that introduced security vulnerabilities.", "cve": "PVE-2021-38696", "id": "pyup.io-38696", "more_info_path": "/vulnerabilities/PVE-2021-38696/38696", "specs": [ "<0.16.0" ], "v": "<0.16.0" } ], "censusdis": [ { "advisory": "Censusdis version 1.1.7 updates its requests dependency from ^2.28.1 to ^2.32.0 to address the security vulnerability identified as CVE-2024-35195.", "cve": "CVE-2024-35195", "id": "pyup.io-71132", "more_info_path": "/vulnerabilities/CVE-2024-35195/71132", "specs": [ "<1.1.7" ], "v": "<1.1.7" } ], "centrifuge": [ { "advisory": "centrifuge 0.3.8 includes a security fix! 
Please, upgrade to this version or disable access to `/dumps` location.", "cve": "PVE-2021-25647", "id": "pyup.io-25647", "more_info_path": "/vulnerabilities/PVE-2021-25647/25647", "specs": [ "<0.3.8" ], "v": "<0.3.8" } ], "ceph-deploy": [ { "advisory": "ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.", "cve": "CVE-2015-3010", "id": "pyup.io-42238", "more_info_path": "/vulnerabilities/CVE-2015-3010/42238", "specs": [ "<1.5.23" ], "v": "<1.5.23" }, { "advisory": "The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.", "cve": "CVE-2015-4053", "id": "pyup.io-54102", "more_info_path": "/vulnerabilities/CVE-2015-4053/54102", "specs": [ ">=0,<1.5.23" ], "v": ">=0,<1.5.23" } ], "certbot": [ { "advisory": "Certbot through 0.34.0 does not configure the web server so that all requests redirect to secure HTTPS access.", "cve": "PVE-2021-37112", "id": "pyup.io-37112", "more_info_path": "/vulnerabilities/PVE-2021-37112/37112", "specs": [ "<=0.34.0" ], "v": "<=0.34.0" } ], "certbot-dns-duckdns": [ { "advisory": "Certbot-dns-duckdns 1.3 updates its dependency 'cryptography' to latest version in the docker image, to include security fixes.", "cve": "CVE-2023-0216", "id": "pyup.io-53630", "more_info_path": "/vulnerabilities/CVE-2023-0216/53630", "specs": [ "<1.3" ], "v": "<1.3" }, { "advisory": "Certbot-dns-duckdns 1.3 updates its dependency 'cryptography' to latest version in the docker image, to include security fixes.", "cve": "CVE-2023-0401", "id": "pyup.io-53624", "more_info_path": "/vulnerabilities/CVE-2023-0401/53624", "specs": [ "<1.3" ], "v": "<1.3" }, { "advisory": "Certbot-dns-duckdns 1.3 updates its dependency 'cryptography' to latest version in the docker image, to include security fixes.", "cve": 
"CVE-2023-0217", "id": "pyup.io-53628", "more_info_path": "/vulnerabilities/CVE-2023-0217/53628", "specs": [ "<1.3" ], "v": "<1.3" } ], "certbot-dns-porkbun": [ { "advisory": "Certbot-dns-porkbun 0.8 updates 'cryptography' to v39.0.1 in Docker image to include security fixes.\r\nhttps://github.com/infinityofspace/certbot_dns_porkbun/commit/789959d75ef65b9e6e7fdf0651254bf18378b0a9", "cve": "CVE-2023-0217", "id": "pyup.io-53620", "more_info_path": "/vulnerabilities/CVE-2023-0217/53620", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Certbot-dns-porkbun 0.8 updates 'cryptography' to v39.0.1 in Docker image to include security fixes.\r\nhttps://github.com/infinityofspace/certbot_dns_porkbun/commit/789959d75ef65b9e6e7fdf0651254bf18378b0a9", "cve": "CVE-2023-0217", "id": "pyup.io-53619", "more_info_path": "/vulnerabilities/CVE-2023-0217/53619", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Certbot-dns-porkbun 0.8 updates 'cryptography' to v39.0.1 in Docker image to include security fixes.\r\nhttps://github.com/infinityofspace/certbot_dns_porkbun/commit/789959d75ef65b9e6e7fdf0651254bf18378b0a9", "cve": "CVE-2023-0216", "id": "pyup.io-53622", "more_info_path": "/vulnerabilities/CVE-2023-0216/53622", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Certbot-dns-porkbun 0.8 updates 'cryptography' to v39.0.1 in Docker image to include security fixes.\r\nhttps://github.com/infinityofspace/certbot_dns_porkbun/commit/789959d75ef65b9e6e7fdf0651254bf18378b0a9", "cve": "CVE-2023-0401", "id": "pyup.io-53618", "more_info_path": "/vulnerabilities/CVE-2023-0401/53618", "specs": [ "<0.8" ], "v": "<0.8" } ], "certif": [ { "advisory": "Certif is a malicious package, typosquatting the popular package 'certifi'. 
It contains a base64 encoded payload in its '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53258", "id": "pyup.io-53258", "more_info_path": "/vulnerabilities/PVE-2023-53258/53258", "specs": [ ">=0" ], "v": ">=0" } ], "certife": [ { "advisory": "Certife is a malicious package, typosquatting the popular package 'certifi'. It contains a base64 encoded payload in its '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53259", "id": "pyup.io-53259", "more_info_path": "/vulnerabilities/PVE-2023-53259/53259", "specs": [ ">=0" ], "v": ">=0" } ], "certifi": [ { "advisory": "Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from \"TrustCor\" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.\r\nhttps://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8\r\nhttps://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ", "cve": "CVE-2022-23491", "id": "pyup.io-52365", "more_info_path": "/vulnerabilities/CVE-2022-23491/52365", "specs": [ "<2022.12.07" ], "v": "<2022.12.07" }, { "advisory": "certifi before 2017.04.17 is vulnerable to improper certificate validation because it does not reject deprecated 1024-bit certificates, but instead only issues a warning. 
This vulnerability impacts the security of the package's certificate verification process.\r\nhttps://github.com/certifi/python-certifi/commit/4f35e3529c78ced74040cf5d80bf8ec4aac9a190", "cve": "PVE-2024-99806", "id": "pyup.io-65987", "more_info_path": "/vulnerabilities/PVE-2024-99806/65987", "specs": [ ">=0,<2017.04.17" ], "v": ">=0,<2017.04.17" }, { "advisory": "Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.\r\nhttps://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7", "cve": "CVE-2023-37920", "id": "pyup.io-59956", "more_info_path": "/vulnerabilities/CVE-2023-37920/59956", "specs": [ ">=2015.04.28,<2023.07.22" ], "v": ">=2015.04.28,<2023.07.22" }, { "advisory": "Certifi affected versions recognized root certificates from GLOBALTRUST. Certifi patch removes these root certificates from the root store. These certificates are being removed pursuant to an investigation that identified \"long-running and unresolved compliance issues\" and are also in the process of being removed from Mozilla's trust store.", "cve": "CVE-2024-39689", "id": "pyup.io-72083", "more_info_path": "/vulnerabilities/CVE-2024-39689/72083", "specs": [ ">=2021.05.30,<2024.07.04" ], "v": ">=2021.05.30,<2024.07.04" } ], "certifie": [ { "advisory": "Certifie is a malicious package, pytosquatting the popular package 'certifi'. 
It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53260", "id": "pyup.io-53260", "more_info_path": "/vulnerabilities/PVE-2023-53260/53260", "specs": [ ">=0" ], "v": ">=0" } ], "certifiee": [ { "advisory": "Certifiee is a malicious package, pytosquatting the popular package 'certifi'. It contains a base64 encoded payload in '__init__.py' file that retrieves your current username, platform and IP information.", "cve": "PVE-2023-53261", "id": "pyup.io-53261", "more_info_path": "/vulnerabilities/PVE-2023-53261/53261", "specs": [ ">=0" ], "v": ">=0" } ], "cerulean": [ { "advisory": "Cerulean 0.3.4 adds proper directory permissions when using mkdir().\r\nhttps://github.com/MD-Studio/cerulean/commit/388b171477f909972d5dc9043ed5fcae4369e3b7", "cve": "PVE-2021-36796", "id": "pyup.io-36796", "more_info_path": "/vulnerabilities/PVE-2021-36796/36796", "specs": [ "<0.3.4" ], "v": "<0.3.4" } ], "cffconvert": [ { "advisory": "Cffconvert 1.0.3 updates requests from v2.18.4 to v2.20.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-36623", "more_info_path": "/vulnerabilities/CVE-2018-18074/36623", "specs": [ "<1.0.3" ], "v": "<1.0.3" } ], "cfripper": [ { "advisory": "Cfripper 1.14.0 updates its dependency 'pydash' to v6.0.0 to include a security fix.", "cve": "CVE-2023-26145", "id": "pyup.io-61458", "more_info_path": "/vulnerabilities/CVE-2023-26145/61458", "specs": [ "<1.14.0" ], "v": "<1.14.0" } ], "cfscrape": [ { "advisory": "Cfscrape 1.8.0 includes a fix for CVE-2017-7235: An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. 
This is fixed in 1.8.0.", "cve": "CVE-2017-7235", "id": "pyup.io-35741", "more_info_path": "/vulnerabilities/CVE-2017-7235/35741", "specs": [ ">=1.6.6,<1.8.0" ], "v": ">=1.6.6,<1.8.0" } ], "cfstacks": [ { "advisory": "Cfstacks 0.4.4 upgrades PyYAML to 4.2b1 (or later) to fix a security vulnerability.", "cve": "CVE-2017-18342", "id": "pyup.io-38388", "more_info_path": "/vulnerabilities/CVE-2017-18342/38388", "specs": [ "<0.4.4" ], "v": "<0.4.4" }, { "advisory": "Cfstacks 0.4.6 fixes potentially unsafe use of 'yaml.load()'.\r\nhttps://github.com/cfstacks/stacks/commit/faa4d8899c06de0a671d4b96471f6cad07e32f2f", "cve": "CVE-2020-1747", "id": "pyup.io-45280", "more_info_path": "/vulnerabilities/CVE-2020-1747/45280", "specs": [ "<0.4.6" ], "v": "<0.4.6" } ], "cg": [ { "advisory": "Cg 18.11.3 updates its dependency 'cryptography' to v3.3.2 to include a security fix.", "cve": "CVE-2020-36242", "id": "pyup.io-39614", "more_info_path": "/vulnerabilities/CVE-2020-36242/39614", "specs": [ "<18.11.3" ], "v": "<18.11.3" }, { "advisory": "Cg 26.0.4 addresses issues with certain endpoints that were only reliant on cookies for authentication, making them prone to potential attacks. The affected areas include the admin and invoice endpoints. After the update, users should experience normal operation through the order, admin, and invoice interfaces. Any attempts to exploit the CSRF vulnerability will now result in a \"Bad Request\" error. \r\nhttps://github.com/Clinical-Genomics/cg/pull/1737", "cve": "PVE-2024-63503", "id": "pyup.io-63503", "more_info_path": "/vulnerabilities/PVE-2024-63503/63503", "specs": [ "<26.0.4" ], "v": "<26.0.4" }, { "advisory": "A vulnerability has been discovered in the handling of the referrer header in the application, which could allow an attacker to conduct open redirects. The issue arises from improper validation of the referrer header in certain conditions. 
By manipulating the referrer header, an attacker could potentially redirect users to malicious websites, phishing pages, or other dangerous destinations.", "cve": "PVE-2024-71931", "id": "pyup.io-71931", "more_info_path": "/vulnerabilities/PVE-2024-71931/71931", "specs": [ "<60.2.12" ], "v": "<60.2.12" } ], "cg-django-uaa": [ { "advisory": "Cg-django-uaa 2.1.4 updates its dependency 'pyjwt' to include a security fix.", "cve": "CVE-2022-29217", "id": "pyup.io-50653", "more_info_path": "/vulnerabilities/CVE-2022-29217/50653", "specs": [ "<2.1.4" ], "v": "<2.1.4" } ], "cgbeacon2": [ { "advisory": "Cgbeacon2 4.3 prevents unsafe 'HTTP' connections.\r\nhttps://github.com/Clinical-Genomics/cgbeacon2/commit/614bdd7e01b19ce297b0e612e4821ed661c8f658", "cve": "PVE-2022-51437", "id": "pyup.io-51437", "more_info_path": "/vulnerabilities/PVE-2022-51437/51437", "specs": [ "<4.3" ], "v": "<4.3" } ], "cgcloud-lib": [ { "advisory": "Cgcloud-lib 1.6.0 and prior include a version of 'paramiko' (1.16.0) affected by known vulnerabilities.", "cve": "CVE-2018-7750", "id": "pyup.io-47515", "more_info_path": "/vulnerabilities/CVE-2018-7750/47515", "specs": [ "<=1.6.0" ], "v": "<=1.6.0" }, { "advisory": "Cgcloud-lib 1.6.0 and prior include a version of 'paramiko' (1.16.0) affected by known vulnerabilities.", "cve": "CVE-2022-24302", "id": "pyup.io-48020", "more_info_path": "/vulnerabilities/CVE-2022-24302/48020", "specs": [ "<=1.6.0" ], "v": "<=1.6.0" } ], "cgroups-exporter": [ { "advisory": "Cgroups-exporter 0.8.0 includes a fix for a denial of service vulnerability. \r\nhttps://github.com/mosquito/cgroups-exporter/commit/611ac2618e834135a86b1871231680759e4c37ff", "cve": "PVE-2023-59074", "id": "pyup.io-59074", "more_info_path": "/vulnerabilities/PVE-2023-59074/59074", "specs": [ "<0.8.0" ], "v": "<0.8.0" } ], "chafa.py": [ { "advisory": "Chafa.py serves as a Python wrapper for the Chafa library. 
The GitHub repository hpjansson/chafa, prior to version 1.12.0, contains a heap-based Buffer Overflow vulnerability. This issue has been addressed in the Chafa.py update, specifically version 1.1.0.", "cve": "CVE-2022-20610", "id": "pyup.io-63001", "more_info_path": "/vulnerabilities/CVE-2022-20610/63001", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "chainerrl-visualizer": [ { "advisory": "Chainerrl-visualizer through 0.1.1 allows absolute path traversal because the Flask send_file function is used unsafely. See CVE-2022-31573.", "cve": "CVE-2022-31573", "id": "pyup.io-50085", "more_info_path": "/vulnerabilities/CVE-2022-31573/50085", "specs": [ "<=0.1.1" ], "v": "<=0.1.1" } ], "chainlit": [ { "advisory": "Chainlit 0.2.108 includes a fix for an improper authorization vulnerability.\r\nhttps://github.com/Chainlit/chainlit/commit/ae3fe1c3b21e3d2a7b297f6985b56a2ab0e5f784", "cve": "PVE-2023-58839", "id": "pyup.io-58839", "more_info_path": "/vulnerabilities/PVE-2023-58839/58839", "specs": [ "<0.2.108" ], "v": "<0.2.108" }, { "advisory": "Chainlit 0.4.1 updates its dependency 'vite' to version '4.3.9' to include a security fix.\r\nhttps://github.com/Chainlit/chainlit/commit/67bfc52445afec69d383e43208a48a80b8a9f8dc", "cve": "CVE-2023-34092", "id": "pyup.io-59120", "more_info_path": "/vulnerabilities/CVE-2023-34092/59120", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Chainlit 1.0.501 has updated its Starlette dependency to version \"^0.37.2\" from \"<0.33.0\" to address the security issue identified in CVE-2023-29159.", "cve": "CVE-2023-29159", "id": "pyup.io-67535", "more_info_path": "/vulnerabilities/CVE-2023-29159/67535", "specs": [ "<1.0.501" ], "v": "<1.0.501" }, { "advisory": "Affected versions of Chainlit are vulnerable to Unsafe Defaults. Default host configuration was 0.0.0.0, allowing connections from any external IP address. 
This could lead to several security vulnerabilities, such as:\r\n- Denial of Service (DoS) Attacks: Attackers can inundate the system with an overwhelming number of requests, leading to service interruptions for legitimate users by exhausting the system's resources.\r\n- Man-in-the-Middle (MitM) Attacks: The open access makes it feasible for attackers to intercept and manipulate communications between two parties covertly.", "cve": "PVE-2024-73234", "id": "pyup.io-73234", "more_info_path": "/vulnerabilities/PVE-2024-73234/73234", "specs": [ "<1.1.404" ], "v": "<1.1.404" }, { "advisory": "Affected versions of Chainlit are vulnerable to Path Traversal (CWE-22). This vulnerability allows attackers to read arbitrary files on the server by exploiting insufficient path validation in file-serving endpoints. Functions like `get_file`, `serve_file`, and `get_avatar` fail to properly restrict file paths, enabling attackers to access sensitive files via crafted requests containing malicious path components. Users should upgrade to the version where input validation and path restrictions are correctly implemented to mitigate this vulnerability.", "cve": "PVE-2024-73036", "id": "pyup.io-73036", "more_info_path": "/vulnerabilities/PVE-2024-73036/73036", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Affected versions of the Chainlit backend are vulnerable to Missing Authorization (CWE-862). This flaw allows unauthorized users to access and retrieve session files by guessing or obtaining valid session_ids, potentially leading to data breaches. The vulnerability exists in the get_file endpoint, which lacked proper user verification. Exploitability is high if session_ids are predictable. Chainlit mitigates this issue by enforcing strict authorization checks.\r\nUPDATE: \"1.3.1 release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. 
The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release. A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.\"", "cve": "PVE-2024-73842", "id": "pyup.io-73842", "more_info_path": "/vulnerabilities/PVE-2024-73842/73842", "specs": [ "<1.3.0", ">=2.0.dev0,<2.0.dev1", ">2.0.dev1", ">1.3.0,<2.0.dev0" ], "v": "<1.3.0,>=2.0.dev0,<2.0.dev1,>2.0.dev1,>1.3.0,<2.0.dev0" } ], "changedetection-io": [ { "advisory": "Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the \"Add a new change detection watch\" function.\r\n\r\nAlias(es):\r\nGHSA-68wj-c2jw-5pp9\r\nPYSEC-2023-10", "cve": "CVE-2023-24769", "id": "pyup.io-59565", "more_info_path": "/vulnerabilities/CVE-2023-24769/59565", "specs": [ "<0.40.1.1" ], "v": "<0.40.1.1" } ], "changedetection.io": [ { "advisory": "Changedetection.io affected versions were discovered to contain a stored cross-site scripting (XSS) vulnerability on the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the \"Add a new change detection watch\" function.", "cve": "CVE-2023-24769", "id": "pyup.io-72001", "more_info_path": "/vulnerabilities/CVE-2023-24769/72001", "specs": [ "<0.40.2" ], "v": "<0.40.2" }, { "advisory": "Changedetection.io version 0.45.21 includes a security update to fix a server-side template injection vulnerability in Jinja2 that could allow remote command execution, identified as CVE-2024-32651. 
Additionally, it implements the use of `ImmutableSandboxedEnvironment` for validation to enhance security.", "cve": "CVE-2024-32651", "id": "pyup.io-70483", "more_info_path": "/vulnerabilities/CVE-2024-32651/70483", "specs": [ "<0.45.21" ], "v": "<0.45.21" }, { "advisory": "changedetection.io is a free open-source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notification_urls is not processed resulting in javascript execution in the application. A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content.", "cve": "CVE-2024-34061", "id": "pyup.io-71908", "more_info_path": "/vulnerabilities/CVE-2024-34061/71908", "specs": [ "<0.45.22" ], "v": "<0.45.22" }, { "advisory": "Changedetection.io 0.45.6 updates its dependency 'flask' to include a security fix.", "cve": "CVE-2023-30861", "id": "pyup.io-62234", "more_info_path": "/vulnerabilities/CVE-2023-30861/62234", "specs": [ "<0.45.6" ], "v": "<0.45.6" }, { "advisory": "Changedetection.io is vulnerable to an Incorrect Authorization vulnerability. 
API endpoint /api/v1/watch//history can be accessed by any unauthorized user.", "cve": "CVE-2024-23329", "id": "pyup.io-64341", "more_info_path": "/vulnerabilities/CVE-2024-23329/64341", "specs": [ ">=0.39.14,<=0.45.12" ], "v": ">=0.39.14,<=0.45.12" } ], "chanjo-report": [ { "advisory": "Chanjo-report 2.4.0 uses sudo insecurely, potentially allowing a local attacker to escalate privileges.\r\nhttps://github.com/robinandeer/chanjo-report/commit/bbb6ba9855b08c563764639d55bbcc0915c1dc55", "cve": "PVE-2022-45287", "id": "pyup.io-45287", "more_info_path": "/vulnerabilities/PVE-2022-45287/45287", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).", "cve": "PVE-2021-25648", "id": "pyup.io-25648", "more_info_path": "/vulnerabilities/PVE-2021-25648/25648", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "channels": [ { "advisory": "Django channels package before 2.1.7 is vulnerable to a Denial of Service (DoS) attack due to not limiting the size of request bodies. This vulnerability specifically involves Regular Expression Denial of Service (ReDoS) attacks, whereby crafted inputs utilizing regular expressions can cause excessive backtracking by the regex engine. This process can significantly slow down the system, consuming disproportionate CPU resources to process these crafted requests, potentially making the system inaccessible to legitimate users. 
This issue arises from the way certain strings, when matched against specific regular expressions, can force the regex engine into a large number of computational steps, drastically increasing for strings with specific patterns, thereby enabling attackers to exploit this behavior for a DoS attack.\r\nhttps://github.com/django/channels/commit/a1ecd5ee72a538f19bdd9e8f6bb91bb8aabba5d9", "cve": "PVE-2024-99807", "id": "pyup.io-65986", "more_info_path": "/vulnerabilities/PVE-2024-99807/65986", "specs": [ ">=0,<2.1.7" ], "v": ">=0,<2.1.7" }, { "advisory": "Channels 3.0.3 includes a fix for CVE-2020-35681. See also: .", "cve": "CVE-2020-35681", "id": "pyup.io-39368", "more_info_path": "/vulnerabilities/CVE-2020-35681/39368", "specs": [ ">=3.0.0,<3.0.3" ], "v": ">=3.0.0,<3.0.3" } ], "chaosloader": [ { "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.", "cve": "PVE-2021-37048", "id": "pyup.io-37048", "more_info_path": "/vulnerabilities/PVE-2021-37048/37048", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "chaostoolkit": [ { "advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2022-29458", "id": "pyup.io-54860", "more_info_path": "/vulnerabilities/CVE-2022-29458/54860", "specs": [ "<1.14.0" ], "v": "<1.14.0" }, { "advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2020-16156", "id": "pyup.io-54865", "more_info_path": "/vulnerabilities/CVE-2020-16156/54865", "specs": [ "<1.14.0" ], "v": "<1.14.0" }, { "advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2022-1304", "id": "pyup.io-54845", "more_info_path": "/vulnerabilities/CVE-2022-1304/54845", "specs": [ "<1.14.0" ], "v": "<1.14.0" }, { "advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2022-1304", "id": "pyup.io-54863", "more_info_path": "/vulnerabilities/CVE-2022-1304/54863", "specs": [ "<1.14.0" ], "v": "<1.14.0" }, { 
"advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2019-8457", "id": "pyup.io-54857", "more_info_path": "/vulnerabilities/CVE-2019-8457/54857", "specs": [ "<1.14.0" ], "v": "<1.14.0" }, { "advisory": "Chaostoolkit 1.14.0 updates container image to include security fixes.", "cve": "CVE-2021-33560", "id": "pyup.io-54859", "more_info_path": "/vulnerabilities/CVE-2021-33560/54859", "specs": [ "<1.14.0" ], "v": "<1.14.0" } ], "charm-crypto": [ { "advisory": "In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.", "cve": "CVE-2021-37588", "id": "pyup.io-42318", "more_info_path": "/vulnerabilities/CVE-2021-37588/42318", "specs": [ "==0.43" ], "v": "==0.43" }, { "advisory": "In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.", "cve": "CVE-2021-37587", "id": "pyup.io-42317", "more_info_path": "/vulnerabilities/CVE-2021-37587/42317", "specs": [ "==0.43" ], "v": "==0.43" } ], "charm-tools": [ { "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).", "cve": "PVE-2021-37201", "id": "pyup.io-37201", "more_info_path": "/vulnerabilities/PVE-2021-37201/37201", "specs": [ "<2.6.0" ], "v": "<2.6.0" } ], "charmhelpers": [ { "advisory": "Charmhelpers 0.19.13 updates Keystone's config files permissions to meet security guide.\r\nhttps://github.com/juju/charm-helpers/pull/299", "cve": "PVE-2021-37032", "id": "pyup.io-37032", "more_info_path": "/vulnerabilities/PVE-2021-37032/37032", "specs": [ "<0.19.13" ], "v": "<0.19.13" } ], "chartify": [ { "advisory": "Chartify version 3.0.3 includes a security patch for the function '_from_yaml' in 'chartify/_core/colors.py'. 
It used the unsafe yaml.load(), that allows instantiation of arbitrary objects.\r\nhttps://github.com/spotify/chartify/commit/e9d34194b19f973b934497a1013c918bc8a98fee#diff-8238e9741da72d8460f3b7e87879bad2821fe5cfbadb42112a6a7373ee5c494a", "cve": "CVE-2020-14343", "id": "pyup.io-41310", "more_info_path": "/vulnerabilities/CVE-2020-14343/41310", "specs": [ "<3.0.3" ], "v": "<3.0.3" }, { "advisory": "Chartify 3.0.4 updates its dependency 'pillow' requirement to '>=8.4.0' to include security fixes.", "cve": "CVE-2019-19911", "id": "pyup.io-38345", "more_info_path": "/vulnerabilities/CVE-2019-19911/38345", "specs": [ "<=3.0.3" ], "v": "<=3.0.3" }, { "advisory": "Chartify 3.0.3 includes a version of 'pillow' (6.2.0) affected by several CVEs.", "cve": "CVE-2020-5311", "id": "pyup.io-43569", "more_info_path": "/vulnerabilities/CVE-2020-5311/43569", "specs": [ "<=3.0.3" ], "v": "<=3.0.3" }, { "advisory": "Chartify 3.0.3 includes a version of 'pillow' (6.2.0) affected by several CVEs.", "cve": "CVE-2020-5312", "id": "pyup.io-43570", "more_info_path": "/vulnerabilities/CVE-2020-5312/43570", "specs": [ "<=3.0.3" ], "v": "<=3.0.3" }, { "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.", "cve": "CVE-2020-5310", "id": "pyup.io-43568", "more_info_path": "/vulnerabilities/CVE-2020-5310/43568", "specs": [ "<=3.0.3" ], "v": "<=3.0.3" }, { "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.", "cve": "CVE-2020-5313", "id": "pyup.io-43571", "more_info_path": "/vulnerabilities/CVE-2020-5313/43571", "specs": [ "<=3.0.3" ], "v": "<=3.0.3" } ], "chartmogul": [ { "advisory": "Chartmogul 4.3.1 updates its urllib3 dependency from <=2.0.4 to 1.26.19 to address security concerns, including several vulnerabilities such as CVE-2023-43804.", "cve": "CVE-2023-43804", "id": "pyup.io-71724", "more_info_path": "/vulnerabilities/CVE-2023-43804/71724", "specs": [ "<4.3.1" ], "v": "<4.3.1" }, { 
"advisory": "Chartmogul 4.3.1 updates its urllib3 dependency from <=2.0.4 to 1.26.19 to address security concerns, including several vulnerabilities such as CVE-2023-45803.", "cve": "CVE-2023-45803", "id": "pyup.io-71715", "more_info_path": "/vulnerabilities/CVE-2023-45803/71715", "specs": [ "<4.3.1" ], "v": "<4.3.1" }, { "advisory": "Chartmogul 4.3.2 updates its urllib3 dependency from version 1.26.19 to 2.2.2 to address CVE-2024-37891.", "cve": "CVE-2024-37891", "id": "pyup.io-71816", "more_info_path": "/vulnerabilities/CVE-2024-37891/71816", "specs": [ "<4.3.2" ], "v": "<4.3.2" } ], "chatbot-ner": [ { "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.", "cve": "CVE-2019-14235", "id": "pyup.io-38516", "more_info_path": "/vulnerabilities/CVE-2019-14235/38516", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.", "cve": "CVE-2019-14234", "id": "pyup.io-42432", "more_info_path": "/vulnerabilities/CVE-2019-14234/42432", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.", "cve": "CVE-2019-14233", "id": "pyup.io-42433", "more_info_path": "/vulnerabilities/CVE-2019-14233/42433", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { "advisory": "Chatbot-ner 0.5.8 updates its dependency 'django' to v1.11.26 to include security fixes.", "cve": "CVE-2019-14232", "id": "pyup.io-42434", "more_info_path": "/vulnerabilities/CVE-2019-14232/42434", "specs": [ "<0.5.8" ], "v": "<0.5.8" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.27 to include security fixes.", "cve": "CVE-2019-14232", "id": "pyup.io-43695", "more_info_path": "/vulnerabilities/CVE-2019-14232/43695", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.27 to include security fixes.", "cve": 
"CVE-2019-19844", "id": "pyup.io-43699", "more_info_path": "/vulnerabilities/CVE-2019-19844/43699", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'nltk' to v3.4.5 to include a security fix.", "cve": "CVE-2019-14751", "id": "pyup.io-43698", "more_info_path": "/vulnerabilities/CVE-2019-14751/43698", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.26 to include security fixes.", "cve": "CVE-2019-14234", "id": "pyup.io-38515", "more_info_path": "/vulnerabilities/CVE-2019-14234/38515", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.27 to include security fixes.", "cve": "CVE-2019-14235", "id": "pyup.io-43697", "more_info_path": "/vulnerabilities/CVE-2019-14235/43697", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Chatbot-ner 0.6.0 updates its dependency 'Django' to v1.11.27 to include security fixes.", "cve": "CVE-2019-14233", "id": "pyup.io-43696", "more_info_path": "/vulnerabilities/CVE-2019-14233/43696", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "chaturbate-poller": [ { "advisory": "Affected versions of Chaturbate-poller are vulnerable to Sensitive Information Exposure.", "cve": "PVE-2024-73683", "id": "pyup.io-73683", "more_info_path": "/vulnerabilities/PVE-2024-73683/73683", "specs": [ "<0.11.0" ], "v": "<0.11.0" } ], "chazz": [ { "advisory": "Chazz is a malicious package. 
It delivers the W4SP Stealer Malware to your system.\r\nhttps://thehackernews.com/2022/12/w4sp-stealer-discovered-in-multiple.html", "cve": "PVE-2023-52909", "id": "pyup.io-52909", "more_info_path": "/vulnerabilities/PVE-2023-52909/52909", "specs": [ ">0" ], "v": ">0" } ], "checkmk": [ { "advisory": "Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2017-14955", "id": "pyup.io-63076", "more_info_path": "/vulnerabilities/CVE-2017-14955/63076", "specs": [ "<1.2.8p26" ], "v": "<1.2.8p26" }, { "advisory": "Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\\checkmk\\agent\\local directory.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2020-24908", "id": "pyup.io-63081", "more_info_path": "/vulnerabilities/CVE-2020-24908/63081", "specs": [ "<1.6.0p17" ], "v": "<1.6.0p17" }, { "advisory": "In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-31258", "id": "pyup.io-63088", "more_info_path": "/vulnerabilities/CVE-2022-31258/63088", "specs": [ "<1.6.0p29", ">=2.0.0p0,<2.0.0p25", ">=2.1.0b0,<2.1.0b10" ], "v": "<1.6.0p29,>=2.0.0p0,<2.0.0p25,>=2.1.0b0,<2.1.0b10" }, { "advisory": "Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk before 2.1.0p1, before 2.0.0p25 and before 1.6.0p29 on a Checkmk server allows the site user to escalate privileges via a manipulated unixcat executable\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-43440", "id": "pyup.io-63125", "more_info_path": "/vulnerabilities/CVE-2022-43440/63125", "specs": [ "<1.6.0p29", ">=2.0.0p0,<2.0.0p25", ">=2.1.0p0,<2.1.0p1" ], "v": "<1.6.0p29,>=2.0.0p0,<2.0.0p25,>=2.1.0p0,<2.1.0p1" }, { "advisory": "A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-33912", "id": "pyup.io-63082", "more_info_path": "/vulnerabilities/CVE-2022-33912/63082", "specs": [ "<1.6.9p29", ">=2.0.0p0,<2.0.0p26", ">=2.1.0p0,<2.1.0p3", "==2.2.0i1" ], "v": "<1.6.9p29,>=2.0.0p0,<2.0.0p26,>=2.1.0p0,<2.1.0p3,==2.2.0i1" }, { "advisory": "Checkmk <=2.0.0p19 contains a Cross Site Scripting (XSS) vulnerability. While creating or editing a user attribute, the Help Text is subject to HTML injection, which can be triggered for editing a user.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-24564", "id": "pyup.io-63077", "more_info_path": "/vulnerabilities/CVE-2022-24564/63077", "specs": [ "<2.0.0p20" ], "v": "<2.0.0p20" }, { "advisory": "Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-31208", "id": "pyup.io-63141", "more_info_path": "/vulnerabilities/CVE-2023-31208/63141", "specs": [ "<2.0.0p36", ">=2.2.0b0,<2.2.0p28", ">=2.2.0b0,<2.2.0b8" ], "v": "<2.0.0p36,>=2.2.0b0,<2.2.0p28,>=2.2.0b0,<2.2.0b8" }, { "advisory": "Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-48321", "id": "pyup.io-63133", "more_info_path": "/vulnerabilities/CVE-2022-48321/63133", "specs": [ "<2.1.0p12" ], "v": "<2.1.0p12" }, { "advisory": "Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-48320", "id": "pyup.io-63126", "more_info_path": "/vulnerabilities/CVE-2022-48320/63126", "specs": [ "<=2.0.0p31", ">=2.1.0p0,<2.1.0p18" ], "v": "<=2.0.0p31,>=2.1.0p0,<2.1.0p18" }, { "advisory": "Path-Traversal in MKP storing in Tribe29 Checkmk <=2.0.0p32 and <= 2.1.0p18 allows an administrator to write mkp files to arbitrary locations via a malicious mkp file.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-4884", "id": "pyup.io-63083", "more_info_path": "/vulnerabilities/CVE-2022-4884/63083", "specs": [ "<=2.0.0p32", ">=2.1.0p0,<=2.1.0p18" ], "v": "<=2.0.0p32,>=2.1.0p0,<=2.1.0p18" }, { "advisory": "Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server. Checkmk <= 2.1.0p19, Checkmk <= 2.0.0p32, and all versions of Checkmk 1.6.0 (EOL) are affected.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-0284", "id": "pyup.io-63124", "more_info_path": "/vulnerabilities/CVE-2023-0284/63124", "specs": [ "<=2.0.0p32", ">=2.1.0p0,<=2.1.0p19" ], "v": "<=2.0.0p32,>=2.1.0p0,<=2.1.0p19" }, { "advisory": "User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-22359", "id": "pyup.io-63143", "more_info_path": "/vulnerabilities/CVE-2023-22359/63143", "specs": [ "<=2.2.0p4" ], "v": "<=2.2.0p4" }, { "advisory": "The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2021-40904", "id": "pyup.io-63085", "more_info_path": "/vulnerabilities/CVE-2021-40904/63085", "specs": [ ">=1.5.0,<1.6.0" ], "v": ">=1.5.0,<1.6.0" }, { "advisory": "CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitize the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2021-40906", "id": "pyup.io-63080", "more_info_path": "/vulnerabilities/CVE-2021-40906/63080", "specs": [ ">=1.5.0,<1.6.0p19" ], "v": ">=1.5.0,<1.6.0p19" }, { "advisory": "The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts), the XSS payload will be triggered when the user accesses some specific sections of the application. In the same sense a very dangerous potential way would be when an attacker who has the monitor role (not administrator) manages to get a stored XSS to steal the secretAutomation (for the use of the API in administrator mode) and thus be able to create another administrator user who has high privileges on the CheckMK monitoring web console. Another way is that persistent XSS allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2021-36563", "id": "pyup.io-63084", "more_info_path": "/vulnerabilities/CVE-2021-36563/63084", "specs": [ ">=1.5.0,<=2.0.0" ], "v": ">=1.5.0,<=2.0.0" }, { "advisory": "A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2020-28919", "id": "pyup.io-63087", "more_info_path": "/vulnerabilities/CVE-2020-28919/63087", "specs": [ ">=1.6.0p0,<1.6.0p19" ], "v": ">=1.6.0p0,<1.6.0p19" }, { "advisory": "In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS).\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-24566", "id": "pyup.io-63078", "more_info_path": "/vulnerabilities/CVE-2022-24566/63078", "specs": [ ">=2.0.0p0,<2.0.0p20", "<1.6.0p28" ], "v": ">=2.0.0p0,<2.0.0p20,<1.6.0p28" }, { "advisory": "Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. The Alias of a site was not properly escaped when shown as condition for notifications.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-24565", "id": "pyup.io-63079", "more_info_path": "/vulnerabilities/CVE-2022-24565/63079", "specs": [ ">=2.0.0p0,<2.0.0p20", "<1.6.0p28" ], "v": ">=2.0.0p0,<2.0.0p20,<1.6.0p28" }, { "advisory": "Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-46302", "id": "pyup.io-63139", "more_info_path": "/vulnerabilities/CVE-2022-46302/63139", "specs": [ ">=2.1.0b0,<=2.1.0p6", "<=2.0.0p27" ], "v": ">=2.1.0b0,<=2.1.0p6,<=2.0.0p27" }, { "advisory": "Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-47909", "id": "pyup.io-63127", "more_info_path": "/vulnerabilities/CVE-2022-47909/63127", "specs": [ ">=2.1.0p0,<2.1.0p12", "<=2.0.0p28" ], "v": ">=2.1.0p0,<2.1.0p12,<=2.0.0p28" }, { "advisory": "No authorization controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-48318", "id": "pyup.io-63128", "more_info_path": "/vulnerabilities/CVE-2022-48318/63128", "specs": [ ">=2.1.0p0,<2.1.0p14", "<=2.0.0p29" ], "v": ">=2.1.0p0,<2.1.0p14,<=2.0.0p29" }, { "advisory": "Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-48317", "id": "pyup.io-63132", "more_info_path": "/vulnerabilities/CVE-2022-48317/63132", "specs": [ ">=2.1.0p0,<=2.1.0p10", "<=2.0.0p28" ], "v": ">=2.1.0p0,<=2.1.0p10,<=2.0.0p28" }, { "advisory": "Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-46303", "id": "pyup.io-63129", "more_info_path": "/vulnerabilities/CVE-2022-46303/63129", "specs": [ ">=2.1.0p0,<=2.1.0p10", ">=2.0.0p0,<=2.0.0p27", "<=1.6.0p29" ], "v": ">=2.1.0p0,<=2.1.0p10,>=2.0.0p0,<=2.0.0p27,<=1.6.0p29" }, { "advisory": "PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-46836", "id": "pyup.io-63130", "more_info_path": "/vulnerabilities/CVE-2022-46836/63130", "specs": [ ">=2.1.0p0,<=2.1.0p10", ">=2.0.0p0,<=2.0.0p27", "<=1.6.0p29" ], "v": ">=2.1.0p0,<=2.1.0p10,>=2.0.0p0,<=2.0.0p27,<=1.6.0p29" }, { "advisory": "Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2022-48319", "id": "pyup.io-63131", "more_info_path": "/vulnerabilities/CVE-2022-48319/63131", "specs": [ ">=2.1.0p0,<=2.1.0p13", "<=2.0.0p29" ], "v": ">=2.1.0p0,<=2.1.0p13,<=2.0.0p29" }, { "advisory": "HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-22288", "id": "pyup.io-63134", "more_info_path": "/vulnerabilities/CVE-2023-22288/63134", "specs": [ ">=2.1.0p0,<=2.1.0p23", "<=2.0.0p34" ], "v": ">=2.1.0p0,<=2.1.0p23,<=2.0.0p34" }, { "advisory": "Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-1768", "id": "pyup.io-63135", "more_info_path": "/vulnerabilities/CVE-2023-1768/63135", "specs": [ ">=2.1.0p0,<=2.1.0p25", ">=2.2.0b0,<=2.2.0b3", "<=2.0.0p34" ], "v": ">=2.1.0p0,<=2.1.0p25,>=2.2.0b0,<=2.2.0b3,<=2.0.0p34" }, { "advisory": "Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-22348", "id": "pyup.io-63142", "more_info_path": "/vulnerabilities/CVE-2023-22348/63142", "specs": [ ">=2.2.0b0,<2.2.0b8", "<2.1.0p28" ], "v": ">=2.2.0b0,<2.2.0b8,<2.1.0p28" }, { "advisory": "Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-6157", "id": "pyup.io-63147", "more_info_path": "/vulnerabilities/CVE-2023-6157/63147", "specs": [ ">=2.2.0b0,<2.2.0p15", ">=2.1.0b0,<2.1.0p37", "<=2.0.0p39" ], "v": ">=2.2.0b0,<2.2.0p15,>=2.1.0b0,<2.1.0p37,<=2.0.0p39" }, { "advisory": "Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allow an authenticated attacker to delete user-messages for individual users.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-6251", "id": "pyup.io-63148", "more_info_path": "/vulnerabilities/CVE-2023-6251/63148", "specs": [ ">=2.2.0b0,<2.2.0p15", ">=2.1.0b0,<2.1.0p37", "<=2.0.0p39" ], "v": ">=2.2.0b0,<2.2.0p15,>=2.1.0b0,<2.1.0p37,<=2.0.0p39" }, { "advisory": "Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows privileged attackers to cause partial denial of service in the UI via long hostnames.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-23549", "id": "pyup.io-63146", "more_info_path": "/vulnerabilities/CVE-2023-23549/63146", "specs": [ ">=2.2.0b0,<2.2.0p15", ">=2.1.0b0,<2.1.0p37", "<=2.0.0p39" ], "v": ">=2.2.0b0,<2.2.0p15,>=2.1.0b0,<2.1.0p37,<=2.0.0p39" }, { "advisory": "Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-6156", "id": "pyup.io-63149", "more_info_path": "/vulnerabilities/CVE-2023-6156/63149", "specs": [ ">=2.2.0b0,<2.2.0p15", ">=2.1.0b0,<2.1.0p37", "<=2.0.0p39" ], "v": ">=2.2.0b0,<2.2.0p15,>=2.1.0b0,<2.1.0p37,<=2.0.0p39" }, { "advisory": "Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-31209", "id": "pyup.io-63145", "more_info_path": "/vulnerabilities/CVE-2023-31209/63145", "specs": [ ">=2.2.0b0,<2.2.0p4", ">=2.1.0b0,<2.1.0p32", "<2.0.0p38" ], "v": ">=2.2.0b0,<2.2.0p4,>=2.1.0b0,<2.1.0p32,<2.0.0p38" }, { "advisory": "Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-23548", "id": "pyup.io-63144", "more_info_path": "/vulnerabilities/CVE-2023-23548/63144", "specs": [ ">=2.2.0b0,<2.2.0p8", ">=2.1.0b0,<2.1.0p32", ">=2.0.0b0,<2.0.0p38", "<=1.6.0p30" ], "v": ">=2.2.0b0,<2.2.0p8,>=2.1.0b0,<2.1.0p32,>=2.0.0b0,<2.0.0p38,<=1.6.0p30" }, { "advisory": "Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-2020", "id": "pyup.io-63136", "more_info_path": "/vulnerabilities/CVE-2023-2020/63136", "specs": [ ">=2.2.0b0,<=2.2.0b4", "<=2.1.0p27" ], "v": ">=2.2.0b0,<=2.2.0b4,<=2.1.0p27" }, { "advisory": "Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log.\r\nNote: Checkmk on PyPI is a placeholder. You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-31207", "id": "pyup.io-63140", "more_info_path": "/vulnerabilities/CVE-2023-31207/63140", "specs": [ ">=2.2.0b0,<=2.2.0b6", ">=2.1.0p0,<=2.1.0p26", "<=2.0.0p35" ], "v": ">=2.2.0b0,<=2.2.0b6,>=2.1.0p0,<=2.1.0p26,<=2.0.0p35" }, { "advisory": "Usage of user controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows malicious Checkmk site user to escalate rights via injection of malicious libraries\r\nNote: Checkmk on PyPI is a placeholder. 
You may download the real package from its official website (https://checkmk.com/download).", "cve": "CVE-2023-31210", "id": "pyup.io-63150", "more_info_path": "/vulnerabilities/CVE-2023-31210/63150", "specs": [ ">=2.2.0p10,<=2.2.0p16" ], "v": ">=2.2.0p10,<=2.2.0p16" } ], "checkov": [ { "advisory": "Bridgecrew 2.0.1029 introduces a fix for a vulnerability that previously allowed security group rules in Terraform configurations to permit unrestricted ingress access from 0.0.0.0:0 to port 22, commonly used for SSH.\r\nhttps://github.com/bridgecrewio/checkov/issues/1973\r\nhttps://github.com/bridgecrewio/checkov/pull/2749", "cve": "PVE-2024-63646", "id": "pyup.io-63646", "more_info_path": "/vulnerabilities/PVE-2024-63646/63646", "specs": [ "<2.0.1029" ], "v": "<2.0.1029" }, { "advisory": "Checkov 2.0.677 fixes an unsafe regex to prevent ReDoS attacks.\r\nhttps://github.com/bridgecrewio/checkov/commit/333d3bcc6c9c178bffc37ac19422b41b665bfbc9", "cve": "PVE-2021-43446", "id": "pyup.io-43446", "more_info_path": "/vulnerabilities/PVE-2021-43446/43446", "specs": [ "<2.0.677" ], "v": "<2.0.677" }, { "advisory": "Checkov before 2.0.26 is vulnerable to unsafe deserialization, which allows arbitrary code execution when processing a malicious terraform file.", "cve": "CVE-2021-3035", "id": "pyup.io-63933", "more_info_path": "/vulnerabilities/CVE-2021-3035/63933", "specs": [ ">=2.0.0,<2.0.26" ], "v": ">=2.0.0,<2.0.26" } ], "checksec-py": [ { "advisory": "Checksec-py is powered by LIEF. Checksec-py 0.6.2 and versions below use LIEF as a dependency, which has a CVE on its versions below 0.13.0.\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38496\r\nhttps://deps.dev/pypi/checksec-py/0.6.2/dependencies", "cve": "CVE-2022-38496", "id": "pyup.io-62769", "more_info_path": "/vulnerabilities/CVE-2022-38496/62769", "specs": [ "<=0.6.2" ], "v": "<=0.6.2" } ], "cheetah": [ { "advisory": "cheetah 0.9.17rc1 removes the use of temp files for handling imports with dynamic compilation. 
This removes a whole slew of issues, including a temp file security issue.", "cve": "PVE-2021-25649", "id": "pyup.io-25649", "more_info_path": "/vulnerabilities/PVE-2021-25649/25649", "specs": [ "<0.9.17rc1" ], "v": "<0.9.17rc1" }, { "advisory": "Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules before using the paths in the PYTHONPATH variable, which allows local users to execute arbitrary code via a malicious module in /tmp/.", "cve": "CVE-2005-1632", "id": "pyup.io-66881", "more_info_path": "/vulnerabilities/CVE-2005-1632/66881", "specs": [ ">=0.9.15,<=0.9.16" ], "v": ">=0.9.15,<=0.9.16" } ], "cheetah3": [ { "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.", "cve": "PVE-2021-37134", "id": "pyup.io-37134", "more_info_path": "/vulnerabilities/PVE-2021-37134/37134", "specs": [ "<3.2.2" ], "v": "<3.2.2" } ], "cheroot": [ { "advisory": "Cheroot 6.3.2 introduces a HTTP 400 response to a malicious 'Content-Length' in the request headers.\r\nhttps://github.com/cherrypy/cheroot/commit/040f7bf687fb2c2ae5b98d0c15de65fdb7682a30", "cve": "PVE-2021-39125", "id": "pyup.io-39125", "more_info_path": "/vulnerabilities/PVE-2021-39125/39125", "specs": [ "<6.3.2" ], "v": "<6.3.2" } ], "cherrymusic": [ { "advisory": "Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist.", "cve": "CVE-2015-8310", "id": "pyup.io-42242", "more_info_path": "/vulnerabilities/CVE-2015-8310/42242", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"", "cve": "CVE-2015-8309", "id": "pyup.io-25650", "more_info_path": "/vulnerabilities/CVE-2015-8309/25650", "specs": [ "<0.36.0" ], "v": "<0.36.0" } ], "cherrypy": [ { "advisory": 
"Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via \"..\" sequences in unspecified vectors.", "cve": "CVE-2006-0847", "id": "pyup.io-42231", "more_info_path": "/vulnerabilities/CVE-2006-0847/42231", "specs": [ "<2.1.1" ], "v": "<2.1.1" }, { "advisory": "Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.", "cve": "CVE-2008-0252", "id": "pyup.io-54033", "more_info_path": "/vulnerabilities/CVE-2008-0252/54033", "specs": [ ">=0,<2.1.1", ">=3.0,<3.0.2" ], "v": ">=0,<2.1.1,>=3.0,<3.0.2" } ], "chia": [ { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29590", "id": "pyup.io-44297", "more_info_path": "/vulnerabilities/CVE-2021-29590/44297", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37652", "id": "pyup.io-44344", "more_info_path": "/vulnerabilities/CVE-2021-37652/44344", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37690", "id": "pyup.io-44382", "more_info_path": "/vulnerabilities/CVE-2021-37690/44382", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37642", "id": "pyup.io-44334", "more_info_path": "/vulnerabilities/CVE-2021-37642/44334", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37678", "id": "pyup.io-44370", "more_info_path": 
"/vulnerabilities/CVE-2021-37678/44370", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29612", "id": "pyup.io-44319", "more_info_path": "/vulnerabilities/CVE-2021-29612/44319", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37681", "id": "pyup.io-44373", "more_info_path": "/vulnerabilities/CVE-2021-37681/44373", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37687", "id": "pyup.io-44379", "more_info_path": "/vulnerabilities/CVE-2021-37687/44379", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29529", "id": "pyup.io-44234", "more_info_path": "/vulnerabilities/CVE-2021-29529/44234", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29554", "id": "pyup.io-44259", "more_info_path": "/vulnerabilities/CVE-2021-29554/44259", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29569", "id": "pyup.io-44275", "more_info_path": "/vulnerabilities/CVE-2021-29569/44275", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29573", "id": "pyup.io-44280", "more_info_path": "/vulnerabilities/CVE-2021-29573/44280", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37670", "id": "pyup.io-44362", "more_info_path": "/vulnerabilities/CVE-2021-37670/44362", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include 
security fixes.", "cve": "CVE-2021-29609", "id": "pyup.io-44316", "more_info_path": "/vulnerabilities/CVE-2021-29609/44316", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37637", "id": "pyup.io-44329", "more_info_path": "/vulnerabilities/CVE-2021-37637/44329", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29608", "id": "pyup.io-44315", "more_info_path": "/vulnerabilities/CVE-2021-29608/44315", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37641", "id": "pyup.io-44333", "more_info_path": "/vulnerabilities/CVE-2021-37641/44333", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37662", "id": "pyup.io-44354", "more_info_path": "/vulnerabilities/CVE-2021-37662/44354", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37665", "id": "pyup.io-44357", "more_info_path": "/vulnerabilities/CVE-2021-37665/44357", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37643", "id": "pyup.io-44335", "more_info_path": "/vulnerabilities/CVE-2021-37643/44335", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37645", "id": "pyup.io-44337", "more_info_path": "/vulnerabilities/CVE-2021-37645/44337", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37654", "id": "pyup.io-44346", "more_info_path": "/vulnerabilities/CVE-2021-37654/44346", "specs": [ "<2.4.0" ], 
"v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37655", "id": "pyup.io-44347", "more_info_path": "/vulnerabilities/CVE-2021-37655/44347", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29613", "id": "pyup.io-44320", "more_info_path": "/vulnerabilities/CVE-2021-29613/44320", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29550", "id": "pyup.io-44255", "more_info_path": "/vulnerabilities/CVE-2021-29550/44255", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15202", "id": "pyup.io-44188", "more_info_path": "/vulnerabilities/CVE-2020-15202/44188", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37673", "id": "pyup.io-44365", "more_info_path": "/vulnerabilities/CVE-2021-37673/44365", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37689", "id": "pyup.io-44381", "more_info_path": "/vulnerabilities/CVE-2021-37689/44381", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29562", "id": "pyup.io-44267", "more_info_path": "/vulnerabilities/CVE-2021-29562/44267", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29563", "id": "pyup.io-44268", "more_info_path": "/vulnerabilities/CVE-2021-29563/44268", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29555", "id": "pyup.io-44260", 
"more_info_path": "/vulnerabilities/CVE-2021-29555/44260", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29564", "id": "pyup.io-44269", "more_info_path": "/vulnerabilities/CVE-2021-29564/44269", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29565", "id": "pyup.io-44270", "more_info_path": "/vulnerabilities/CVE-2021-29565/44270", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29569", "id": "pyup.io-44273", "more_info_path": "/vulnerabilities/CVE-2021-29569/44273", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15211", "id": "pyup.io-44197", "more_info_path": "/vulnerabilities/CVE-2020-15211/44197", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15212", "id": "pyup.io-44198", "more_info_path": "/vulnerabilities/CVE-2020-15212/44198", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29578", "id": "pyup.io-44285", "more_info_path": "/vulnerabilities/CVE-2021-29578/44285", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29583", "id": "pyup.io-44290", "more_info_path": "/vulnerabilities/CVE-2021-29583/44290", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29587", "id": "pyup.io-44294", "more_info_path": "/vulnerabilities/CVE-2021-29587/44294", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to 
v2.4.3 to include security fixes.", "cve": "CVE-2021-29540", "id": "pyup.io-44245", "more_info_path": "/vulnerabilities/CVE-2021-29540/44245", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29589", "id": "pyup.io-44296", "more_info_path": "/vulnerabilities/CVE-2021-29589/44296", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29557", "id": "pyup.io-44262", "more_info_path": "/vulnerabilities/CVE-2021-29557/44262", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29558", "id": "pyup.io-44263", "more_info_path": "/vulnerabilities/CVE-2021-29558/44263", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29561", "id": "pyup.io-44266", "more_info_path": "/vulnerabilities/CVE-2021-29561/44266", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29605", "id": "pyup.io-44312", "more_info_path": "/vulnerabilities/CVE-2021-29605/44312", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29615", "id": "pyup.io-44322", "more_info_path": "/vulnerabilities/CVE-2021-29615/44322", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29619", "id": "pyup.io-44326", "more_info_path": "/vulnerabilities/CVE-2021-29619/44326", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37656", "id": "pyup.io-44348", "more_info_path": "/vulnerabilities/CVE-2021-37656/44348", "specs": 
[ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37660", "id": "pyup.io-44352", "more_info_path": "/vulnerabilities/CVE-2021-37660/44352", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29570", "id": "pyup.io-44274", "more_info_path": "/vulnerabilities/CVE-2021-29570/44274", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29581", "id": "pyup.io-44288", "more_info_path": "/vulnerabilities/CVE-2021-29581/44288", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29586", "id": "pyup.io-44293", "more_info_path": "/vulnerabilities/CVE-2021-29586/44293", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29598", "id": "pyup.io-44305", "more_info_path": "/vulnerabilities/CVE-2021-29598/44305", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29600", "id": "pyup.io-44307", "more_info_path": "/vulnerabilities/CVE-2021-29600/44307", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29604", "id": "pyup.io-44311", "more_info_path": "/vulnerabilities/CVE-2021-29604/44311", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29579", "id": "pyup.io-44286", "more_info_path": "/vulnerabilities/CVE-2021-29579/44286", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29582", "id": 
"pyup.io-44289", "more_info_path": "/vulnerabilities/CVE-2021-29582/44289", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29536", "id": "pyup.io-44241", "more_info_path": "/vulnerabilities/CVE-2021-29536/44241", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15204", "id": "pyup.io-44190", "more_info_path": "/vulnerabilities/CVE-2020-15204/44190", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29585", "id": "pyup.io-44292", "more_info_path": "/vulnerabilities/CVE-2021-29585/44292", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29617", "id": "pyup.io-44324", "more_info_path": "/vulnerabilities/CVE-2021-29617/44324", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37635", "id": "pyup.io-44327", "more_info_path": "/vulnerabilities/CVE-2021-37635/44327", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29592", "id": "pyup.io-44299", "more_info_path": "/vulnerabilities/CVE-2021-29592/44299", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29594", "id": "pyup.io-44301", "more_info_path": "/vulnerabilities/CVE-2021-29594/44301", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29593", "id": "pyup.io-44300", "more_info_path": "/vulnerabilities/CVE-2021-29593/44300", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates 
Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29551", "id": "pyup.io-44256", "more_info_path": "/vulnerabilities/CVE-2021-29551/44256", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29553", "id": "pyup.io-44258", "more_info_path": "/vulnerabilities/CVE-2021-29553/44258", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29556", "id": "pyup.io-44261", "more_info_path": "/vulnerabilities/CVE-2021-29556/44261", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29559", "id": "pyup.io-44264", "more_info_path": "/vulnerabilities/CVE-2021-29559/44264", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29560", "id": "pyup.io-44265", "more_info_path": "/vulnerabilities/CVE-2021-29560/44265", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29571", "id": "pyup.io-44278", "more_info_path": "/vulnerabilities/CVE-2021-29571/44278", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29572", "id": "pyup.io-44279", "more_info_path": "/vulnerabilities/CVE-2021-29572/44279", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29577", "id": "pyup.io-44284", "more_info_path": "/vulnerabilities/CVE-2021-29577/44284", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29588", "id": "pyup.io-44295", "more_info_path": 
"/vulnerabilities/CVE-2021-29588/44295", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29576", "id": "pyup.io-44283", "more_info_path": "/vulnerabilities/CVE-2021-29576/44283", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29595", "id": "pyup.io-44302", "more_info_path": "/vulnerabilities/CVE-2021-29595/44302", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29599", "id": "pyup.io-44306", "more_info_path": "/vulnerabilities/CVE-2021-29599/44306", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29601", "id": "pyup.io-44308", "more_info_path": "/vulnerabilities/CVE-2021-29601/44308", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29602", "id": "pyup.io-44309", "more_info_path": "/vulnerabilities/CVE-2021-29602/44309", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29606", "id": "pyup.io-44313", "more_info_path": "/vulnerabilities/CVE-2021-29606/44313", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29611", "id": "pyup.io-44318", "more_info_path": "/vulnerabilities/CVE-2021-29611/44318", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29618", "id": "pyup.io-44325", "more_info_path": "/vulnerabilities/CVE-2021-29618/44325", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include 
security fixes.", "cve": "CVE-2021-37636", "id": "pyup.io-44328", "more_info_path": "/vulnerabilities/CVE-2021-37636/44328", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37640", "id": "pyup.io-44332", "more_info_path": "/vulnerabilities/CVE-2021-37640/44332", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37661", "id": "pyup.io-44353", "more_info_path": "/vulnerabilities/CVE-2021-37661/44353", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37666", "id": "pyup.io-44358", "more_info_path": "/vulnerabilities/CVE-2021-37666/44358", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29584", "id": "pyup.io-44291", "more_info_path": "/vulnerabilities/CVE-2021-29584/44291", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37669", "id": "pyup.io-44361", "more_info_path": "/vulnerabilities/CVE-2021-37669/44361", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37688", "id": "pyup.io-44380", "more_info_path": "/vulnerabilities/CVE-2021-37688/44380", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29580", "id": "pyup.io-44287", "more_info_path": "/vulnerabilities/CVE-2021-29580/44287", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29596", "id": "pyup.io-44303", "more_info_path": "/vulnerabilities/CVE-2021-29596/44303", "specs": [ "<2.4.0" ], 
"v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29597", "id": "pyup.io-44304", "more_info_path": "/vulnerabilities/CVE-2021-29597/44304", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29591", "id": "pyup.io-44298", "more_info_path": "/vulnerabilities/CVE-2021-29591/44298", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37664", "id": "pyup.io-44356", "more_info_path": "/vulnerabilities/CVE-2021-37664/44356", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37682", "id": "pyup.io-44374", "more_info_path": "/vulnerabilities/CVE-2021-37682/44374", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15208", "id": "pyup.io-44194", "more_info_path": "/vulnerabilities/CVE-2020-15208/44194", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29548", "id": "pyup.io-44253", "more_info_path": "/vulnerabilities/CVE-2021-29548/44253", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15190", "id": "pyup.io-44176", "more_info_path": "/vulnerabilities/CVE-2020-15190/44176", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15191", "id": "pyup.io-44177", "more_info_path": "/vulnerabilities/CVE-2020-15191/44177", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15194", "id": "pyup.io-44180", 
"more_info_path": "/vulnerabilities/CVE-2020-15194/44180", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15203", "id": "pyup.io-44189", "more_info_path": "/vulnerabilities/CVE-2020-15203/44189", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15206", "id": "pyup.io-44192", "more_info_path": "/vulnerabilities/CVE-2020-15206/44192", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15266", "id": "pyup.io-44202", "more_info_path": "/vulnerabilities/CVE-2020-15266/44202", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29516", "id": "pyup.io-44221", "more_info_path": "/vulnerabilities/CVE-2021-29516/44221", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29519", "id": "pyup.io-44224", "more_info_path": "/vulnerabilities/CVE-2021-29519/44224", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29524", "id": "pyup.io-44229", "more_info_path": "/vulnerabilities/CVE-2021-29524/44229", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29530", "id": "pyup.io-44235", "more_info_path": "/vulnerabilities/CVE-2021-29530/44235", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29533", "id": "pyup.io-44238", "more_info_path": "/vulnerabilities/CVE-2021-29533/44238", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to 
v2.4.3 to include security fixes.", "cve": "CVE-2021-29535", "id": "pyup.io-44240", "more_info_path": "/vulnerabilities/CVE-2021-29535/44240", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29537", "id": "pyup.io-44242", "more_info_path": "/vulnerabilities/CVE-2021-29537/44242", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29539", "id": "pyup.io-44244", "more_info_path": "/vulnerabilities/CVE-2021-29539/44244", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29549", "id": "pyup.io-44254", "more_info_path": "/vulnerabilities/CVE-2021-29549/44254", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37638", "id": "pyup.io-44330", "more_info_path": "/vulnerabilities/CVE-2021-37638/44330", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29603", "id": "pyup.io-44310", "more_info_path": "/vulnerabilities/CVE-2021-29603/44310", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29607", "id": "pyup.io-44314", "more_info_path": "/vulnerabilities/CVE-2021-29607/44314", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29616", "id": "pyup.io-44323", "more_info_path": "/vulnerabilities/CVE-2021-29616/44323", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29552", "id": "pyup.io-44257", "more_info_path": "/vulnerabilities/CVE-2021-29552/44257", "specs": 
[ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29566", "id": "pyup.io-44271", "more_info_path": "/vulnerabilities/CVE-2021-29566/44271", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29570", "id": "pyup.io-44276", "more_info_path": "/vulnerabilities/CVE-2021-29570/44276", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29569", "id": "pyup.io-44277", "more_info_path": "/vulnerabilities/CVE-2021-29569/44277", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29574", "id": "pyup.io-44281", "more_info_path": "/vulnerabilities/CVE-2021-29574/44281", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29575", "id": "pyup.io-44282", "more_info_path": "/vulnerabilities/CVE-2021-29575/44282", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37639", "id": "pyup.io-44331", "more_info_path": "/vulnerabilities/CVE-2021-37639/44331", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37644", "id": "pyup.io-44336", "more_info_path": "/vulnerabilities/CVE-2021-37644/44336", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37646", "id": "pyup.io-44338", "more_info_path": "/vulnerabilities/CVE-2021-37646/44338", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37647", "id": 
"pyup.io-44339", "more_info_path": "/vulnerabilities/CVE-2021-37647/44339", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37648", "id": "pyup.io-44340", "more_info_path": "/vulnerabilities/CVE-2021-37648/44340", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37649", "id": "pyup.io-44341", "more_info_path": "/vulnerabilities/CVE-2021-37649/44341", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37650", "id": "pyup.io-44342", "more_info_path": "/vulnerabilities/CVE-2021-37650/44342", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37651", "id": "pyup.io-44343", "more_info_path": "/vulnerabilities/CVE-2021-37651/44343", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37653", "id": "pyup.io-44345", "more_info_path": "/vulnerabilities/CVE-2021-37653/44345", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37657", "id": "pyup.io-44349", "more_info_path": "/vulnerabilities/CVE-2021-37657/44349", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37658", "id": "pyup.io-44350", "more_info_path": "/vulnerabilities/CVE-2021-37658/44350", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37659", "id": "pyup.io-44351", "more_info_path": "/vulnerabilities/CVE-2021-37659/44351", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates 
Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37663", "id": "pyup.io-44355", "more_info_path": "/vulnerabilities/CVE-2021-37663/44355", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37667", "id": "pyup.io-44359", "more_info_path": "/vulnerabilities/CVE-2021-37667/44359", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37668", "id": "pyup.io-44360", "more_info_path": "/vulnerabilities/CVE-2021-37668/44360", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37671", "id": "pyup.io-44363", "more_info_path": "/vulnerabilities/CVE-2021-37671/44363", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37672", "id": "pyup.io-44364", "more_info_path": "/vulnerabilities/CVE-2021-37672/44364", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37675", "id": "pyup.io-44367", "more_info_path": "/vulnerabilities/CVE-2021-37675/44367", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37676", "id": "pyup.io-44368", "more_info_path": "/vulnerabilities/CVE-2021-37676/44368", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37679", "id": "pyup.io-44371", "more_info_path": "/vulnerabilities/CVE-2021-37679/44371", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37680", "id": "pyup.io-44372", "more_info_path": 
"/vulnerabilities/CVE-2021-37680/44372", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37683", "id": "pyup.io-44375", "more_info_path": "/vulnerabilities/CVE-2021-37683/44375", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37684", "id": "pyup.io-44376", "more_info_path": "/vulnerabilities/CVE-2021-37684/44376", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37685", "id": "pyup.io-44377", "more_info_path": "/vulnerabilities/CVE-2021-37685/44377", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37686", "id": "pyup.io-44378", "more_info_path": "/vulnerabilities/CVE-2021-37686/44378", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37691", "id": "pyup.io-44383", "more_info_path": "/vulnerabilities/CVE-2021-37691/44383", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15195", "id": "pyup.io-44181", "more_info_path": "/vulnerabilities/CVE-2020-15195/44181", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15209", "id": "pyup.io-44195", "more_info_path": "/vulnerabilities/CVE-2020-15209/44195", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-26271", "id": "pyup.io-44208", "more_info_path": "/vulnerabilities/CVE-2020-26271/44208", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include 
security fixes.", "cve": "CVE-2021-29517", "id": "pyup.io-44222", "more_info_path": "/vulnerabilities/CVE-2021-29517/44222", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29518", "id": "pyup.io-44223", "more_info_path": "/vulnerabilities/CVE-2021-29518/44223", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29523", "id": "pyup.io-44228", "more_info_path": "/vulnerabilities/CVE-2021-29523/44228", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29526", "id": "pyup.io-44231", "more_info_path": "/vulnerabilities/CVE-2021-29526/44231", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29534", "id": "pyup.io-44239", "more_info_path": "/vulnerabilities/CVE-2021-29534/44239", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15192", "id": "pyup.io-44178", "more_info_path": "/vulnerabilities/CVE-2020-15192/44178", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15193", "id": "pyup.io-44179", "more_info_path": "/vulnerabilities/CVE-2020-15193/44179", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15196", "id": "pyup.io-44182", "more_info_path": "/vulnerabilities/CVE-2020-15196/44182", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15197", "id": "pyup.io-44183", "more_info_path": "/vulnerabilities/CVE-2020-15197/44183", "specs": [ "<2.4.0" ], 
"v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15198", "id": "pyup.io-44184", "more_info_path": "/vulnerabilities/CVE-2020-15198/44184", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15199", "id": "pyup.io-44185", "more_info_path": "/vulnerabilities/CVE-2020-15199/44185", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15200", "id": "pyup.io-44186", "more_info_path": "/vulnerabilities/CVE-2020-15200/44186", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15201", "id": "pyup.io-44187", "more_info_path": "/vulnerabilities/CVE-2020-15201/44187", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15205", "id": "pyup.io-44191", "more_info_path": "/vulnerabilities/CVE-2020-15205/44191", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15207", "id": "pyup.io-44193", "more_info_path": "/vulnerabilities/CVE-2020-15207/44193", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15210", "id": "pyup.io-44196", "more_info_path": "/vulnerabilities/CVE-2020-15210/44196", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15213", "id": "pyup.io-44199", "more_info_path": "/vulnerabilities/CVE-2020-15213/44199", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15214", "id": "pyup.io-44200", 
"more_info_path": "/vulnerabilities/CVE-2020-15214/44200", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-26266", "id": "pyup.io-44204", "more_info_path": "/vulnerabilities/CVE-2020-26266/44204", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15265", "id": "pyup.io-44201", "more_info_path": "/vulnerabilities/CVE-2020-15265/44201", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-26267", "id": "pyup.io-44205", "more_info_path": "/vulnerabilities/CVE-2020-26267/44205", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-26268", "id": "pyup.io-44206", "more_info_path": "/vulnerabilities/CVE-2020-26268/44206", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-26270", "id": "pyup.io-44207", "more_info_path": "/vulnerabilities/CVE-2020-26270/44207", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29513", "id": "pyup.io-44218", "more_info_path": "/vulnerabilities/CVE-2021-29513/44218", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29514", "id": "pyup.io-44219", "more_info_path": "/vulnerabilities/CVE-2021-29514/44219", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29515", "id": "pyup.io-44220", "more_info_path": "/vulnerabilities/CVE-2021-29515/44220", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to 
v2.4.3 to include security fixes.", "cve": "CVE-2021-29521", "id": "pyup.io-44226", "more_info_path": "/vulnerabilities/CVE-2021-29521/44226", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29522", "id": "pyup.io-44227", "more_info_path": "/vulnerabilities/CVE-2021-29522/44227", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29525", "id": "pyup.io-44230", "more_info_path": "/vulnerabilities/CVE-2021-29525/44230", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29527", "id": "pyup.io-44232", "more_info_path": "/vulnerabilities/CVE-2021-29527/44232", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29528", "id": "pyup.io-44233", "more_info_path": "/vulnerabilities/CVE-2021-29528/44233", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29531", "id": "pyup.io-44236", "more_info_path": "/vulnerabilities/CVE-2021-29531/44236", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29532", "id": "pyup.io-44237", "more_info_path": "/vulnerabilities/CVE-2021-29532/44237", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29538", "id": "pyup.io-44243", "more_info_path": "/vulnerabilities/CVE-2021-29538/44243", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29541", "id": "pyup.io-44246", "more_info_path": "/vulnerabilities/CVE-2021-29541/44246", "specs": 
[ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29545", "id": "pyup.io-44250", "more_info_path": "/vulnerabilities/CVE-2021-29545/44250", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29543", "id": "pyup.io-44248", "more_info_path": "/vulnerabilities/CVE-2021-29543/44248", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29546", "id": "pyup.io-44251", "more_info_path": "/vulnerabilities/CVE-2021-29546/44251", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29547", "id": "pyup.io-44252", "more_info_path": "/vulnerabilities/CVE-2021-29547/44252", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-8177", "id": "pyup.io-44210", "more_info_path": "/vulnerabilities/CVE-2020-8177/44210", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29614", "id": "pyup.io-44321", "more_info_path": "/vulnerabilities/CVE-2021-29614/44321", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29542", "id": "pyup.io-44247", "more_info_path": "/vulnerabilities/CVE-2021-29542/44247", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29520", "id": "pyup.io-44225", "more_info_path": "/vulnerabilities/CVE-2021-29520/44225", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-22876", "id": 
"pyup.io-44214", "more_info_path": "/vulnerabilities/CVE-2021-22876/44214", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-8286", "id": "pyup.io-44213", "more_info_path": "/vulnerabilities/CVE-2020-8286/44213", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-8169", "id": "pyup.io-44209", "more_info_path": "/vulnerabilities/CVE-2020-8169/44209", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-14155", "id": "pyup.io-44175", "more_info_path": "/vulnerabilities/CVE-2020-14155/44175", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2019-20838", "id": "pyup.io-41298", "more_info_path": "/vulnerabilities/CVE-2019-20838/41298", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-15358", "id": "pyup.io-44203", "more_info_path": "/vulnerabilities/CVE-2020-15358/44203", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29610", "id": "pyup.io-44317", "more_info_path": "/vulnerabilities/CVE-2021-29610/44317", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-8284", "id": "pyup.io-44212", "more_info_path": "/vulnerabilities/CVE-2020-8284/44212", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37674", "id": "pyup.io-44366", "more_info_path": "/vulnerabilities/CVE-2021-37674/44366", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates 
Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29568", "id": "pyup.io-44272", "more_info_path": "/vulnerabilities/CVE-2021-29568/44272", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-37677", "id": "pyup.io-44369", "more_info_path": "/vulnerabilities/CVE-2021-37677/44369", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-8231", "id": "pyup.io-44211", "more_info_path": "/vulnerabilities/CVE-2020-8231/44211", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2020-13790", "id": "pyup.io-44174", "more_info_path": "/vulnerabilities/CVE-2020-13790/44174", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-22901", "id": "pyup.io-44217", "more_info_path": "/vulnerabilities/CVE-2021-22901/44217", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-22898", "id": "pyup.io-44216", "more_info_path": "/vulnerabilities/CVE-2021-22898/44216", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-22897", "id": "pyup.io-44215", "more_info_path": "/vulnerabilities/CVE-2021-22897/44215", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia 2.4.0 updates Tensorflow to v2.4.3 to include security fixes.", "cve": "CVE-2021-29544", "id": "pyup.io-44249", "more_info_path": "/vulnerabilities/CVE-2021-29544/44249", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41213", "id": 
"pyup.io-46814", "more_info_path": "/vulnerabilities/CVE-2021-41213/46814", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23568", "id": "pyup.io-46858", "more_info_path": "/vulnerabilities/CVE-2022-23568/46858", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41214", "id": "pyup.io-46815", "more_info_path": "/vulnerabilities/CVE-2021-41214/46815", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41220", "id": "pyup.io-46821", "more_info_path": "/vulnerabilities/CVE-2021-41220/46821", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41223", "id": "pyup.io-46824", "more_info_path": "/vulnerabilities/CVE-2021-41223/46824", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41224", "id": "pyup.io-46825", "more_info_path": "/vulnerabilities/CVE-2021-41224/46825", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41226", "id": "pyup.io-46827", "more_info_path": "/vulnerabilities/CVE-2021-41226/46827", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that 
have several known vulnerabilities.", "cve": "CVE-2021-41227", "id": "pyup.io-46828", "more_info_path": "/vulnerabilities/CVE-2021-41227/46828", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21729", "id": "pyup.io-46834", "more_info_path": "/vulnerabilities/CVE-2022-21729/46834", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21730", "id": "pyup.io-46835", "more_info_path": "/vulnerabilities/CVE-2022-21730/46835", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21732", "id": "pyup.io-46837", "more_info_path": "/vulnerabilities/CVE-2022-21732/46837", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21733", "id": "pyup.io-46838", "more_info_path": "/vulnerabilities/CVE-2022-21733/46838", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23587", "id": "pyup.io-46877", "more_info_path": "/vulnerabilities/CVE-2022-23587/46877", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23589", "id": "pyup.io-46879", "more_info_path": "/vulnerabilities/CVE-2022-23589/46879", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and 
prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23595", "id": "pyup.io-46881", "more_info_path": "/vulnerabilities/CVE-2022-23595/46881", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41219", "id": "pyup.io-46820", "more_info_path": "/vulnerabilities/CVE-2021-41219/46820", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41221", "id": "pyup.io-46822", "more_info_path": "/vulnerabilities/CVE-2021-41221/46822", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41222", "id": "pyup.io-46823", "more_info_path": "/vulnerabilities/CVE-2021-41222/46823", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41225", "id": "pyup.io-46826", "more_info_path": "/vulnerabilities/CVE-2021-41225/46826", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21726", "id": "pyup.io-46831", "more_info_path": "/vulnerabilities/CVE-2022-21726/46831", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41228", "id": "pyup.io-46829", "more_info_path": "/vulnerabilities/CVE-2021-41228/46829", "specs": [ 
"<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21727", "id": "pyup.io-46832", "more_info_path": "/vulnerabilities/CVE-2022-21727/46832", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21728", "id": "pyup.io-46833", "more_info_path": "/vulnerabilities/CVE-2022-21728/46833", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21731", "id": "pyup.io-46836", "more_info_path": "/vulnerabilities/CVE-2022-21731/46836", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21734", "id": "pyup.io-46839", "more_info_path": "/vulnerabilities/CVE-2022-21734/46839", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21736", "id": "pyup.io-46841", "more_info_path": "/vulnerabilities/CVE-2022-21736/46841", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21735", "id": "pyup.io-46840", "more_info_path": "/vulnerabilities/CVE-2022-21735/46840", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21737", "id": "pyup.io-46842", 
"more_info_path": "/vulnerabilities/CVE-2022-21737/46842", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21738", "id": "pyup.io-46843", "more_info_path": "/vulnerabilities/CVE-2022-21738/46843", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21739", "id": "pyup.io-46844", "more_info_path": "/vulnerabilities/CVE-2022-21739/46844", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21740", "id": "pyup.io-46845", "more_info_path": "/vulnerabilities/CVE-2022-21740/46845", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21741", "id": "pyup.io-46846", "more_info_path": "/vulnerabilities/CVE-2022-21741/46846", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23557", "id": "pyup.io-46847", "more_info_path": "/vulnerabilities/CVE-2022-23557/46847", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23558", "id": "pyup.io-46848", "more_info_path": "/vulnerabilities/CVE-2022-23558/46848", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known 
vulnerabilities.", "cve": "CVE-2022-23559", "id": "pyup.io-46849", "more_info_path": "/vulnerabilities/CVE-2022-23559/46849", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23560", "id": "pyup.io-46850", "more_info_path": "/vulnerabilities/CVE-2022-23560/46850", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23561", "id": "pyup.io-46851", "more_info_path": "/vulnerabilities/CVE-2022-23561/46851", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23562", "id": "pyup.io-46852", "more_info_path": "/vulnerabilities/CVE-2022-23562/46852", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23564", "id": "pyup.io-46854", "more_info_path": "/vulnerabilities/CVE-2022-23564/46854", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23565", "id": "pyup.io-46855", "more_info_path": "/vulnerabilities/CVE-2022-23565/46855", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23566", "id": "pyup.io-46856", "more_info_path": "/vulnerabilities/CVE-2022-23566/46856", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as 
minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23567", "id": "pyup.io-46857", "more_info_path": "/vulnerabilities/CVE-2022-23567/46857", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23569", "id": "pyup.io-46859", "more_info_path": "/vulnerabilities/CVE-2022-23569/46859", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23570", "id": "pyup.io-46860", "more_info_path": "/vulnerabilities/CVE-2022-23570/46860", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23571", "id": "pyup.io-46861", "more_info_path": "/vulnerabilities/CVE-2022-23571/46861", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23572", "id": "pyup.io-46862", "more_info_path": "/vulnerabilities/CVE-2022-23572/46862", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23573", "id": "pyup.io-46863", "more_info_path": "/vulnerabilities/CVE-2022-23573/46863", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23574", "id": "pyup.io-46864", "more_info_path": "/vulnerabilities/CVE-2022-23574/46864", "specs": [ "<=2.5.0" ], "v": 
"<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23575", "id": "pyup.io-46865", "more_info_path": "/vulnerabilities/CVE-2022-23575/46865", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23576", "id": "pyup.io-46866", "more_info_path": "/vulnerabilities/CVE-2022-23576/46866", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23577", "id": "pyup.io-46867", "more_info_path": "/vulnerabilities/CVE-2022-23577/46867", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23578", "id": "pyup.io-46868", "more_info_path": "/vulnerabilities/CVE-2022-23578/46868", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23579", "id": "pyup.io-46869", "more_info_path": "/vulnerabilities/CVE-2022-23579/46869", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23581", "id": "pyup.io-46871", "more_info_path": "/vulnerabilities/CVE-2022-23581/46871", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23582", "id": "pyup.io-46872", "more_info_path": 
"/vulnerabilities/CVE-2022-23582/46872", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23584", "id": "pyup.io-46874", "more_info_path": "/vulnerabilities/CVE-2022-23584/46874", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23585", "id": "pyup.io-46875", "more_info_path": "/vulnerabilities/CVE-2022-23585/46875", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23586", "id": "pyup.io-46876", "more_info_path": "/vulnerabilities/CVE-2022-23586/46876", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23588", "id": "pyup.io-46878", "more_info_path": "/vulnerabilities/CVE-2022-23588/46878", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41202", "id": "pyup.io-46803", "more_info_path": "/vulnerabilities/CVE-2021-41202/46803", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41211", "id": "pyup.io-46812", "more_info_path": "/vulnerabilities/CVE-2021-41211/46812", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", 
"cve": "CVE-2021-41218", "id": "pyup.io-46819", "more_info_path": "/vulnerabilities/CVE-2021-41218/46819", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23591", "id": "pyup.io-46880", "more_info_path": "/vulnerabilities/CVE-2022-23591/46880", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-21725", "id": "pyup.io-46830", "more_info_path": "/vulnerabilities/CVE-2022-21725/46830", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41195", "id": "pyup.io-46796", "more_info_path": "/vulnerabilities/CVE-2021-41195/46796", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41196", "id": "pyup.io-46797", "more_info_path": "/vulnerabilities/CVE-2021-41196/46797", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41197", "id": "pyup.io-46798", "more_info_path": "/vulnerabilities/CVE-2021-41197/46798", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41200", "id": "pyup.io-46801", "more_info_path": "/vulnerabilities/CVE-2021-41200/46801", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency 
TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41198", "id": "pyup.io-46799", "more_info_path": "/vulnerabilities/CVE-2021-41198/46799", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41199", "id": "pyup.io-46800", "more_info_path": "/vulnerabilities/CVE-2021-41199/46800", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41201", "id": "pyup.io-46802", "more_info_path": "/vulnerabilities/CVE-2021-41201/46802", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41204", "id": "pyup.io-46805", "more_info_path": "/vulnerabilities/CVE-2021-41204/46805", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41203", "id": "pyup.io-46804", "more_info_path": "/vulnerabilities/CVE-2021-41203/46804", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41205", "id": "pyup.io-46806", "more_info_path": "/vulnerabilities/CVE-2021-41205/46806", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41206", "id": "pyup.io-46807", "more_info_path": "/vulnerabilities/CVE-2021-41206/46807", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { 
"advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41207", "id": "pyup.io-46808", "more_info_path": "/vulnerabilities/CVE-2021-41207/46808", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41208", "id": "pyup.io-46809", "more_info_path": "/vulnerabilities/CVE-2021-41208/46809", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41209", "id": "pyup.io-46810", "more_info_path": "/vulnerabilities/CVE-2021-41209/46810", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41210", "id": "pyup.io-46811", "more_info_path": "/vulnerabilities/CVE-2021-41210/46811", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41212", "id": "pyup.io-46813", "more_info_path": "/vulnerabilities/CVE-2021-41212/46813", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41215", "id": "pyup.io-46816", "more_info_path": "/vulnerabilities/CVE-2021-41215/46816", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41216", "id": "pyup.io-46817", "more_info_path": 
"/vulnerabilities/CVE-2021-41216/46817", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41217", "id": "pyup.io-46818", "more_info_path": "/vulnerabilities/CVE-2021-41217/46818", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23563", "id": "pyup.io-46853", "more_info_path": "/vulnerabilities/CVE-2022-23563/46853", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23583", "id": "pyup.io-46873", "more_info_path": "/vulnerabilities/CVE-2022-23583/46873", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2022-23580", "id": "pyup.io-46870", "more_info_path": "/vulnerabilities/CVE-2022-23580/46870", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-22924", "id": "pyup.io-46794", "more_info_path": "/vulnerabilities/CVE-2021-22924/46794", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-22923", "id": "pyup.io-46793", "more_info_path": "/vulnerabilities/CVE-2021-22923/46793", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", 
"cve": "CVE-2020-10531", "id": "pyup.io-46791", "more_info_path": "/vulnerabilities/CVE-2020-10531/46791", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-22925", "id": "pyup.io-46795", "more_info_path": "/vulnerabilities/CVE-2021-22925/46795", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" }, { "advisory": "Chia versions 2.5.0 and prior require as minimum dependency TensorFlow v2.6.0 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-22922", "id": "pyup.io-46792", "more_info_path": "/vulnerabilities/CVE-2021-22922/46792", "specs": [ "<=2.5.0" ], "v": "<=2.5.0" } ], "chia-blockchain": [ { "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.", "cve": "PVE-2021-39444", "id": "pyup.io-39444", "more_info_path": "/vulnerabilities/PVE-2021-39444/39444", "specs": [ "<1.0b19" ], "v": "<1.0b19" }, { "advisory": "Chia-blockchain 1.0b27 updates its GUI to handle CVE-2020-28477.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/45c85c0030a9b07bd3d07fc0e7f7afc540b53009", "cve": "CVE-2020-28477", "id": "pyup.io-42341", "more_info_path": "/vulnerabilities/CVE-2020-28477/42341", "specs": [ "<1.0b27" ], "v": "<1.0b27" }, { "advisory": "Chia-blockchain 1.0b27 updates its dependency 'pyyaml' to v5.4.1 to include a security fix.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/c3eae20b877a85eface0d4043abb5777fad3acf4", "cve": "CVE-2020-14343", "id": "pyup.io-42367", "more_info_path": "/vulnerabilities/CVE-2020-14343/42367", "specs": [ "<1.0b27" ], "v": "<1.0b27" }, { "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.", "cve": "PVE-2021-38700", "id": "pyup.io-38700", "more_info_path": "/vulnerabilities/PVE-2021-38700/38700", "specs": [ "<1.0beta10" ], "v": "<1.0beta10" }, { 
"advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.", "cve": "PVE-2021-38844", "id": "pyup.io-38844", "more_info_path": "/vulnerabilities/PVE-2021-38844/38844", "specs": [ "<1.0beta14" ], "v": "<1.0beta14" }, { "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. This increases security.", "cve": "PVE-2021-38582", "id": "pyup.io-38582", "more_info_path": "/vulnerabilities/PVE-2021-38582/38582", "specs": [ "<1.0beta8" ], "v": "<1.0beta8" }, { "advisory": "Chia-blockchain 1.0rc5 updates its dependency 'aiohttp' to version '3.7.4' to include a security fix.\r\nhttps://github.com/Chia-Network/chia-blockchain/commit/f0a598b1a592ce4d7a8981b1b372e75452d8ea11\r\nhttps://github.com/advisories/GHSA-v6wp-4m6f-gcjg", "cve": "CVE-2021-21330", "id": "pyup.io-59386", "more_info_path": "/vulnerabilities/CVE-2021-21330/59386", "specs": [ "<1.0rc5" ], "v": "<1.0rc5" }, { "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node.\r\nhttps://github.com/Chia-Network/chia-blockchain/pull/1259", "cve": "PVE-2021-39703", "id": "pyup.io-39703", "more_info_path": "/vulnerabilities/PVE-2021-39703/39703", "specs": [ "<1.0rc6" ], "v": "<1.0rc6" }, { "advisory": "Chia-blockchain 1.3.2 updates its dependency 'OpenSSL' to include a fix for a DoS vulnerability.\r\nhttps://github.com/Chia-Network/chia-blockchain/pull/10988\r\nhttps://github.com/Chia-Network/chia-blockchain/pull/10991", "cve": "CVE-2022-0778", "id": "pyup.io-59381", "more_info_path": "/vulnerabilities/CVE-2022-0778/59381", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Chia-blockchain 1.4.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/Chia-Network/chia-blockchain/pull/11324", "cve": "PVE-2023-59663", "id": "pyup.io-59663", "more_info_path": 
"/vulnerabilities/PVE-2023-59663/59663", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { "advisory": "Chia-blockchain 1.5.0 includes a fix for CVE-2022-36447: Tokens previously minted on the Chia blockchain using the 'CAT1' standard can be inflated in arbitrary amounts by any holder of the token. Total amount of the token can be increased as high as the malicious actor pleases. This is true for every 'CAT1' on the Chia blockchain, regardless of issuance rules. This attack is auditable on-chain, so maliciously altered coins can potentially be \"marked\" by off-chain observers as malicious.", "cve": "CVE-2022-36447", "id": "pyup.io-50737", "more_info_path": "/vulnerabilities/CVE-2022-36447/50737", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Chia-blockchain 1.8.0 includes unspecified critical security updates.\r\nhttps://www.chia.net/2023/05/03/version-1-8-0-release", "cve": "PVE-2024-63739", "id": "pyup.io-63739", "more_info_path": "/vulnerabilities/PVE-2024-63739/63739", "specs": [ "<1.8.0" ], "v": "<1.8.0" }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2133", "id": "pyup.io-64104", "more_info_path": "/vulnerabilities/CVE-2023-2133/64104", "specs": [ "<1.8.1rc4" ], "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2033", "id": "pyup.io-63738", "more_info_path": "/vulnerabilities/CVE-2023-2033/63738", "specs": [ "<1.8.1rc4" ], "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2136", "id": "pyup.io-64107", "more_info_path": "/vulnerabilities/CVE-2023-2136/64107", "specs": [ "<1.8.1rc4" ], "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2135", "id": "pyup.io-64106", 
"more_info_path": "/vulnerabilities/CVE-2023-2135/64106", "specs": [ "<1.8.1rc4" ], "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", "cve": "CVE-2023-2134", "id": "pyup.io-64105", "more_info_path": "/vulnerabilities/CVE-2023-2134/64105", "specs": [ "<1.8.1rc4" ], "v": "<1.8.1rc4" }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", "cve": "CVE-2023-3728", "id": "pyup.io-64108", "more_info_path": "/vulnerabilities/CVE-2023-3728/64108", "specs": [ "<2.0.0rc4" ], "v": "<2.0.0rc4" }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", "cve": "CVE-2023-3730", "id": "pyup.io-64109", "more_info_path": "/vulnerabilities/CVE-2023-3730/64109", "specs": [ "<2.0.0rc4" ], "v": "<2.0.0rc4" }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", "cve": "CVE-2023-3732", "id": "pyup.io-63735", "more_info_path": "/vulnerabilities/CVE-2023-3732/63735", "specs": [ "<2.0.0rc4" ], "v": "<2.0.0rc4" }, { "advisory": "Chia-blockchain 2.1.0 updates its NPM dependency 'Electron' to 26.2.1 to include a security fix.", "cve": "CVE-2023-4863", "id": "pyup.io-63732", "more_info_path": "/vulnerabilities/CVE-2023-4863/63732", "specs": [ "<2.1.0" ], "v": "<2.1.0" } ], "chiapos": [ { "advisory": "Chiapos 1.0.12b3 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/Chia-Network/chiapos/pull/349", "cve": "PVE-2023-59535", "id": "pyup.io-59535", "more_info_path": "/vulnerabilities/PVE-2023-59535/59535", "specs": [ "<1.0.12b3" ], "v": "<1.0.12b3" } ], "chiavdf": [ { "advisory": "Chiavdf 1.0 includes a fix to 
prevent potential grinding attacks.\r\nhttps://github.com/Chia-Network/chiavdf/commit/2f2dc55b8c11597d0674a1f347bfbefd0efcafa3", "cve": "PVE-2021-39691", "id": "pyup.io-39691", "more_info_path": "/vulnerabilities/PVE-2021-39691/39691", "specs": [ "<1.0" ], "v": "<1.0" } ], "chinaski": [ { "advisory": "Chinaski 0.0.2 includes a fix for a REDoS vulnerability.\r\nhttps://github.com/w0rmr1d3r/chinaski/pull/5", "cve": "PVE-2023-53495", "id": "pyup.io-53495", "more_info_path": "/vulnerabilities/PVE-2023-53495/53495", "specs": [ "<0.0.2" ], "v": "<0.0.2" } ], "chinilla-blockchain": [ { "advisory": "Chinilla-blockchain 1.2.0 includes a fix for CVE-2022-36447, where in tokens previously minted on the Chinilla blockchain using the CAT1 standard can be inflated in arbitrary amounts by any holder of the token. Total amount of the token can be increased as high as the malicious actor pleases. This is true for every CAT1 on the Chinilla blockchain, regardless of issuance rules. This attack is auditable on-chain, so maliciously altered coins can potentially be \"marked\" by off-chain observers as malicious.", "cve": "CVE-2022-36447", "id": "pyup.io-52641", "more_info_path": "/vulnerabilities/CVE-2022-36447/52641", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "chipsec": [ { "advisory": "Chipsec 1.11.0 updates its dependency 'flask' to versions '>=2.2.5' to include a security fix.", "cve": "CVE-2023-30861", "id": "pyup.io-58853", "more_info_path": "/vulnerabilities/CVE-2023-30861/58853", "specs": [ "<1.11.0" ], "v": "<1.11.0" } ], "choochoo": [ { "advisory": "Choochoo 0.40.0 updates its NPM dependency 'lodash' to 4.17.21 to include security fixes.", "cve": "CVE-2021-23337", "id": "pyup.io-41273", "more_info_path": "/vulnerabilities/CVE-2021-23337/41273", "specs": [ "<0.40.0" ], "v": "<0.40.0" }, { "advisory": "Choochoo 0.40.0 updates its NPM dependency 'lodash' to 4.17.21 to include security fixes.", "cve": "CVE-2020-28500", "id": "pyup.io-49116", "more_info_path": 
"/vulnerabilities/CVE-2020-28500/49116", "specs": [ "<0.40.0" ], "v": "<0.40.0" } ], "chuanhuchatgpt": [ { "advisory": "Chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its '/upload' endpoint. Specifically, the 'handle_file_upload' function does not sanitize or validate the file extension or content type of uploaded files, allowing attackers to upload files with arbitrary extensions, including HTML files containing XSS payloads and Python files. This vulnerability could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application. The PyPI package is a fork of the vulnerable package GaiZhenbiao/ChuanhuChatGPT.", "cve": "CVE-2024-5278", "id": "pyup.io-71785", "more_info_path": "/vulnerabilities/CVE-2024-5278/71785", "specs": [ "<=3.2.5" ], "v": "<=3.2.5" }, { "advisory": "A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system. 
The PyPI package is a fork of the vulnerable package GaiZhenbiao/ChuanhuChatGPT.", "cve": "CVE-2024-5124", "id": "pyup.io-71784", "more_info_path": "/vulnerabilities/CVE-2024-5124/71784", "specs": [ "<=3.2.5" ], "v": "<=3.2.5" } ], "cif2cell": [ { "advisory": "Cif2cell 1.0.12 includes a fix for a code injection vulnerability related to vectors/matrices input from the command line.\r\nhttps://github.com/torbjornbjorkman/cif2cell/commit/53341d96b7967358799f6955643bd3683dbbad9e", "cve": "PVE-2023-61608", "id": "pyup.io-61608", "more_info_path": "/vulnerabilities/PVE-2023-61608/61608", "specs": [ "<1.0.12" ], "v": "<1.0.12" } ], "ciftify": [ { "advisory": "Ciftify 2.3.3 includes a security patch for the function '__read_settings' in 'ciftify/utils.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/edickie/ciftify/commit/7ac66dc2efc78bae272a0e1e713c81756f780969#diff-d55ace9e33dabdeba89768d93ae8fe97cf6d2ba4936fc5ab472b7bf749270b63", "cve": "CVE-2017-18342", "id": "pyup.io-41312", "more_info_path": "/vulnerabilities/CVE-2017-18342/41312", "specs": [ "<2.3.3" ], "v": "<2.3.3" } ], "cinder": [ { "advisory": "Cinder versions 14.1.0, 15.2.0 and 16.1.0 include a fix for CVE-2020-10755: An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the 'connection_info' element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. 
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API.\r\nhttps://wiki.openstack.org/wiki/OSSN/OSSN-0086", "cve": "CVE-2020-10755", "id": "pyup.io-38408", "more_info_path": "/vulnerabilities/CVE-2020-10755/38408", "specs": [ "<14.1.0", ">=15.0.0.0rc1,<15.2.0", ">=16.0.0.0b1,<16.1.0" ], "v": "<14.1.0,>=15.0.0.0rc1,<15.2.0,>=16.0.0.0b1,<16.1.0" }, { "advisory": "Cinder 19.1.2, 20.0.2 and 21.0.0 include a fix for CVE-2022-47951: An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.\r\nhttps://security.openstack.org/ossa/OSSA-2023-002.html", "cve": "CVE-2022-47951", "id": "pyup.io-52929", "more_info_path": "/vulnerabilities/CVE-2022-47951/52929", "specs": [ "<19.1.2", ">=20.0.0.0rc1,<20.0.2", ">=21.0.0.0rc1,<21.0.0" ], "v": "<19.1.2,>=20.0.0.0rc1,<20.0.2,>=21.0.0.0rc1,<21.0.0" }, { "advisory": "A security flaw in affected versions of OpenStack Cinder allows arbitrary file access via custom QCOW2 external data. An authenticated user can supply a crafted QCOW2 image that references a specific data file path, convincing systems to return a copy of that file's contents from the server. 
This results in unauthorized access to potentially sensitive data.", "cve": "CVE-2024-32498", "id": "pyup.io-72147", "more_info_path": "/vulnerabilities/CVE-2024-32498/72147", "specs": [ "<25.0.0.0rc1" ], "v": "<25.0.0.0rc1" }, { "advisory": "The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.", "cve": "CVE-2015-5162", "id": "pyup.io-35629", "more_info_path": "/vulnerabilities/CVE-2015-5162/35629", "specs": [ "<7.0.2", ">=8.0.0,<8.1.1" ], "v": "<7.0.2,>=8.0.0,<8.1.1" }, { "advisory": "OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.", "cve": "CVE-2015-1851", "id": "pyup.io-70457", "more_info_path": "/vulnerabilities/CVE-2015-1851/70457", "specs": [ ">2010,<2015.1.1" ], "v": ">2010,<2015.1.1" }, { "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.", "cve": "CVE-2013-1068", "id": "pyup.io-25651", "more_info_path": "/vulnerabilities/CVE-2013-1068/25651", "specs": [ ">=2000,<2013.2.3" ], "v": ">=2000,<2013.2.3" }, { "advisory": "The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.", "cve": 
"CVE-2014-3641", "id": "pyup.io-35566", "more_info_path": "/vulnerabilities/CVE-2014-3641/35566", "specs": [ ">=2010,<2014.1.3" ], "v": ">=2010,<2014.1.3" }, { "advisory": "The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.", "cve": "CVE-2013-4183", "id": "pyup.io-68017", "more_info_path": "/vulnerabilities/CVE-2013-4183/68017", "specs": [ ">=2012,<2013.1.3" ], "v": ">=2012,<2013.1.3" }, { "advisory": "The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.", "cve": "CVE-2013-4202", "id": "pyup.io-68019", "more_info_path": "/vulnerabilities/CVE-2013-4202/68019", "specs": [ ">=2012,<=2013.1.3" ], "v": ">=2012,<=2013.1.3" }, { "advisory": "The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.", "cve": "CVE-2014-7230", "id": "pyup.io-70424", "more_info_path": "/vulnerabilities/CVE-2014-7230/70424", "specs": [ ">=2013.2,<2013.2.4", ">=2014.1,<2014.1.3" ], "v": ">=2013.2,<2013.2.4,>=2014.1,<2014.1.3" }, { "advisory": "The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.", "cve": "CVE-2014-7231", "id": "pyup.io-70430", "more_info_path": "/vulnerabilities/CVE-2014-7231/70430", "specs": [ ">=2013.2,<2013.2.4", 
">=2014.1,<2014.1.3" ], "v": ">=2013.2,<2013.2.4,>=2014.1,<2014.1.3" }, { "advisory": "Cinder 22.1.0, 21.3.0 and 20.3.0 include a fix for CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.\r\nhttps://opendev.org/openstack/cinder/commit/68fdc323369943f494541a3510e71290b091359f\r\nhttps://bugs.launchpad.net/nova/+bug/2004555", "cve": "CVE-2023-2088", "id": "pyup.io-58700", "more_info_path": "/vulnerabilities/CVE-2023-2088/58700", "specs": [ ">=22.0.0.0rc1,<22.1.0", ">=21.0.0.0rc2,<21.3.0", "<20.3.0" ], "v": ">=22.0.0.0rc1,<22.1.0,>=21.0.0.0rc2,<21.3.0,<20.3.0" } ], "cipher-googlepam": [ { "advisory": "Cipher.googlepam 1.5.1 does not use the same cache key for all users. Previously, when one user logged in successfully, others could not log in using their own passwords -- but the first user could use its password to log in as anyone else.", "cve": "PVE-2021-25652", "id": "pyup.io-25652", "more_info_path": "/vulnerabilities/PVE-2021-25652/25652", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "cipherbcrypt": [ { "advisory": "Malicious package. Exfiltrated secrets to a target server.", "cve": "PVE-2024-72112", "id": "pyup.io-72112", "more_info_path": "/vulnerabilities/PVE-2024-72112/72112", "specs": [ ">=0" ], "v": ">=0" } ], "circuit-maintenance-parser": [ { "advisory": "Circuit-maintenance-parser 1.1.0 updates the 'Pydantic' dependency version to v1.8.2 to include a security fix.", "cve": "CVE-2021-29510", "id": "pyup.io-41103", "more_info_path": "/vulnerabilities/CVE-2021-29510/41103", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "circuitbreaker": [ { "advisory": "Circuitbreaker 1.4.0 starts using a monotonic clock source. 
Using the wall clock to measure duration is vulnerable to changes in the system clock causing misbehavior - a clock accidentally set far in the future and later reset could result in the circuit breaker remaining open for a great deal longer than expected.\r\nhttps://github.com/fabfuel/circuitbreaker/commit/094946f2b1232ec2dcf1685fd84f87927791fa4a", "cve": "PVE-2022-50117", "id": "pyup.io-50117", "more_info_path": "/vulnerabilities/PVE-2022-50117/50117", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "circup": [ { "advisory": "Circup 0.0.6 includes an unspecified security fix.", "cve": "PVE-2021-37936", "id": "pyup.io-37936", "more_info_path": "/vulnerabilities/PVE-2021-37936/37936", "specs": [ "<0.0.6" ], "v": "<0.0.6" } ], "cisco-sdwan": [ { "advisory": "A vulnerability in the CLI of Cisco SDWAN vManage Software could allow an authenticated, local attacker to delete arbitrary files. This vulnerability is due to improper filtering of directory traversal character sequences within system commands. An attacker with administrative privileges could exploit this vulnerability by running a system command containing directory traversal character sequences to target an arbitrary file. 
A successful exploit could allow the attacker to delete arbitrary files from the system, including files owned by root.", "cve": "CVE-2023-20098", "id": "pyup.io-62884", "more_info_path": "/vulnerabilities/CVE-2023-20098/62884", "specs": [ "<20.9.1" ], "v": "<20.9.1" } ], "ciscosupportsdk": [ { "advisory": "Ciscosupportsdk 0.2.1 updates its dependency 'authlib' to versions \"^1.2.1\" to include a security fixes.", "cve": "CVE-2022-39174", "id": "pyup.io-61453", "more_info_path": "/vulnerabilities/CVE-2022-39174/61453", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Ciscosupportsdk 0.2.1 updates its dependency 'authlib' to versions \"^1.2.1\" to include a security fixes.", "cve": "CVE-2022-39175", "id": "pyup.io-61470", "more_info_path": "/vulnerabilities/CVE-2022-39175/61470", "specs": [ "<0.2.1" ], "v": "<0.2.1" } ], "citation-graph": [ { "advisory": "Citation-graph 1.2.5 removes its dependency 'setuptools' to avoid a vulnerability.", "cve": "CVE-2022-40897", "id": "pyup.io-52763", "more_info_path": "/vulnerabilities/CVE-2022-40897/52763", "specs": [ "<1.2.5" ], "v": "<1.2.5" }, { "advisory": "Citation-graph 1.2.7 updates its dependency 'ipython' to v8.11.0 to include a security fix.", "cve": "CVE-2023-24816", "id": "pyup.io-53606", "more_info_path": "/vulnerabilities/CVE-2023-24816/53606", "specs": [ "<1.2.7" ], "v": "<1.2.7" } ], "citrine": [ { "advisory": "Citrine 0.115.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/CitrineInformatics/citrine-python/pull/571", "cve": "PVE-2023-59618", "id": "pyup.io-59618", "more_info_path": "/vulnerabilities/PVE-2023-59618/59618", "specs": [ "<0.115.0" ], "v": "<0.115.0" }, { "advisory": "Citrine 2.37.1 updates its dependency 'urllib3' to include a security fix.", "cve": "CVE-2023-45803", "id": "pyup.io-62129", "more_info_path": "/vulnerabilities/CVE-2023-45803/62129", "specs": [ "<2.37.1" ], "v": "<2.37.1" } ], "civis": [ { "advisory": "Dwave-cloud-client version 0.12.0 increases the 
minimum required version of requests to 2.32.3 due to a security vulnerability in versions below 2.32.0, identified as CVE-2024-35195.", "cve": "CVE-2024-35195", "id": "pyup.io-71529", "more_info_path": "/vulnerabilities/CVE-2024-35195/71529", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "ck": [ { "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).\r\nhttps://github.com/mlcommons/ck/commit/ac16bf54a03c1d13832f9bbef9c3cf1039583f28", "cve": "PVE-2021-40221", "id": "pyup.io-40221", "more_info_path": "/vulnerabilities/PVE-2021-40221/40221", "specs": [ "<1.7.1" ], "v": "<1.7.1" } ], "ckan": [ { "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", "cve": "PVE-2021-34556", "id": "pyup.io-34556", "more_info_path": "/vulnerabilities/PVE-2021-34556/34556", "specs": [ "<1.5.1" ], "v": "<1.5.1" }, { "advisory": "Ckan 1.8.1 fixes a possible XSS vulnerability on html input.\r\nhttps://github.com/ckan/ckan/pull/703", "cve": "PVE-2021-34558", "id": "pyup.io-34558", "more_info_path": "/vulnerabilities/PVE-2021-34558/34558", "specs": [ "<1.8.1" ], "v": "<1.8.1" }, { "advisory": "Several CKAN plugins, including XLoader, DataPusher, Resource Proxy, and ckanext-archiver, are vulnerable to SSRF attacks due to a lack of URL validation. Malicious users can exploit these plugins by creating resources with URLs that access unauthorized locations. To mitigate this, users should use an HTTP proxy, implement firewall rules, or apply custom URL validators. The latest plugin versions support the ckan.download_proxy setting.", "cve": "CVE-2024-43371", "id": "pyup.io-72975", "more_info_path": "/vulnerabilities/CVE-2024-43371/72975", "specs": [ "<2.10.5" ], "v": "<2.10.5" }, { "advisory": "CKAN affected versions may expose sensitive information, including internal Solr URLs and potential credentials, in error messages when connection issues occur with the Solr server. 
This vulnerability arises during package_search API calls, where an unsuccessful connection to Solr could result in the leaking of internal configuration details as part of the returned error message.", "cve": "CVE-2024-41674", "id": "pyup.io-72977", "more_info_path": "/vulnerabilities/CVE-2024-41674/72977", "specs": [ "<2.10.5" ], "v": "<2.10.5" }, { "advisory": "Ckan 2.6.9, 2.7.7 and 2.8.4 fix a code injection issue in the autocomplete module. \r\nhttps://github.com/ckan/ckan/pull/5064", "cve": "PVE-2021-39613", "id": "pyup.io-39613", "more_info_path": "/vulnerabilities/PVE-2021-39613/39613", "specs": [ "<2.6.9", ">=2.7.0,<2.7.7", ">=2.8.0,<2.8.4" ], "v": "<2.6.9,>=2.7.0,<2.7.7,>=2.8.0,<2.8.4" }, { "advisory": "CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images).", "cve": "CVE-2023-22746", "id": "pyup.io-62888", "more_info_path": "/vulnerabilities/CVE-2023-22746/62888", "specs": [ "<2.8.12", ">=2.9.0,<2.9.7" ], "v": "<2.8.12,>=2.9.0,<2.9.7" }, { "advisory": "A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. Users are advised to upgrade. 
Users unable to upgrade should override the `/user/reset` endpoint to filter the `id` parameter in order to exclude new lines.", "cve": "CVE-2024-27097", "id": "pyup.io-71909", "more_info_path": "/vulnerabilities/CVE-2024-27097/71909", "specs": [ "<2.9.11", ">=2.10.0,<2.10.4" ], "v": "<2.9.11,>=2.10.0,<2.10.4" }, { "advisory": "CKAN is an open-source data management system for powering data hubs and data portals. Prior to versions 2.9.9 and 2.10.1, the `ckan` user (equivalent to www-data) owned code and configuration files in the docker container and the `ckan` user had the permissions to use sudo. These issues allowed for code execution or privilege escalation if an arbitrary file write bug was available. Versions 2.9.9, 2.9.9-dev, 2.10.1, and 2.10.1-dev contain a patch.", "cve": "CVE-2023-32696", "id": "pyup.io-64195", "more_info_path": "/vulnerabilities/CVE-2023-32696/64195", "specs": [ "<2.9.9", "==2.10.0" ], "v": "<2.9.9,==2.10.0" }, { "advisory": "CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. 
A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1. Users are advised to upgrade. There are no known workarounds for these issues.", "cve": "CVE-2023-32321", "id": "pyup.io-64193", "more_info_path": "/vulnerabilities/CVE-2023-32321/64193", "specs": [ "==2.10.0", ">=2.9.0,<2.9.9" ], "v": "==2.10.0,>=2.9.0,<2.9.9" }, { "advisory": "CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.", "cve": "CVE-2022-43685", "id": "pyup.io-54589", "more_info_path": "/vulnerabilities/CVE-2022-43685/54589", "specs": [ ">=0,<2.9.7" ], "v": ">=0,<2.9.7" }, { "advisory": "CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker need to have permissions to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10.", "cve": "CVE-2023-50248", "id": "pyup.io-65383", "more_info_path": "/vulnerabilities/CVE-2023-50248/65383", "specs": [ ">=2.0,<2.9.10", ">=2.10.0,<2.10.3" ], "v": ">=2.0,<2.9.10,>=2.10.0,<2.10.3" }, { "advisory": "CKAN's datatables_view plugin affected versions are vulnerable to a Cross-Site Scripting (XSS) attack due to improper escaping of record data from the DataStore, allowing attackers to inject malicious scripts into tabular data previews. 
This issue was addressed by implementing proper HTML escaping of data within the plugin, ensuring that any potentially harmful content is neutralized before being rendered in the browser. As a precaution, administrators should prevent importing tabular files from untrusted sources until they have applied the patch.", "cve": "CVE-2024-41675", "id": "pyup.io-72976", "more_info_path": "/vulnerabilities/CVE-2024-41675/72976", "specs": [ ">=2.7.0,<2.10.5" ], "v": ">=2.7.0,<2.10.5" }, { "advisory": "In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users\u2019 profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim\u2019s browser when they open the malicious profile picture", "cve": "CVE-2021-25967", "id": "pyup.io-54196", "more_info_path": "/vulnerabilities/CVE-2021-25967/54196", "specs": [ ">=2.9.0,<2.9.4" ], "v": ">=2.9.0,<2.9.4" } ], "ckanext-dataset-reference": [ { "advisory": "Ckanext-dataset-reference 2.0.2 protects against XSS attacks.\r\nhttps://github.com/TIBHannover/ckanext-Dataset-Reference/commit/ea7abc28f90991cc73becd8e67d0621f62979d6a", "cve": "PVE-2022-49237", "id": "pyup.io-49237", "more_info_path": "/vulnerabilities/PVE-2022-49237/49237", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "ckuehl-celery": [ { "advisory": "Ckuehl-celery 4.0.2.post1 (fork of Celery) is affected by CVE-2021-23727.", "cve": "CVE-2021-23727", "id": "pyup.io-47079", "more_info_path": "/vulnerabilities/CVE-2021-23727/47079", "specs": [ "==4.0.2.post1" ], "v": "==4.0.2.post1" } ], "clam": [ { "advisory": "Clam 0.9.10 protects against a code injection vulnerability.\r\nhttps://github.com/proycon/clam/commit/f89ba22a3b74f0b86ce9d8190ce28b6da7331813", "cve": "PVE-2021-25653", "id": "pyup.io-25653", "more_info_path": "/vulnerabilities/PVE-2021-25653/25653", "specs": [ "<0.9.10" ], "v": "<0.9.10" }, { "advisory": "Clam 0.9.11 fixes a RCE 
vulnerability in its dispatcher.\r\nhttps://github.com/proycon/clam/commit/f89ba22a3b74f0b86ce9d8190ce28b6da7331813", "cve": "PVE-2021-25654", "id": "pyup.io-25654", "more_info_path": "/vulnerabilities/PVE-2021-25654/25654", "specs": [ "<0.9.11" ], "v": "<0.9.11" } ], "clara-viz": [ { "advisory": "Clara-viz 0.1.4 updates Jupyter widget Java code packages to fix vulnerabilities. This is stated by its changelog, but no changes in code were found.", "cve": "PVE-2022-45107", "id": "pyup.io-45107", "more_info_path": "/vulnerabilities/PVE-2022-45107/45107", "specs": [ "<0.1.4" ], "v": "<0.1.4" }, { "advisory": "Clara-viz 0.2.0 changes Jupyter widget Java code to fix vulnerabilities.", "cve": "PVE-2022-47823", "id": "pyup.io-47823", "more_info_path": "/vulnerabilities/PVE-2022-47823/47823", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "Clara-viz 0.2.2 avoids using unsafe unencrypted HTTP connections on widgets.\r\nhttps://github.com/NVIDIA/clara-viz/commit/d7f2731105c040b590f5d90736db1d61c63e416b", "cve": "PVE-2022-51460", "id": "pyup.io-51460", "more_info_path": "/vulnerabilities/PVE-2022-51460/51460", "specs": [ "<0.2.2" ], "v": "<0.2.2" }, { "advisory": "Clara-viz 0.3.0 updates Jupyter widget Java code packages to include a security fix.\r\nhttps://github.com/NVIDIA/clara-viz/pull/27", "cve": "CVE-2022-46175", "id": "pyup.io-59150", "more_info_path": "/vulnerabilities/CVE-2022-46175/59150", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "claudesync": [ { "advisory": "ClaudeSync addresses the cleartext storage of sensitive session keys. Affected versions stored session keys in plaintext, exposing them to potential unauthorized access. The fix introduced encryption for session keys using the user's SSH key, significantly enhancing the security of stored credentials. 
This change mitigates the risk of unauthorized access to user accounts in case of local system breaches.", "cve": "PVE-2024-73213", "id": "pyup.io-73213", "more_info_path": "/vulnerabilities/PVE-2024-73213/73213", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "cleanlab": [ { "advisory": "Cleanlab project affected versions contain a security vulnerability in the deserialization process. When loading a data directory, a maliciously crafted datalab.pkl file can execute arbitrary code on the user's system. This vulnerability stems from the use of the pickle module for deserialization without proper safeguards. Attackers can exploit this flaw to compromise systems, potentially leading to data theft, system manipulation, or further malware deployment. Users should exercise extreme caution when loading data from untrusted sources, and consider updating to a patched version if available.", "cve": "CVE-2024-45857", "id": "pyup.io-73323", "more_info_path": "/vulnerabilities/CVE-2024-45857/73323", "specs": [ ">=2.4.0" ], "v": ">=2.4.0" } ], "clearml": [ { "advisory": "Clearml 0.17.5rc3 fixes unsafe call to set_active().\r\nhttps://github.com/allegroai/clearml/commit/b0000df575e830a81674f4e5cf3d89cf6d6441b4", "cve": "PVE-2022-49701", "id": "pyup.io-49701", "more_info_path": "/vulnerabilities/PVE-2022-49701/49701", "specs": [ "<0.17.5rc3" ], "v": "<0.17.5rc3" }, { "advisory": "Clearml 1.0.6rc2 fixes unsafe Google Storage delete object.\r\nhttps://github.com/allegroai/clearml/commit/6e15349b7627bee3847a39e5bdce8c988e39cb38", "cve": "PVE-2022-49700", "id": "pyup.io-49700", "more_info_path": "/vulnerabilities/PVE-2022-49700/49700", "specs": [ "<1.0.6rc2" ], "v": "<1.0.6rc2" }, { "advisory": "A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the api server component of Allegro AI\u2019s ClearML platform allows a remote attacker to impersonate a user by sending API requests via maliciously crafted html. 
Exploitation of the vulnerability allows an attacker to compromise confidential workspaces and files, leak sensitive information, and target instances of the ClearML platform within closed-off networks.", "cve": "CVE-2024-24593", "id": "pyup.io-66780", "more_info_path": "/vulnerabilities/CVE-2024-24593/66780", "specs": [ "<1.14.1" ], "v": "<1.14.1" }, { "advisory": "Clearml 1.4.2rc0 updates its dependency 'pyjwt' requirement to versions '>=2.4.0,<2.5.0' to include a security fix.", "cve": "CVE-2022-29217", "id": "pyup.io-49693", "more_info_path": "/vulnerabilities/CVE-2022-29217/49693", "specs": [ "<1.4.2rc0" ], "v": "<1.4.2rc0" }, { "advisory": "Allegro AI\u2019s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords.", "cve": "CVE-2024-24595", "id": "pyup.io-66778", "more_info_path": "/vulnerabilities/CVE-2024-24595/66778", "specs": [ "<=1.14.2" ], "v": "<=1.14.2" }, { "advisory": "Lack of authentication in all versions of the fileserver component of Allegro AI\u2019s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.", "cve": "CVE-2024-24592", "id": "pyup.io-66781", "more_info_path": "/vulnerabilities/CVE-2024-24592/66781", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI\u2019s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.", "cve": "CVE-2024-24594", "id": "pyup.io-66779", "more_info_path": "/vulnerabilities/CVE-2024-24594/66779", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "Clearml version 1.14.3 introduces a hash check for pickle files to tackle CVE-2024-24590. 
This vulnerability allowed the deserialization of untrusted data in ClearML versions 0.17.0 and newer, potentially enabling the execution of arbitrary code through maliciously uploaded artifacts.\r\nhttps://github.com/allegroai/clearml/commit/e506831599bd8e072e5e54266abfccdfbe4be2ac", "cve": "CVE-2024-24590", "id": "pyup.io-65114", "more_info_path": "/vulnerabilities/CVE-2024-24590/65114", "specs": [ ">=0.17.0,<1.14.3" ], "v": ">=0.17.0,<1.14.3" }, { "advisory": "Clearml 1.14.2 fixes potential path traversal on file download.\r\nhttps://github.com/allegroai/clearml/commit/831c1394da0d99cc65b0fe060a6dfff13816efab", "cve": "CVE-2024-24591", "id": "pyup.io-65006", "more_info_path": "/vulnerabilities/CVE-2024-24591/65006", "specs": [ ">=1.4.0,<1.14.1" ], "v": ">=1.4.0,<1.14.1" } ], "clearml-agent": [ { "advisory": "Clearml-agent 1.3.0 updates its dependency 'pyjwt' requirement to '>=2.4.0,<2.5.0' to include a security fix.", "cve": "CVE-2022-29217", "id": "pyup.io-49462", "more_info_path": "/vulnerabilities/CVE-2022-29217/49462", "specs": [ "<1.3.0" ], "v": "<1.3.0" } ], "clearml-session": [ { "advisory": "Clearml-session 0.10.0 upgrades the Pillow dependency to versions >=10.0.1 due to vulnerabilities present in earlier versions.\r\nhttps://github.com/allegroai/clearml-session/commit/e6dbd13ca38c58ce2b4057ef8ad2c35cc313eeea", "cve": "PVE-2023-62736", "id": "pyup.io-62736", "more_info_path": "/vulnerabilities/PVE-2023-62736/62736", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Clearml-session version 0.13.0 updates its dependency on clearml to version 1.9 or higher from the previously required minimum of 1.1.5, in response to addressing the security issue identified as CVE-2024-24590.", "cve": "CVE-2024-24590", "id": "pyup.io-65935", "more_info_path": "/vulnerabilities/CVE-2024-24590/65935", "specs": [ "<0.13.0" ], "v": "<0.13.0" } ], "clearsilver": [ { "advisory": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI 
Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.", "cve": "CVE-2011-4357", "id": "pyup.io-25655", "more_info_path": "/vulnerabilities/CVE-2011-4357/25655", "specs": [ "<0.10.5" ], "v": "<0.10.5" } ], "cleo": [ { "advisory": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method\r\nhttps://github.com/python-poetry/cleo/pull/285", "cve": "CVE-2022-42966", "id": "pyup.io-54559", "more_info_path": "/vulnerabilities/CVE-2022-42966/54559", "specs": [ ">=0,<1.0.0" ], "v": ">=0,<1.0.0" } ], "clevercsv": [ { "advisory": "Clevercsv 0.6.2 includes a fix for a potential ReDOS vulnerability.\r\nhttps://github.com/alan-turing-institute/CleverCSV/issues/13", "cve": "PVE-2023-61023", "id": "pyup.io-61023", "more_info_path": "/vulnerabilities/PVE-2023-61023/61023", "specs": [ "<0.6.2" ], "v": "<0.6.2" } ], "cliboa": [ { "advisory": "Cliboa 2.0.0b0 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-42681", "more_info_path": "/vulnerabilities/CVE-2021-33503/42681", "specs": [ "<2.0.0b0" ], "v": "<2.0.0b0" } ], "click": [ { "advisory": "Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.\r\nhttps://github.com/pallets/click/issues/1752", "cve": "PVE-2022-47833", "id": "pyup.io-47833", "more_info_path": "/vulnerabilities/PVE-2022-47833/47833", "specs": [ "<8.0.0" ], "v": "<8.0.0" } ], "clickhouse-driver": [ { "advisory": "clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.", "cve": "CVE-2020-26759", "id": 
"pyup.io-42290", "more_info_path": "/vulnerabilities/CVE-2020-26759/42290", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "clip-retrieval": [ { "advisory": "Clip-retrieval 2.23.1 addresses a race condition that could lead to data corruption and inconsistent states. Previously, multiple instances of the writer function could attempt to create directories simultaneously, potentially causing conflicts and errors. This version resolves this by replacing 'mkdir' with 'makedirs', which ensures all intermediate directories are created. It also introduces a check to verify the existence of a 'work in progress' file before creation, thereby preventing race conditions.\r\nhttps://github.com/rom1504/clip-retrieval/pull/112", "cve": "PVE-2024-63278", "id": "pyup.io-63278", "more_info_path": "/vulnerabilities/PVE-2024-63278/63278", "specs": [ "<2.23.1" ], "v": "<2.23.1" } ], "clipster-desktop": [ { "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. \r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. 
Instead password hash is used.", "cve": "PVE-2021-39388", "id": "pyup.io-39388", "more_info_path": "/vulnerabilities/PVE-2021-39388/39388", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "cliquery": [ { "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.", "cve": "CVE-2021-28957", "id": "pyup.io-40090", "more_info_path": "/vulnerabilities/CVE-2021-28957/40090", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Cliquery 1.10.1 updates its dependency 'lxml' to v4.6.5 to include a security fix.", "cve": "CVE-2021-43818", "id": "pyup.io-45291", "more_info_path": "/vulnerabilities/CVE-2021-43818/45291", "specs": [ "<1.10.1" ], "v": "<1.10.1" }, { "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", "cve": "PVE-2021-39195", "id": "pyup.io-43643", "more_info_path": "/vulnerabilities/PVE-2021-39195/43643", "specs": [ "<1.9.3" ], "v": "<1.9.3" }, { "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2 to include security fixes.", "cve": "CVE-2020-27783", "id": "pyup.io-39423", "more_info_path": "/vulnerabilities/CVE-2020-27783/39423", "specs": [ "<1.9.3" ], "v": "<1.9.3" } ], "cloorama": [ { "advisory": "Cloorama is a malicious package. It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51737", "id": "pyup.io-51737", "more_info_path": "/vulnerabilities/PVE-2022-51737/51737", "specs": [ ">0" ], "v": ">0" } ], "cloudlabeling": [ { "advisory": "The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. 
This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-32999", "id": "pyup.io-62690", "more_info_path": "/vulnerabilities/CVE-2022-32999/62690", "specs": [ "==0.0.1" ], "v": "==0.0.1" } ], "cloudtoken": [ { "advisory": "Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles.", "cve": "CVE-2018-13390", "id": "pyup.io-54005", "more_info_path": "/vulnerabilities/CVE-2018-13390/54005", "specs": [ ">=0.1.1,<0.1.24" ], "v": ">=0.1.1,<0.1.24" } ], "cloudvision": [ { "advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.", "cve": "CVE-2023-3446", "id": "pyup.io-61131", "more_info_path": "/vulnerabilities/CVE-2023-3446/61131", "specs": [ "<1.13.0" ], "v": "<1.13.0" }, { "advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.", "cve": "CVE-2023-3817", "id": "pyup.io-61129", "more_info_path": "/vulnerabilities/CVE-2023-3817/61129", "specs": [ "<1.13.0" ], "v": "<1.13.0" }, { "advisory": "Cloudvision 1.13.0 updates 'cryptography' minimum version to v41.0.3 to include security fixes in bundled OpenSSL.", "cve": "CVE-2023-2975", "id": "pyup.io-61130", "more_info_path": "/vulnerabilities/CVE-2023-2975/61130", "specs": [ "<1.13.0" ], "v": "<1.13.0" }, { "advisory": "Cloudvision version 1.19.0 has upgraded its cryptography library to version 42.0.4. 
This update addresses the security vulnerability identified as CVE-2024-26130.", "cve": "CVE-2024-26130", "id": "pyup.io-66933", "more_info_path": "/vulnerabilities/CVE-2024-26130/66933", "specs": [ "<1.19.0" ], "v": "<1.19.0" }, { "advisory": "Cloudvision 1.8.0 updates its dependency 'wheel' to v0.38.4 to include a security fix.", "cve": "CVE-2022-40898", "id": "pyup.io-53080", "more_info_path": "/vulnerabilities/CVE-2022-40898/53080", "specs": [ "<1.8.0" ], "v": "<1.8.0" } ], "cloudwatch-to-graphite": [ { "advisory": "Cloudwatch-To-Graphite 0.11.0 includes a security patch for the function 'get_config' in 'leadbutt.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/crccheck/cloudwatch-to-graphite/commit/5875100c54a54a9c90cf2fe782cc3df147d32053#diff-ddb0922eafb2fa54199e50bb13de6178b1755e780387144df032f9e26512f15e", "cve": "CVE-2017-18342", "id": "pyup.io-41313", "more_info_path": "/vulnerabilities/CVE-2017-18342/41313", "specs": [ "<0.11.0" ], "v": "<0.11.0" } ], "cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt": [ { "advisory": "Cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt 0.1.11 updates NPM dependencies to include security fixes.\r\nhttps://github.com/cloudy-with-a-chance-of-meatballs/cdk-lambda-token-authorizer-jwt/pull/154", "cve": "PVE-2023-53078", "id": "pyup.io-53078", "more_info_path": "/vulnerabilities/PVE-2023-53078/53078", "specs": [ "<0.1.11" ], "v": "<0.1.11" }, { "advisory": "Cloudy-with-a-chance-of-meatballs.cdk-lambda-token-authorizer-jwt 0.1.12 requires the NPM dependency \"json5\": \"^2.2.2\" to include a security fix.", "cve": "CVE-2022-46175", "id": "pyup.io-53287", "more_info_path": "/vulnerabilities/CVE-2022-46175/53287", "specs": [ "<0.1.12" ], "v": "<0.1.12" } ], "cloverly-python-module": [ { "advisory": "Cloverly-python-module 0.2.0 adds a clear session function for security purposes.", "cve": "PVE-2021-41085", "id": 
"pyup.io-41085", "more_info_path": "/vulnerabilities/PVE-2021-41085/41085", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "cls-python": [ { "advisory": "Cls-python 0.1.4 updates its dependency 'wheel' to v0.38.1 to include a security fix.", "cve": "CVE-2022-40898", "id": "pyup.io-53365", "more_info_path": "/vulnerabilities/CVE-2022-40898/53365", "specs": [ "<0.1.4" ], "v": "<0.1.4" } ], "cmdlr": [ { "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`", "cve": "PVE-2021-36854", "id": "pyup.io-36854", "more_info_path": "/vulnerabilities/PVE-2021-36854/36854", "specs": [ "<4.1.0" ], "v": "<4.1.0" } ], "cmsis-pack-manager": [ { "advisory": "Cmsis-pack-manager 0.5.1 updates its RUST dependency 'time' to v0.3.17 to include a security fix.", "cve": "CVE-2020-26235", "id": "pyup.io-52547", "more_info_path": "/vulnerabilities/CVE-2020-26235/52547", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "cmsplugin-filer": [ { "advisory": "Cmsplugin-filer 0.10.2 includes a fix for a XSS vulnerability in 'firstof' in folder template. 
Users with Django>1.7 aren't affected.\r\nhttps://github.com/divio/cmsplugin-filer/pull/185", "cve": "PVE-2021-25656", "id": "pyup.io-25656", "more_info_path": "/vulnerabilities/PVE-2021-25656/25656", "specs": [ "<0.10.2" ], "v": "<0.10.2" } ], "cnx-publishing": [ { "advisory": "Cnx-publishing 0.17.6 updates its dependency 'urllib3' to v1.25.8 to include a security fix.", "cve": "CVE-2020-7212", "id": "pyup.io-38128", "more_info_path": "/vulnerabilities/CVE-2020-7212/38128", "specs": [ "<0.17.6" ], "v": "<0.17.6" } ], "coapthon": [ { "advisory": "The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.", "cve": "CVE-2018-12680", "id": "pyup.io-42251", "more_info_path": "/vulnerabilities/CVE-2018-12680/42251", "specs": [ "==3.1", "==4.0.0", "==4.0.1", "==4.0.2" ], "v": "==3.1,==4.0.0,==4.0.1,==4.0.2" } ], "coapthon3": [ { "advisory": "The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages.", "cve": "CVE-2018-12679", "id": "pyup.io-53999", "more_info_path": "/vulnerabilities/CVE-2018-12679/53999", "specs": [ "<=1.0.1" ], "v": "<=1.0.1" } ], "cobbler": [ { "advisory": "The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.", "cve": "CVE-2008-6954", "id": "pyup.io-61200", "more_info_path": "/vulnerabilities/CVE-2008-6954/61200", "specs": [ "<1.2.9" ], "v": "<1.2.9" }, { "advisory": "Cobbler before 1.6.1 does not properly 
determine whether an installation has the default password, which makes it easier for attackers to obtain access by using this password.", "cve": "CVE-2009-5021", "id": "pyup.io-61243", "more_info_path": "/vulnerabilities/CVE-2009-5021/61243", "specs": [ "<1.6.1" ], "v": "<1.6.1" }, { "advisory": "Cobbler before 2.0.4 uses an incorrect umask value, which allows local users to have an unspecified impact by leveraging world writable permissions for files and directories.", "cve": "CVE-2010-4512", "id": "pyup.io-61742", "more_info_path": "/vulnerabilities/CVE-2010-4512/61742", "specs": [ "<2.0.4" ], "v": "<2.0.4" }, { "advisory": "Cobbler 2.0.7 includes a fix for CVE-2010-2235: Template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.", "cve": "CVE-2010-2235", "id": "pyup.io-35339", "more_info_path": "/vulnerabilities/CVE-2010-2235/35339", "specs": [ "<2.0.7" ], "v": "<2.0.7" }, { "advisory": "Cobbler v2.1.0 resolves missing CSRF protection in web interface using Django framework.", "cve": "CVE-2011-4952", "id": "pyup.io-62096", "more_info_path": "/vulnerabilities/CVE-2011-4952/62096", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Cobbler 2.6.0 includes a fix for CVE-2011-4954: Cobbler has local privilege escalation via the use of insecure location for PYTHON_EGG_CACHE.\r\nhttps://github.com/cobbler/cobbler/commit/3c97edff9f8453536ae5adfe930a8b084b5e4346", "cve": "CVE-2011-4954", "id": "pyup.io-37739", "more_info_path": "/vulnerabilities/CVE-2011-4954/37739", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { "advisory": "Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older 
versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin. This attack appears to be exploitable via \"network connectivity\". Sending unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler_api).", "cve": "CVE-2018-1000225", "id": "pyup.io-67945", "more_info_path": "/vulnerabilities/CVE-2018-1000225/67945", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Cobbler (verified as present in versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appears to be exploitable via \"network connectivity\". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.", "cve": "CVE-2018-1000226", "id": "pyup.io-65837", "more_info_path": "/vulnerabilities/CVE-2018-1000226/65837", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Cobbler 3.3.0 and 3.2.2 include a fix for CVE-2021-40324: Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.", "cve": "CVE-2021-40324", "id": "pyup.io-45314", "more_info_path": "/vulnerabilities/CVE-2021-40324/45314", "specs": [ "<3.2.2" ], "v": "<3.2.2" }, { "advisory": "Cobbler 3.3.0 and 3.2.2 include a fix for CVE-2021-40323: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.", "cve": "CVE-2021-40323", "id": "pyup.io-45276", "more_info_path": "/vulnerabilities/CVE-2021-40323/45276", "specs": [ "<3.2.2" ], "v": "<3.2.2" }, { "advisory": "Cobbler before 3.3.0 allows authorization bypass for modification of 
settings.\r\nhttps://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a", "cve": "CVE-2021-40325", "id": "pyup.io-45315", "more_info_path": "/vulnerabilities/CVE-2021-40325/45315", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { "advisory": "Cobbler 3.3.0 removes get-loaders code. It is not safe to download bootloaders from unknown sources.\r\nhttps://github.com/cobbler/cobbler/pull/2572", "cve": "PVE-2022-45316", "id": "pyup.io-45316", "more_info_path": "/vulnerabilities/PVE-2022-45316/45316", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { "advisory": "Cobbler 3.3.1 removes the testing module, which was shipping a well-known username and password combination.\r\nhttps://github.com/cobbler/cobbler/pull/2908", "cve": "PVE-2022-45320", "id": "pyup.io-45320", "more_info_path": "/vulnerabilities/PVE-2022-45320/45320", "specs": [ "<3.3.1" ], "v": "<3.3.1" }, { "advisory": "Cobbler 3.3.1 validates the data before logging it to avoid log file pollution.\r\nhttps://github.com/cobbler/cobbler/pull/2911", "cve": "PVE-2022-45319", "id": "pyup.io-45319", "more_info_path": "/vulnerabilities/PVE-2022-45319/45319", "specs": [ "<3.3.1" ], "v": "<3.3.1" }, { "advisory": "Cobbler 3.3.1 includes a fix for CVE-2021-45083: Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.", "cve": "CVE-2021-45083", "id": "pyup.io-45317", "more_info_path": "/vulnerabilities/CVE-2021-45083/45317", "specs": [ "<3.3.1" ], "v": "<3.3.1" }, { "advisory": "Cobbler 3.3.1 stabilizes the MongoDB serializer. In the mongodb serializer class, when the config file is read, there is no sanity check. 
If the file gets somewhat corrupted, it can lead to unexpected behaviour.\r\nhttps://github.com/cobbler/cobbler/pull/2919", "cve": "PVE-2022-45318", "id": "pyup.io-45318", "more_info_path": "/vulnerabilities/PVE-2022-45318/45318", "specs": [ "<3.3.1" ], "v": "<3.3.1" }, { "advisory": "An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the \"#from MODULE import\" substring. (Only lines beginning with #import are blocked.)", "cve": "CVE-2021-45082", "id": "pyup.io-45286", "more_info_path": "/vulnerabilities/CVE-2021-45082/45286", "specs": [ "<3.3.1" ], "v": "<3.3.1" }, { "advisory": "Cobbler 3.3.2 includes a fix for CVE-2022-0860: Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.\r\nhttps://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5", "cve": "CVE-2022-0860", "id": "pyup.io-45820", "more_info_path": "/vulnerabilities/CVE-2022-0860/45820", "specs": [ "<3.3.2" ], "v": "<3.3.2" }, { "advisory": "The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.", "cve": "CVE-2011-4953", "id": "pyup.io-62098", "more_info_path": "/vulnerabilities/CVE-2011-4953/62098", "specs": [ "<=2.2.1" ], "v": "<=2.2.1" }, { "advisory": "Cobbler versions up to 2.8.2 are vulnerable to a command injection vulnerability in the \"add repo\" component resulting in arbitrary code execution as the root user.", "cve": "CVE-2017-1000469", "id": "pyup.io-66896", "more_info_path": "/vulnerabilities/CVE-2017-1000469/66896", "specs": [ "<=2.8.2" ], "v": "<=2.8.2" }, { "advisory": "An issue was discovered in Cobbler through 3.3.1. 
Routines in several files use the HTTP protocol instead of the more secure HTTPS.", "cve": "CVE-2021-45081", "id": "pyup.io-62201", "more_info_path": "/vulnerabilities/CVE-2021-45081/62201", "specs": [ "<=3.3.1" ], "v": "<=3.3.1" }, { "advisory": "A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading to arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.", "cve": "CVE-2016-9605", "id": "pyup.io-65817", "more_info_path": "/vulnerabilities/CVE-2016-9605/65817", "specs": [ "==2.6.11-1" ], "v": "==2.6.11-1" }, { "advisory": "A Command Injection in action_power.py in Cobbler prior to v2.6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.", "cve": "CVE-2012-2395", "id": "pyup.io-54074", "more_info_path": "/vulnerabilities/CVE-2012-2395/54074", "specs": [ ">=0,<2.6.0" ], "v": ">=0,<2.6.0" }, { "advisory": "Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.", "cve": "CVE-2014-3225", "id": "pyup.io-60960", "more_info_path": "/vulnerabilities/CVE-2014-3225/60960", "specs": [ ">=2.4.0,<=2.6.0" ], "v": ">=2.4.0,<=2.6.0" }, { "advisory": "It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. 
A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.", "cve": "CVE-2018-10931", "id": "pyup.io-53996", "more_info_path": "/vulnerabilities/CVE-2018-10931/53996", "specs": [ ">=2.6.0,<3.0.0" ], "v": ">=2.6.0,<3.0.0" } ], "cockroachdb": [ { "advisory": "Cockroachdb 0.3.2 updates 'urllib3' to v1.25.3 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-37264", "more_info_path": "/vulnerabilities/CVE-2019-11324/37264", "specs": [ "<0.3.2" ], "v": "<0.3.2" }, { "advisory": "Cockroachdb 0.3.2 updates 'urllib3' to v1.25.3 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-54885", "more_info_path": "/vulnerabilities/CVE-2019-11236/54885", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "codalab": [ { "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", "cve": "PVE-2021-36386", "id": "pyup.io-36386", "more_info_path": "/vulnerabilities/PVE-2021-36386/36386", "specs": [ "<0.2.33" ], "v": "<0.2.33" }, { "advisory": "Codalab 0.5.12 fixes a vulnerability. No description of the vulnerability was included.", "cve": "PVE-2021-38927", "id": "pyup.io-38927", "more_info_path": "/vulnerabilities/PVE-2021-38927/38927", "specs": [ "<0.5.12" ], "v": "<0.5.12" }, { "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", "cve": "PVE-2021-39434", "id": "pyup.io-39434", "more_info_path": "/vulnerabilities/PVE-2021-39434/39434", "specs": [ "<0.5.33" ], "v": "<0.5.33" } ], "code-snapshot": [ { "advisory": "Code-snapshot 0.2.4 updates its dependency 'requests' minimum requirement to v2.31.0 to include a security fix.", "cve": "CVE-2023-32681", "id": "pyup.io-58812", "more_info_path": "/vulnerabilities/CVE-2023-32681/58812", "specs": [ "<0.2.4" ], "v": "<0.2.4" } ], "codechecker": [ { "advisory": "Codechecker 6.18.2 includes a fix for a XSS vulnerability. 
To solve this problem the server will always return the escaped version of these values which can be safely rendered on the UI.\r\nhttps://github.com/Ericsson/codechecker/pull/3549", "cve": "PVE-2023-59888", "id": "pyup.io-59888", "more_info_path": "/vulnerabilities/PVE-2023-59888/59888", "specs": [ "<6.18.2" ], "v": "<6.18.2" }, { "advisory": "Codechecker 6.2 includes a fix for a SQL Injection vulnerability.\r\nhttps://github.com/Ericsson/codechecker/pull/1066", "cve": "PVE-2023-60698", "id": "pyup.io-60698", "more_info_path": "/vulnerabilities/PVE-2023-60698/60698", "specs": [ "<6.2" ], "v": "<6.2" }, { "advisory": "Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`. The attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. 
This vulnerability has been patched in version 6.23.", "cve": "CVE-2023-49793", "id": "pyup.io-71853", "more_info_path": "/vulnerabilities/CVE-2023-49793/71853", "specs": [ "<6.23.0" ], "v": "<6.23.0" }, { "advisory": "Codechecker 6.24.2 includes a fix for an endpoint parsing issue that led to unauthorized access.", "cve": "PVE-2024-73768", "id": "pyup.io-73768", "more_info_path": "/vulnerabilities/PVE-2024-73768/73768", "specs": [ "<6.24.2" ], "v": "<6.24.2" }, { "advisory": "In Ericsson CodeChecker prior to 6.18.2, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.", "cve": "CVE-2021-44217", "id": "pyup.io-54377", "more_info_path": "/vulnerabilities/CVE-2021-44217/54377", "specs": [ ">=0,<6.18.2" ], "v": ">=0,<6.18.2" } ], "codecov": [ { "advisory": "Codecov 2.0.16 includes a fix for CVE-2019-10800: Remote code execution. The vulnerability exists due to improper sanitization of \"gcov\" arguments before being provided to the \"popen\" method. 
A remote authenticated attacker can execute arbitrary OS commands on the target system.", "cve": "CVE-2019-10800", "id": "pyup.io-37934", "more_info_path": "/vulnerabilities/CVE-2019-10800/37934", "specs": [ "<2.0.16" ], "v": "<2.0.16" }, { "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.\r\nhttps://github.com/codecov/codecov-python/commit/f2c93c7893847e50639416c1bc2e38cb375825d8", "cve": "PVE-2021-38075", "id": "pyup.io-38075", "more_info_path": "/vulnerabilities/PVE-2021-38075/38075", "specs": [ "<2.0.17" ], "v": "<2.0.17" } ], "codeforcesapipy": [ { "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.", "cve": "CVE-2021-28957", "id": "pyup.io-40099", "more_info_path": "/vulnerabilities/CVE-2021-28957/40099", "specs": [ "<2.0.8" ], "v": "<2.0.8" } ], "codeinterpreterapi": [ { "advisory": "Codeinterpreterapi 0.0.14 updates its dependency 'langchain' to include a security fix.", "cve": "PVE-2023-61536", "id": "pyup.io-61748", "more_info_path": "/vulnerabilities/PVE-2023-61536/61748", "specs": [ "<0.0.14" ], "v": "<0.0.14" } ], "coderedcms": [ { "advisory": "views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media.", "cve": "CVE-2021-46897", "id": "pyup.io-65838", "more_info_path": "/vulnerabilities/CVE-2021-46897/65838", "specs": [ "<0.22.3" ], "v": "<0.22.3" } ], "cognitojwt": [ { "advisory": "Cognitojwt version 1.5.0 transitions from the outdated python-jose library, which relied on the ecdsa package containing unresolved vulnerabilities, to the more frequently updated joserfc library.", "cve": "CVE-2024-23342", "id": "pyup.io-68046", "more_info_path": "/vulnerabilities/CVE-2024-23342/68046", "specs": [ "<1.5.0" ], "v": "<1.5.0" } ], "cohen3": [ { "advisory": "Cohen3 version 0.8.3 updates its dependency \"requests\" to include a security fix.", "cve": "CVE-2018-18074", 
"id": "pyup.io-42040", "more_info_path": "/vulnerabilities/CVE-2018-18074/42040", "specs": [ "<0.8.3" ], "v": "<0.8.3" }, { "advisory": "Cohen3 version 0.9.1 updates its dependency \"urlib3\" to v1.24.2 to include a security fix.", "cve": "CVE-2019-11324", "id": "pyup.io-42039", "more_info_path": "/vulnerabilities/CVE-2019-11324/42039", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "coinbasepro": [ { "advisory": "Coinbasepro 0.1.0 updates requests version to >=2.20.0 to address a security vulnerability.", "cve": "CVE-2018-18074", "id": "pyup.io-36975", "more_info_path": "/vulnerabilities/CVE-2018-18074/36975", "specs": [ "<0.1.0" ], "v": "<0.1.0" } ], "coincurve": [ { "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. \r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.", "cve": "PVE-2021-36299", "id": "pyup.io-36299", "more_info_path": "/vulnerabilities/PVE-2021-36299/36299", "specs": [ "<8.0.0" ], "v": "<8.0.0" } ], "colander": [ { "advisory": "In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis. 
See CVE-2017-18361.", "cve": "CVE-2017-18361", "id": "pyup.io-42247", "more_info_path": "/vulnerabilities/CVE-2017-18361/42247", "specs": [ "<=1.6" ], "v": "<=1.6" } ], "coldsweat": [ { "advisory": "Coldsweat 0.10.0 updates its dependency 'requests' to version '2.20.1' to include a security fix.\r\nhttps://github.com/passiomatic/coldsweat/commit/646edf0ef75cf62c7ba009a7ce62b4b8ffae26c3", "cve": "CVE-2014-1830", "id": "pyup.io-59447", "more_info_path": "/vulnerabilities/CVE-2014-1830/59447", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Coldsweat 0.10.0 updates its dependency 'requests' to version '2.20.1' to include a security fix.\r\nhttps://github.com/passiomatic/coldsweat/commit/646edf0ef75cf62c7ba009a7ce62b4b8ffae26c3", "cve": "CVE-2014-1829", "id": "pyup.io-59446", "more_info_path": "/vulnerabilities/CVE-2014-1829/59446", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Coldsweat 0.10.0 updates its dependency 'requests' to version '2.20.1' to include a security fix.\r\nhttps://github.com/passiomatic/coldsweat/commit/646edf0ef75cf62c7ba009a7ce62b4b8ffae26c3", "cve": "CVE-2015-2296", "id": "pyup.io-59448", "more_info_path": "/vulnerabilities/CVE-2015-2296/59448", "specs": [ "<0.10.0" ], "v": "<0.10.0" }, { "advisory": "Coldsweat 0.10.0 updates its dependency 'requests' to version '2.20.1' to include a security fix.\r\nhttps://github.com/passiomatic/coldsweat/commit/646edf0ef75cf62c7ba009a7ce62b4b8ffae26c3", "cve": "CVE-2018-18074", "id": "pyup.io-59432", "more_info_path": "/vulnerabilities/CVE-2018-18074/59432", "specs": [ "<0.10.0" ], "v": "<0.10.0" } ], "collective-contact-core": [ { "advisory": "Collective.contact.core 1.10 fixes a security issue related to AddContact. The vulnerability was found in its dependency Plone CMS. 
See CVE-2016-7138.\r\nhttps://github.com/collective/collective.contact.core/pull/25", "cve": "CVE-2016-7138", "id": "pyup.io-25657", "more_info_path": "/vulnerabilities/CVE-2016-7138/25657", "specs": [ "<1.10" ], "v": "<1.10" }, { "advisory": "collective-contact-core before 1.10", "cve": "PVE-2021-36089", "id": "pyup.io-36089", "more_info_path": "/vulnerabilities/PVE-2021-36089/36089", "specs": [ "<1.10" ], "v": "<1.10" } ], "collective-contact-widget": [ { "advisory": "collective.contact.widget is an add-on that is part of the collective.contact.* suite. A vulnerability classified as problematic was found in collective.contact.widget up to 1.12. This vulnerability affects the function title of the file src/collective/contact/widget/widgets.py. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 5da36305ca7ed433782be8901c47387406fcda12. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216496.", "cve": "CVE-2022-4638", "id": "pyup.io-54608", "more_info_path": "/vulnerabilities/CVE-2022-4638/54608", "specs": [ ">=0,<1.13" ], "v": ">=0,<1.13" } ], "collective-dms-basecontent": [ { "advisory": "A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. 
The attack may be initiated remotely.", "cve": "CVE-2022-4495", "id": "pyup.io-54599", "more_info_path": "/vulnerabilities/CVE-2022-4495/54599", "specs": [ ">=0,<1.7" ], "v": ">=0,<1.7" } ], "collective-documentviewer": [ { "advisory": "Collective.documentviewer 1.5.1 fixes a security issue on file resources permissions.\r\nhttps://github.com/collective/collective.documentviewer/commit/7222b0d30b1976d3f6773553bd6948c39efcbc20", "cve": "PVE-2021-25658", "id": "pyup.io-25658", "more_info_path": "/vulnerabilities/PVE-2021-25658/25658", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "collective-easyform": [ { "advisory": "Collective-easyform version 3.0.5 doesn't resolve entities in the modeleditor and removes processing instructions (commit #254).", "cve": "PVE-2021-41911", "id": "pyup.io-41911", "more_info_path": "/vulnerabilities/PVE-2021-41911/41911", "specs": [ "<3.0.5" ], "v": "<3.0.5" }, { "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. This increases security.\r\nhttps://github.com/collective/collective.easyform/commit/261ea800fbe3bd650a83b1fe7558ba51bd7d0c9e", "cve": "PVE-2021-39144", "id": "pyup.io-39144", "more_info_path": "/vulnerabilities/PVE-2021-39144/39144", "specs": [ "<3.0.5" ], "v": "<3.0.5" } ], "collective-js-datatables": [ { "advisory": "Collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to an XSS vulnerability in 1.10.4.", "cve": "CVE-2015-6384", "id": "pyup.io-25659", "more_info_path": "/vulnerabilities/CVE-2015-6384/25659", "specs": [ "<4.1.1" ], "v": "<4.1.1" }, { "advisory": "An attacker can seize control of a user session by leveraging a Cross-site scripting vulnerability. 
This allows the unauthorized user to modify a legitimate user's password and disrupt their session.", "cve": "PVE-2023-99913", "id": "pyup.io-62008", "more_info_path": "/vulnerabilities/PVE-2023-99913/62008", "specs": [ ">=0.0a" ], "v": ">=0.0a" } ], "collective-noticeboard": [ { "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.", "cve": "PVE-2021-35879", "id": "pyup.io-35879", "more_info_path": "/vulnerabilities/PVE-2021-35879/35879", "specs": [ "<0.7.1" ], "v": "<0.7.1" }, { "advisory": "Collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.", "cve": "PVE-2021-25660", "id": "pyup.io-25660", "more_info_path": "/vulnerabilities/PVE-2021-25660/25660", "specs": [ "<0.7.1" ], "v": "<0.7.1" } ], "collective-portlet-twitter": [ { "advisory": "Collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.\r\nhttps://github.com/collective/collective.portlet.twitter/pull/2", "cve": "PVE-2021-25661", "id": "pyup.io-25661", "more_info_path": "/vulnerabilities/PVE-2021-25661/25661", "specs": [ "<1.0b3" ], "v": "<1.0b3" } ], "collective-tablepage": [ { "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.", "cve": "PVE-2021-25664", "id": "pyup.io-25664", "more_info_path": "/vulnerabilities/PVE-2021-25664/25664", "specs": [ "<0.3" ], "v": "<0.3" } ], "collective-task": [ { "advisory": "Collective-task 3.0.9 includes escaping to fix a XSS vulnerability.\r\nhttps://github.com/collective/collective.task/commit/1aac7f83fa2c2b41d59ba02748912953461f3fac", "cve": "PVE-2022-50678", "id": "pyup.io-50678", "more_info_path": "/vulnerabilities/PVE-2022-50678/50678", "specs": [ "<3.0.9" ], "v": "<3.0.9" }, { "advisory": "A vulnerability was found in collective.task up to 3.0.9. 
It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely.", "cve": "CVE-2022-4527", "id": "pyup.io-54600", "more_info_path": "/vulnerabilities/CVE-2022-4527/54600", "specs": [ ">=0,<3.0.9" ], "v": ">=0,<3.0.9" } ], "collective-xmpp-chat": [ { "advisory": "Collective.xmpp.chat 0.3.1 includes an update in 'converse.js' that fixes a security issue.\r\nhttps://github.com/collective/collective.xmpp.chat/commit/4b6cb3a43158f866d84c4ce803b9016aef81adfe", "cve": "PVE-2021-25666", "id": "pyup.io-25666", "more_info_path": "/vulnerabilities/PVE-2021-25666/25666", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "collective.contact.widget": [ { "advisory": "Collective.contact.widget 1.13 escapes contact title special characters in 'term-contact' viewlet to prevent XSS vulnerabilities.", "cve": "PVE-2022-49566", "id": "pyup.io-49566", "more_info_path": "/vulnerabilities/PVE-2022-49566/49566", "specs": [ "<1.13" ], "v": "<1.13" }, { "advisory": "A vulnerability classified as problematic was found in collective.contact.widget up to 1.12. This vulnerability affects the function title of the file src/collective/contact/widget/widgets.py. The manipulation leads to cross site scripting. The attack can be initiated remotely.", "cve": "CVE-2022-4638", "id": "pyup.io-72004", "more_info_path": "/vulnerabilities/CVE-2022-4638/72004", "specs": [ "<1.13" ], "v": "<1.13" } ], "collective.dms.basecontent": [ { "advisory": "A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent affected versions. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. 
The manipulation leads to cross-site scripting.", "cve": "CVE-2022-4495", "id": "pyup.io-72005", "more_info_path": "/vulnerabilities/CVE-2022-4495/72005", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "Collective.dms.basecontent 1.7 escapes special characters when rendering to avoid potential XSS vulnerabilities.\r\nhttps://github.com/collective/collective.dms.basecontent/commit/6c4d616fcc771822a14ebae5e23f3f6d96d134bd", "cve": "PVE-2022-49567", "id": "pyup.io-49567", "more_info_path": "/vulnerabilities/PVE-2022-49567/49567", "specs": [ "<1.7" ], "v": "<1.7" } ], "collective.documentgenerator": [ { "advisory": "Collective.documentgenerator 3.33 adds character escaping to avoid XSS attacks via 'TemplatesTable'.", "cve": "PVE-2022-49408", "id": "pyup.io-49408", "more_info_path": "/vulnerabilities/PVE-2022-49408/49408", "specs": [ "<3.33" ], "v": "<3.33" } ], "collective.iconifiedcategory": [ { "advisory": "Collective.iconifiedcategory 0.54 applies escaping to avoid code injection vulnerabilities.\r\nhttps://github.com/collective/collective.iconifiedcategory/commit/7bcd148d7649be0e1df82ec75bbc46e2925eba2d", "cve": "PVE-2022-49411", "id": "pyup.io-49411", "more_info_path": "/vulnerabilities/PVE-2022-49411/49411", "specs": [ "<0.54" ], "v": "<0.54" } ], "collective.task": [ { "advisory": "A vulnerability was found in collective.task affected versions. It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross-site scripting. It is possible to initiate the attack remotely.", "cve": "CVE-2022-4527", "id": "pyup.io-72006", "more_info_path": "/vulnerabilities/CVE-2022-4527/72006", "specs": [ "<3.0.9" ], "v": "<3.0.9" } ], "collored": [ { "advisory": "Collored is a malicious package, typosquatting. 
It installs Malware in your system.\r\nhttps://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick", "cve": "PVE-2022-47815", "id": "pyup.io-47815", "more_info_path": "/vulnerabilities/PVE-2022-47815/47815", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "colorsama": [ { "advisory": "Colorsama is a malicious package. It triggers the install of W4SP Stealer in your system.", "cve": "PVE-2022-51685", "id": "pyup.io-51685", "more_info_path": "/vulnerabilities/PVE-2022-51685/51685", "specs": [ ">0" ], "v": ">0" } ], "colorslib": [ { "advisory": "Colorslib is a malicious package. It installs info-stealing Malware.\r\nhttps://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware", "cve": "PVE-2023-52924", "id": "pyup.io-52924", "more_info_path": "/vulnerabilities/PVE-2023-52924/52924", "specs": [ ">0" ], "v": ">0" } ], "colorwin": [ { "advisory": "Colorwin is a malicious package. It triggers the install of W4SP Stealer in your system.", "cve": "PVE-2022-51683", "id": "pyup.io-51683", "more_info_path": "/vulnerabilities/PVE-2022-51683/51683", "specs": [ ">0" ], "v": ">0" } ], "colossalai": [ { "advisory": "Colossalai 0.1.11rc1 addresses security concerns related to subprocess handling. It specifically rectifies insecure subprocess usage by modifying the way subprocesses are invoked, enhancing the security and reliability of the code. This change is crucial for preventing potential vulnerabilities in the application's execution environment.", "cve": "PVE-2024-65063", "id": "pyup.io-65063", "more_info_path": "/vulnerabilities/PVE-2024-65063/65063", "specs": [ "<0.1.11rc1" ], "v": "<0.1.11rc1" } ], "colourama": [ { "advisory": "Colourama is a typosquatting package. 
It shows a malicious behavior, for example, it may leak your sensitive data and/or gain unauthorized persistence in your system.\r\nhttps://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/", "cve": "PVE-2022-45412", "id": "pyup.io-45412", "more_info_path": "/vulnerabilities/PVE-2022-45412/45412", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "commlib-py": [ { "advisory": "Commlib-py 0.11.5 updates its dependency 'certifi' to include a security fix.", "cve": "CVE-2024-39689", "id": "pyup.io-73597", "more_info_path": "/vulnerabilities/CVE-2024-39689/73597", "specs": [ "<0.11.5" ], "v": "<0.11.5" } ], "commondatamodel-objectmodel": [ { "advisory": "Microsoft Common Data Model SDK Denial of Service Vulnerability.", "cve": "CVE-2023-36566", "id": "pyup.io-64990", "more_info_path": "/vulnerabilities/CVE-2023-36566/64990", "specs": [ ">=0,<1.7.4" ], "v": ">=0,<1.7.4" } ], "commonground-api-common": [ { "advisory": "Versions of software utilizing the PyJWT library are susceptible to a theoretical privilege escalation due to a non-exploitable weakness in client-supplied JWT verification. Despite using an explicit allow-list of algorithms preventing the use of invalid ones, a hypothetical scenario was identified where, without such a mechanism, tampered client JWTs could lead to an attacker impersonating any client without detection. The JWT verification issue stems from the handling of the algorithm specified in the JWT header, specifically the use of a string for algorithm names rather than a strict list, potentially allowing any substring matching to pass verification checks. 
However, this vulnerability is considered non-exploitable since PyJWT does not support algorithm substrings that would exploit this issue.", "cve": "PVE-2024-68497", "id": "pyup.io-68497", "more_info_path": "/vulnerabilities/PVE-2024-68497/68497", "specs": [ "<=1.12.1" ], "v": "<=1.12.1" } ], "compas": [ { "advisory": "Compas 1.17.5 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.\r\nhttps://github.com/compas-dev/compas/commit/0d0f9bec24511fe5dbc77ef73ee617dc83b4420e", "cve": "CVE-2007-4559", "id": "pyup.io-61127", "more_info_path": "/vulnerabilities/CVE-2007-4559/61127", "specs": [ "<1.17.5" ], "v": "<1.17.5" } ], "compliance-trestle": [ { "advisory": "Compliance-trestle 0.15.0 updates its dependency 'pydantic' to 1.8.2 for an security issue.", "cve": "CVE-2021-29510", "id": "pyup.io-40566", "more_info_path": "/vulnerabilities/CVE-2021-29510/40566", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Compliance-trestle 0.26.0 removes user names from logs.\r\nhttps://github.com/IBM/compliance-trestle/commit/4d075b89776552a1f58751674e2056ac7afac3cc", "cve": "PVE-2021-42185", "id": "pyup.io-42185", "more_info_path": "/vulnerabilities/PVE-2021-42185/42185", "specs": [ "<0.26.0" ], "v": "<0.26.0" }, { "advisory": "Compliance-trestle 2.4.0 updates its urllib3 dependency to version 1.26.17 due to a vulnerability (CVE-2023-43804). This vulnerability could lead to the unintentional leakage of sensitive information via HTTP redirects to a different origin if the user doesn't disable redirects explicitly. 
This issue has been patched in urllib3 version 1.26.17 or 2.0.5.\r\nhttps://github.com/oscal-compass/compliance-trestle/pull/1472/commits/f0ce7047d1b48cc9534b262a5844d52541400d5d", "cve": "CVE-2023-43804", "id": "pyup.io-63243", "more_info_path": "/vulnerabilities/CVE-2023-43804/63243", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { "advisory": "Compliance-trestle 2.5.0 updates its cryptography dependency to version 41.0.6 due to a critical vulnerability (CVE-2023-49083). This vulnerability could lead to a NULL-pointer dereference and segfault when deserializing a PKCS7 blob/certificate, potentially causing a Denial of Service (DoS) and system instability.\r\nhttps://github.com/oscal-compass/compliance-trestle/pull/1479/commits/1ed9f5ccec1e37f625eb9253dd07f8dee994cfe4", "cve": "CVE-2023-49083", "id": "pyup.io-63242", "more_info_path": "/vulnerabilities/CVE-2023-49083/63242", "specs": [ "<2.5.0" ], "v": "<2.5.0" }, { "advisory": "Compliance-trestle 2.5.0 updates its cryptography dependency to version 41.0.6 due to a vulnerability (CVE-2023-48795). 
This vulnerability, known as the Terrapin attack, allows remote attackers to bypass integrity checks, potentially downgrading or disabling some security features in the SSH transport protocol.\r\nhttps://github.com/oscal-compass/compliance-trestle/pull/1486/commits/5657b72a757b094777773b5e1d7849ce3b970dd1", "cve": "CVE-2023-48795", "id": "pyup.io-63247", "more_info_path": "/vulnerabilities/CVE-2023-48795/63247", "specs": [ "<2.5.0" ], "v": "<2.5.0" }, { "advisory": "Compliance-trestle 2.5.1 updates its dependency 'jinja2' to v3.1.3 to include a security fix.\r\nhttps://github.com/oscal-compass/compliance-trestle/pull/1498", "cve": "CVE-2024-22195", "id": "pyup.io-64313", "more_info_path": "/vulnerabilities/CVE-2024-22195/64313", "specs": [ "<2.5.1" ], "v": "<2.5.1" }, { "advisory": "Compliance-trestle version 2.6.0 upgrades its cryptography library to version 42.0.0 from 41.0.6 to mitigate the security issue CVE-2023-50782.\r\nhttps://github.com/oscal-compass/compliance-trestle/pull/1509/commits/41c880a2122fc52820e6fcee6f1193fd937c0673", "cve": "CVE-2023-50782", "id": "pyup.io-65626", "more_info_path": "/vulnerabilities/CVE-2023-50782/65626", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { "advisory": "Compliance-trestle 3.3.0 updates its dependency 'Jinja2' from version 3.1.3 to 3.1.4 to include a security fix.", "cve": "CVE-2024-34064", "id": "pyup.io-72184", "more_info_path": "/vulnerabilities/CVE-2024-34064/72184", "specs": [ "<3.3.0" ], "v": "<3.3.0" }, { "advisory": "Compliance-trestle 3.3.0 updates its dependency 'urllib3' from version 1.26.17 to 1.26.19 to include a security fix.", "cve": "CVE-2024-37891", "id": "pyup.io-72186", "more_info_path": "/vulnerabilities/CVE-2024-37891/72186", "specs": [ "<3.3.0" ], "v": "<3.3.0" } ], "composer": [ { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "PVE-2021-44525", "id": "pyup.io-53693", 
"more_info_path": "/vulnerabilities/PVE-2021-44525/53693", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2023-24816", "id": "pyup.io-53697", "more_info_path": "/vulnerabilities/CVE-2023-24816/53697", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2021-34552", "id": "pyup.io-53694", "more_info_path": "/vulnerabilities/CVE-2021-34552/53694", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "PVE-2022-44524", "id": "pyup.io-53692", "more_info_path": "/vulnerabilities/PVE-2022-44524/53692", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'certifi' requirement to '>=2022.12.7' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2022-23491", "id": "pyup.io-53695", "more_info_path": "/vulnerabilities/CVE-2022-23491/53695", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2022-22815", "id": "pyup.io-53687", "more_info_path": "/vulnerabilities/CVE-2022-22815/53687", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2021-33503", "id": "pyup.io-53696", "more_info_path": "/vulnerabilities/CVE-2021-33503/53696", 
"specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", "cve": "CVE-2022-22816", "id": "pyup.io-53691", "more_info_path": "/vulnerabilities/CVE-2022-22816/53691", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Composer 0.9.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/mosaicml/composer/pull/1328", "cve": "PVE-2023-60601", "id": "pyup.io-60601", "more_info_path": "/vulnerabilities/PVE-2023-60601/60601", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "composio-core": [ { "advisory": "A critical security vulnerability affects the composiohq composio library. The vulnerability exists in the path function of the file composio\\server\\api.py. Attackers can manipulate the 'file' argument to achieve path traversal, potentially accessing unauthorized files on the system. This vulnerability has been publicly disclosed and exploits may exist in the wild. The vendor has not responded to disclosure attempts, underscoring the urgency of this update. Never process file paths from untrusted sources without proper sanitization and validation.", "cve": "CVE-2024-8865", "id": "pyup.io-73299", "more_info_path": "/vulnerabilities/CVE-2024-8865/73299", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "A security vulnerability affects the composiohq composio library. The vulnerability exists in the Calculator function of the file python/composio/tools/local/mathematical/actions/calculator.py. Attackers can exploit this vulnerability to perform code injection, potentially executing arbitrary code on the target system. 
This vulnerability has been publicly disclosed and exploits may exist in the wild.", "cve": "CVE-2024-8864", "id": "pyup.io-73301", "more_info_path": "/vulnerabilities/CVE-2024-8864/73301", "specs": [ ">=0" ], "v": ">=0" }, { "advisory": "A security vulnerability affects the composiohq composio library. The vulnerability exists in the path function of the file composio\\server\\api.py. Attackers can manipulate the 'file' argument to achieve path traversal, potentially accessing unauthorized files on the system. This vulnerability has been publicly disclosed and exploits may exist in the wild.", "cve": "CVE-2024-8865", "id": "pyup.io-73300", "more_info_path": "/vulnerabilities/CVE-2024-8865/73300", "specs": [ ">=0" ], "v": ">=0" } ], "conan": [ { "advisory": "Conan 1.49.0 updates its dependency 'pyjwt' requirement to \">=2.4.0, <3.0.0\" to include a security fix.", "cve": "CVE-2022-29217", "id": "pyup.io-49249", "more_info_path": "/vulnerabilities/CVE-2022-29217/49249", "specs": [ "<1.49.0" ], "v": "<1.49.0" }, { "advisory": "Affected versions of the Conan package manager are vulnerable to Improper Authorization (CWE-285). The server's authorization mechanism allowed users to bypass permission checks if the package owner's username matched their own, potentially leading to unauthorized access or modification of packages. This vulnerability can be exploited by any authenticated user who owns a package, resulting in privilege escalation. 
The affected methods are check_read_conan, check_write_conan, and check_delete_conan in authorize.py, as well as authentication checks in file_downloader.py and file_uploader.py.", "cve": "PVE-2024-73937", "id": "pyup.io-73937", "more_info_path": "/vulnerabilities/PVE-2024-73937/73937", "specs": [ "<2.9.0" ], "v": "<2.9.0" } ], "concrete-datastore": [ { "advisory": "Concrete-datastore 1.22.0 adds checks to prevent unauthorized queries.\r\nhttps://github.com/Netsach/concrete-datastore/pull/69", "cve": "PVE-2021-39449", "id": "pyup.io-39449", "more_info_path": "/vulnerabilities/PVE-2021-39449/39449", "specs": [ "<1.22.0" ], "v": "<1.22.0" }, { "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.\r\nhttps://github.com/Netsach/concrete-datastore/commit/f852fb003da373b958623dc8fd383c7ac09f0e80", "cve": "PVE-2021-39709", "id": "pyup.io-39709", "more_info_path": "/vulnerabilities/PVE-2021-39709/39709", "specs": [ "<1.23.0" ], "v": "<1.23.0" } ], "conference-scheduler-cli": [ { "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", "cve": "CVE-2018-14572", "id": "pyup.io-36425", "more_info_path": "/vulnerabilities/CVE-2018-14572/36425", "specs": [ "<=0.10.1" ], "v": "<=0.10.1" } ], "confidant": [ { "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. 
Also, any tokens that are expired will now correctly fail to authenticate.", "cve": "PVE-2021-26670", "id": "pyup.io-26670", "more_info_path": "/vulnerabilities/PVE-2021-26670/26670", "specs": [ "<1.1.13" ], "v": "<1.1.13" }, { "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth could be used for auth.", "cve": "PVE-2021-25668", "id": "pyup.io-25668", "more_info_path": "/vulnerabilities/PVE-2021-25668/25668", "specs": [ "<1.1.14" ], "v": "<1.1.14" }, { "advisory": "Confidant 1.10.0 upgrades 'gevent' and 'greenlet' dependencies to fix CVE-2016-5180.", "cve": "CVE-2016-5180", "id": "pyup.io-38504", "more_info_path": "/vulnerabilities/CVE-2016-5180/38504", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Confidant 1.6.0 updates python-saml to address CVE-2016-1000252.", "cve": "CVE-2016-1000252", "id": "pyup.io-38505", "more_info_path": "/vulnerabilities/CVE-2016-1000252/38505", "specs": [ "<1.6.0" ], "v": "<1.6.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", "cve": "PVE-2021-40103", "id": "pyup.io-45038", "more_info_path": "/vulnerabilities/PVE-2021-40103/45038", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'python3-saml' to v1.8.0 to include a security fix.", "cve": "PVE-2021-39454", "id": "pyup.io-45042", "more_info_path": 
"/vulnerabilities/PVE-2021-39454/45042", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'gunicorn' to a version >=19.9.0 to include security fixes.", "cve": "CVE-2018-1000164", "id": "pyup.io-45037", "more_info_path": "/vulnerabilities/CVE-2018-1000164/45037", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'werkzeug' to v0.15.6 to include a security fix.", "cve": "CVE-2019-14806", "id": "pyup.io-45043", "more_info_path": "/vulnerabilities/CVE-2019-14806/45043", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'lxml' to v4.4.1 to include security fixes.", "cve": "PVE-2021-39195", "id": "pyup.io-45041", "more_info_path": "/vulnerabilities/PVE-2021-39195/45041", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'lxml' to v4.4.1 to include security fixes.", "cve": "CVE-2018-19787", "id": "pyup.io-45040", "more_info_path": "/vulnerabilities/CVE-2018-19787/45040", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'requests' to a version >=2.22.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-45035", "more_info_path": "/vulnerabilities/CVE-2018-18074/45035", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", "cve": "CVE-2019-1010083", "id": "pyup.io-45033", "more_info_path": "/vulnerabilities/CVE-2019-1010083/45033", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'pyopenssl' to v19.0.0 to include security fixes.", "cve": "CVE-2018-1000808", "id": "pyup.io-45032", "more_info_path": "/vulnerabilities/CVE-2018-1000808/45032", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'jinja2' to v2.10.1 to include a security fix.", "cve": 
"CVE-2019-10906", "id": "pyup.io-45039", "more_info_path": "/vulnerabilities/CVE-2019-10906/45039", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'pyopenssl' to v19.0.0 to include security fixes.", "cve": "CVE-2018-1000807", "id": "pyup.io-37471", "more_info_path": "/vulnerabilities/CVE-2018-1000807/37471", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'pyyaml' to v5.1.2 to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-45036", "more_info_path": "/vulnerabilities/CVE-2017-18342/45036", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 5.0.0 updates its dependency 'flask' to v1.1.1 to include security fixes.", "cve": "CVE-2018-1000656", "id": "pyup.io-45034", "more_info_path": "/vulnerabilities/CVE-2018-1000656/45034", "specs": [ "<5.0.0" ], "v": "<5.0.0" }, { "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to be rotated periodically for security purposes.", "cve": "PVE-2021-38560", "id": "pyup.io-38560", "more_info_path": "/vulnerabilities/PVE-2021-38560/38560", "specs": [ "<6.3.0" ], "v": "<6.3.0" }, { "advisory": "Confidant affected versions contain a critical Cross-Site Scripting (XSS) vulnerability affecting multiple API endpoints for credential and service operations. 
This stored XSS flaw enables authenticated attackers with credential creation privileges to inject malicious scripts, potentially compromising other users' sessions, stealing sensitive information, or executing unauthorized actions. Inadequate input sanitization and improper content-type headers in API responses cause this vulnerability. Developers have patched the issue by implementing robust XSS protection measures, including security headers and proper content-type settings for API responses.", "cve": "CVE-2024-45793", "id": "pyup.io-73295", "more_info_path": "/vulnerabilities/CVE-2024-45793/73295", "specs": [ "<6.6.2" ], "v": "<6.6.2" } ], "confidence": [ { "advisory": "Confidence before 0.4 uses unsafe 'yaml.load()' which may lead to code execution.\r\nhttps://github.com/NetherlandsForensicInstitute/confidence/commit/c94f3510aabf1d8f67e58ae0d3350c98821d296b", "cve": "PVE-2021-36308", "id": "pyup.io-36308", "more_info_path": "/vulnerabilities/PVE-2021-36308/36308", "specs": [ "<0.4" ], "v": "<0.4" } ], "configframework": [ { "advisory": "Configframework 4.0.1 updates its dependency 'pygments' to version '2.15.0' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/Rud356/ConfigFramework/commit/3eb83b9099fff6bf2d80bf2cd79fb3e62933fde6", "cve": "CVE-2022-40896", "id": "pyup.io-60146", "more_info_path": "/vulnerabilities/CVE-2022-40896/60146", "specs": [ "<4.0.1" ], "v": "<4.0.1" } ], "configobj": [ { "advisory": "The configobj package affected versions contains a Regular Expression Denial of Service (ReDoS) vulnerability in its validate function. The vulnerable regex (.+?)\\((.*)\\) allows attackers to cause denial of service using specially crafted input with nested parentheses. This issue primarily affects server-side applications using configobj for configuration parsing. The vulnerability is patched by modifying the regex to ([^\\(\\)]+?)\\((.*)\\), preventing matching of nested parentheses. 
 \r\nNOTE: This is only exploitable in the case of a developer putting the offending value in a server-side configuration file.", "cve": "CVE-2023-26112", "id": "pyup.io-54843", "more_info_path": "/vulnerabilities/CVE-2023-26112/54843", "specs": [ "<5.0.9" ], "v": "<5.0.9" } ], "confire": [ { "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from \"~/.confire.yaml\" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.", "cve": "CVE-2017-16763", "id": "pyup.io-35721", "more_info_path": "/vulnerabilities/CVE-2017-16763/35721", "specs": [ "<=0.2.0" ], "v": "<=0.2.0" } ], "confluent-kafka": [ { "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", "cve": "PVE-2021-37508", "id": "pyup.io-37508", "more_info_path": "/vulnerabilities/PVE-2021-37508/37508", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Confluent-kafka 1.3.0 updates builtin C dependency 'lz4' to v1.9.2 to include a security fix.", "cve": "CVE-2019-17543", "id": "pyup.io-38072", "more_info_path": "/vulnerabilities/CVE-2019-17543/38072", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler: the client nonce, which is expected to be a random string, was a static string.", "cve": "PVE-2021-38165", "id": "pyup.io-38165", "more_info_path": "/vulnerabilities/PVE-2021-38165/38165", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler: If 'sasl.username' and 'sasl.password' contained characters that needed escaping, a buffer overflow and heap corruption would occur. 
This was protected, but too late, by an assertion.", "cve": "PVE-2022-48601", "id": "pyup.io-48601", "more_info_path": "/vulnerabilities/PVE-2022-48601/48601", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { "advisory": "Confluent-kafka enhances the security of the client by removing the usage of the strcpy function. The use of strcpy can lead to security vulnerabilities, such as buffer overflows because it does not perform bounds checking. By eliminating this function, the update mitigates potential risks associated with unsafe string handling.", "cve": "PVE-2024-72117", "id": "pyup.io-72117", "more_info_path": "/vulnerabilities/PVE-2024-72117/72117", "specs": [ "<2.5.0" ], "v": "<2.5.0" } ], "conn-check": [ { "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", "cve": "PVE-2021-25669", "id": "pyup.io-25669", "more_info_path": "/vulnerabilities/PVE-2021-25669/25669", "specs": [ "<1.0.18" ], "v": "<1.0.18" } ], "connect-openapi-client": [ { "advisory": "Connect-openapi-client 25.4 updates its dependency 'httpx' to version '0.23.0' to include a security fix.\r\nhttps://github.com/cloudblue/connect-python-openapi-client/commit/42595a51a66f1c4832d8f38fbcdca201a0bfded2\r\nhttps://github.com/advisories/==GHSA==-h8pj-cxx2-jfg2", "cve": "CVE-2021-41945", "id": "pyup.io-59114", "more_info_path": "/vulnerabilities/CVE-2021-41945/59114", "specs": [ "<25.4" ], "v": "<25.4" } ], "connect-sdk-python2": [ { "advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2020-26137", "id": "pyup.io-51386", "more_info_path": "/vulnerabilities/CVE-2020-26137/51386", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' 
version.", "cve": "CVE-2019-11324", "id": "pyup.io-51385", "more_info_path": "/vulnerabilities/CVE-2019-11324/51385", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2018-20060", "id": "pyup.io-51359", "more_info_path": "/vulnerabilities/CVE-2018-20060/51359", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2019-11236", "id": "pyup.io-51384", "more_info_path": "/vulnerabilities/CVE-2019-11236/51384", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python2 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2021-33503", "id": "pyup.io-51387", "more_info_path": "/vulnerabilities/CVE-2021-33503/51387", "specs": [ "<3.33.0" ], "v": "<3.33.0" } ], "connect-sdk-python3": [ { "advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2020-26137", "id": "pyup.io-51380", "more_info_path": "/vulnerabilities/CVE-2020-26137/51380", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2019-11236", "id": "pyup.io-51382", "more_info_path": "/vulnerabilities/CVE-2019-11236/51382", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2019-11324", "id": "pyup.io-51381", 
"more_info_path": "/vulnerabilities/CVE-2019-11324/51381", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2018-20060", "id": "pyup.io-51383", "more_info_path": "/vulnerabilities/CVE-2018-20060/51383", "specs": [ "<3.33.0" ], "v": "<3.33.0" }, { "advisory": "Connect-sdk-python3 3.33.0 updates the minimum 'requests' version from 2.20.0 to 2.25.0, as earlier versions depend on a vulnerable 'urllib3' version.", "cve": "CVE-2021-33503", "id": "pyup.io-51360", "more_info_path": "/vulnerabilities/CVE-2021-33503/51360", "specs": [ "<3.33.0" ], "v": "<3.33.0" } ], "connexion": [ { "advisory": "Connexion 3.0 updates its dependency 'httpx' to include a security fix.", "cve": "CVE-2021-41945", "id": "pyup.io-62142", "more_info_path": "/vulnerabilities/CVE-2021-41945/62142", "specs": [ "<3.0" ], "v": "<3.0" } ], "consoleme": [ { "advisory": "Consoleme 1.2.2 includes a fix for CVE-2022-27177: A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2.\r\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md", "cve": "CVE-2022-27177", "id": "pyup.io-47925", "more_info_path": "/vulnerabilities/CVE-2022-27177/47925", "specs": [ "<1.2.2" ], "v": "<1.2.2" }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.", "cve": "CVE-2024-5023", "id": "pyup.io-71910", "more_info_path": "/vulnerabilities/CVE-2024-5023/71910", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "container-service-extension": [ { "advisory": "Container-service-extension 1.2.5 updates kubernetes packages and docker images for both Ubuntu and Photon OS templates to include a security 
fix.\r\nhttps://github.com/vmware/container-service-extension/commit/d4e6bf2d546a622d9fc20deb919b20a29264e071", "cve": "CVE-2018-1002105", "id": "pyup.io-36876", "more_info_path": "/vulnerabilities/CVE-2018-1002105/36876", "specs": [ "<1.2.5" ], "v": "<1.2.5" }, { "advisory": "Container-service-extension 1.2.7 updates docker images to include a fix for CVE-2019-5736.\r\nhttps://github.com/vmware/container-service-extension/commit/1f03f960871afe8774541747712d4a72f6378839", "cve": "CVE-2019-5736", "id": "pyup.io-37100", "more_info_path": "/vulnerabilities/CVE-2019-5736/37100", "specs": [ "<1.2.7" ], "v": "<1.2.7" }, { "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", "cve": "PVE-2021-37529", "id": "pyup.io-37529", "more_info_path": "/vulnerabilities/PVE-2021-37529/37529", "specs": [ "<2.5.0b1" ], "v": "<2.5.0b1" } ], "contentful": [ { "advisory": "Contentful 1.11.3 updates 'requests' version due to a vulnerability found in versions '2.19' and below.", "cve": "CVE-2018-18074", "id": "pyup.io-36633", "more_info_path": "/vulnerabilities/CVE-2018-18074/36633", "specs": [ "<1.11.3" ], "v": "<1.11.3" }, { "advisory": "Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.", "cve": "CVE-2020-13258", "id": "pyup.io-38314", "more_info_path": "/vulnerabilities/CVE-2020-13258/38314", "specs": [ "<=1.12.3" ], "v": "<=1.12.3" } ], "contentful-management": [ { "advisory": "Contentful-management 2.5.0 updates 'requests' version due to a vulnerability found in previous versions.", "cve": "CVE-2018-18074", "id": "pyup.io-36599", "more_info_path": "/vulnerabilities/CVE-2018-18074/36599", "specs": [ "<2.5.0" ], "v": "<2.5.0" } ], "contestms": [ { "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. 
These won't be backported to 1.1, so make sure you update.", "cve": "PVE-2021-34249", "id": "pyup.io-34249", "more_info_path": "/vulnerabilities/PVE-2021-34249/34249", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.", "cve": "CVE-2020-24804", "id": "pyup.io-70899", "more_info_path": "/vulnerabilities/CVE-2020-24804/70899", "specs": [ "<=1.4.rc1" ], "v": "<=1.4.rc1" } ], "cookie-manager": [ { "advisory": "Cookie-manager 1.0.3 updates its dependency 'bleach' to v3.1.2 to include a security fix.", "cve": "CVE-2020-6816", "id": "pyup.io-38106", "more_info_path": "/vulnerabilities/CVE-2020-6816/38106", "specs": [ "<1.0.3" ], "v": "<1.0.3" }, { "advisory": "Cookie-manager 1.1.0 updates its dependency Bleach to include a security fix.", "cve": "CVE-2020-6817", "id": "pyup.io-38153", "more_info_path": "/vulnerabilities/CVE-2020-6817/38153", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. See Bleach 3.3.0 for further details.", "cve": "PVE-2021-40165", "id": "pyup.io-40165", "more_info_path": "/vulnerabilities/PVE-2021-40165/40165", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "cookiecutter": [ { "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", "cve": "PVE-2021-37672", "id": "pyup.io-37672", "more_info_path": "/vulnerabilities/PVE-2021-37672/37672", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. 
The additional flags can be used to perform a command injection.", "cve": "CVE-2022-24065", "id": "pyup.io-49337", "more_info_path": "/vulnerabilities/CVE-2022-24065/49337", "specs": [ "<2.1.1" ], "v": "<2.1.1" }, { "advisory": "Cookiecutter, a command-line utility for creating projects, is susceptible to a vulnerability where credentials are insufficiently protected because of insecure retrieval of the gitlab_token. This issue concerns versions of Cookiecutter and poses a risk to the security of users' credentials.", "cve": "PVE-2024-99814", "id": "pyup.io-65970", "more_info_path": "/vulnerabilities/PVE-2024-99814/65970", "specs": [ ">=0,<0.1" ], "v": ">=0,<0.1" } ], "coordination-network-toolkit": [ { "advisory": "Coordination-network-toolkit 1.0.2 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", "cve": "CVE-2021-33503", "id": "pyup.io-40624", "more_info_path": "/vulnerabilities/CVE-2021-33503/40624", "specs": [ "<1.0.2" ], "v": "<1.0.2" } ], "copy-spotter": [ { "advisory": "Copy-spotter version 0.0.1 has upgraded its nltk dependency from 3.6.3 to 3.6.6 to address the security issue identified in CVE-2021-3842.", "cve": "CVE-2021-3842", "id": "pyup.io-68082", "more_info_path": "/vulnerabilities/CVE-2021-3842/68082", "specs": [ "<0.0.1" ], "v": "<0.0.1" } ], "copyparty": [ { "advisory": "Copyparty 0.11.31 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/9001/copyparty/commit/a5120d4f6fe4afe91eb0e091063de6b9ba9e81e1", "cve": "PVE-2023-59586", "id": "pyup.io-59586", "more_info_path": "/vulnerabilities/PVE-2023-59586/59586", "specs": [ "<0.11.31" ], "v": "<0.11.31" }, { "advisory": "Copyparty 0.12.3 fixes a bug where malicious POSTs through an nginx reverse-proxy could put the connection in a bad state, causing the next legit request to fail with bad headers.", "cve": "PVE-2023-53478", "id": "pyup.io-53478", "more_info_path": "/vulnerabilities/PVE-2023-53478/53478", "specs": [ "<0.12.3" ], "v": "<0.12.3" }, { 
"advisory": "Copyparty 1.0.10 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/9001/copyparty/commit/8399e95bda9a43c3c68c55c948bd4696a9374c27", "cve": "PVE-2023-59584", "id": "pyup.io-59584", "more_info_path": "/vulnerabilities/PVE-2023-59584/59584", "specs": [ "<1.0.10" ], "v": "<1.0.10" }, { "advisory": "Copyparty 1.0.8 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/9001/copyparty/commit/bd5cfc2f1b90c278157fd5593735703763dbaf05", "cve": "PVE-2023-59585", "id": "pyup.io-59585", "more_info_path": "/vulnerabilities/PVE-2023-59585/59585", "specs": [ "<1.0.8" ], "v": "<1.0.8" }, { "advisory": "Copyparty 1.2.11 includes a fix for a Denial of Service vulnerability.\r\nhttps://github.com/9001/copyparty/issues/9", "cve": "PVE-2023-59370", "id": "pyup.io-59370", "more_info_path": "/vulnerabilities/PVE-2023-59370/59370", "specs": [ "<1.2.11" ], "v": "<1.2.11" }, { "advisory": "Copyparty 1.2.8 includes a fix for a theoretical XSS vulnerability.\r\nhttps://github.com/9001/copyparty/commit/73fa70b41f182c7077332a3460364bf625c099d7", "cve": "PVE-2023-53475", "id": "pyup.io-53475", "more_info_path": "/vulnerabilities/PVE-2023-53475/53475", "specs": [ "<1.2.8" ], "v": "<1.2.8" }, { "advisory": "Copyparty 1.8.2 includes a fix for a Path Traversal vulnerability: An attacker may use the /.cpr endpoint to have full access to the server filesystem.\r\nhttps://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg", "cve": "CVE-2023-37474", "id": "pyup.io-59466", "more_info_path": "/vulnerabilities/CVE-2023-37474/59466", "specs": [ "<1.8.2" ], "v": "<1.8.2" }, { "advisory": "Copyparty 1.8.2 includes a fix for a Race Condition vulnerability. 
Impact is on availability.\r\nhttps://github.com/9001/copyparty/commit/77f1e5144455eb946db7368792ea11c934f0f6da\r\nhttps://github.com/9001/copyparty/commit/8f59afb1593a75b8ce8c91ceee304097a07aea6e", "cve": "PVE-2023-59475", "id": "pyup.io-59475", "more_info_path": "/vulnerabilities/PVE-2023-59475/59475", "specs": [ "<1.8.2" ], "v": "<1.8.2" }, { "advisory": "Copyparty 1.8.6 includes a fix for a Reflected XSS vulnerability.\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-cw7j-v52w-fp5r", "cve": "PVE-2023-59775", "id": "pyup.io-59775", "more_info_path": "/vulnerabilities/PVE-2023-59775/59775", "specs": [ "<1.8.6" ], "v": "<1.8.6" }, { "advisory": "Copyparty 1.8.7 includes a fix for a Reflected cross-site scripting vulnerability in k304 parameter.\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh", "cve": "CVE-2023-38501", "id": "pyup.io-59838", "more_info_path": "/vulnerabilities/CVE-2023-38501/59838", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Copyparty 1.9.6 updates its dependency 'pillow' to v10.0.1 to include a security fix in Windows wheels (libwebp vulnerability).", "cve": "CVE-2023-4863", "id": "pyup.io-61515", "more_info_path": "/vulnerabilities/CVE-2023-4863/61515", "specs": [ "<1.9.6" ], "v": "<1.9.6" } ], "cornflow": [ { "advisory": "Cornflow version 1.0.11 updates its Werkzeug dependency to version 3.0.3 or lower (previously <=2.3.8) to address the security vulnerability identified as CVE-2024-34069.", "cve": "CVE-2024-34069", "id": "pyup.io-71012", "more_info_path": "/vulnerabilities/CVE-2024-34069/71012", "specs": [ "<1.0.11" ], "v": "<1.0.11" }, { "advisory": "Cornflow version 1.0.11 updates its `flask-cors` dependency from version 3.0.10 or lower to version 4.0.1 or lower in response to CVE-2024-1681.", "cve": "CVE-2024-1681", "id": "pyup.io-71025", "more_info_path": "/vulnerabilities/CVE-2024-1681/71025", "specs": [ "<1.0.11" ], "v": "<1.0.11" }, { "advisory": "Cornflow 1.0.5 updates its dependency 
'flask' to v2.3.2 to include a security fix.", "cve": "CVE-2023-30861", "id": "pyup.io-61559", "more_info_path": "/vulnerabilities/CVE-2023-30861/61559", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Cornflow 1.0.6 updates its dependency 'gevent' to v23.9.0.post1 to include a security fix.", "cve": "CVE-2023-41419", "id": "pyup.io-61558", "more_info_path": "/vulnerabilities/CVE-2023-41419/61558", "specs": [ "<1.0.6" ], "v": "<1.0.6" }, { "advisory": "Cornflow 1.1.1 updates its dependency 'requests' to v2.32.3 to include a security fix.", "cve": "CVE-2024-35195", "id": "pyup.io-73262", "more_info_path": "/vulnerabilities/CVE-2024-35195/73262", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "cortex": [ { "advisory": "cortex before 0.32.0", "cve": "PVE-2021-40128", "id": "pyup.io-40128", "more_info_path": "/vulnerabilities/PVE-2021-40128/40128", "specs": [ "<0.32.0" ], "v": "<0.32.0" } ], "cos-alerter": [ { "advisory": "Cos-alerter 0.6.0 includes a fix for a potential cross-site scripting vulnerability.\r\nhttps://github.com/canonical/cos-alerter/commit/63c09cf14942ea2b4275a645a2297725a1a6bddc", "cve": "PVE-2023-62563", "id": "pyup.io-62563", "more_info_path": "/vulnerabilities/PVE-2023-62563/62563", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "cosmos-wfm": [ { "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious actors can run arbitrary code if they have file system access (even via external mounts) and network access to the machine running luigid; the code executes as the user that luigid runs as.", "cve": "PVE-2021-34181", "id": "pyup.io-34181", "more_info_path": "/vulnerabilities/PVE-2021-34181/34181", "specs": [ "<2.1.1" ], "v": "<2.1.1" } ], "cova": [ { "advisory": "Cova 0.7.4 updates its dependency 'dask' to v2021.10.0 to include a security fix.", "cve": "CVE-2021-42343", "id": "pyup.io-44672", "more_info_path": "/vulnerabilities/CVE-2021-42343/44672", "specs": [ "<0.7.4" ], "v": "<0.7.4" } ], "covalent": [ { "advisory": "Covalent 0.7.4 updates its 
dependency 'dask' to v2021.10.0 to include a security fix.", "cve": "CVE-2021-42343", "id": "pyup.io-49737", "more_info_path": "/vulnerabilities/CVE-2021-42343/49737", "specs": [ "<0.7.4" ], "v": "<0.7.4" } ], "covalent-ec2-plugin": [ { "advisory": "Covalent-ec2-plugin 0.8.1 includes a fix for a potential race condition vulnerability.\r\nhttps://github.com/AgnostiqHQ/covalent-ec2-plugin/pull/30", "cve": "PVE-2023-61341", "id": "pyup.io-61341", "more_info_path": "/vulnerabilities/PVE-2023-61341/61341", "specs": [ "<0.8.1" ], "v": "<0.8.1" } ], "coveralls": [ { "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.", "cve": "PVE-2021-25671", "id": "pyup.io-25671", "more_info_path": "/vulnerabilities/PVE-2021-25671/25671", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "covert": [ { "advisory": "Covert 0.2.1 ensures that all authentication tokens are unique, also for repeated public keys.\r\nhttps://github.com/covert-encryption/covert/commit/1a40aa80bb9f0401e2eb59d93df5e531c4ec1623", "cve": "PVE-2021-42679", "id": "pyup.io-42679", "more_info_path": "/vulnerabilities/PVE-2021-42679/42679", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Covert 0.6.0 fixes an indistinguishability flaw in the ephemeral keys: encrypted archives could be easily distinguishable from random.\r\nhttps://github.com/covert-encryption/covert/issues/55", "cve": "PVE-2022-44428", "id": "pyup.io-44428", "more_info_path": "/vulnerabilities/PVE-2022-44428/44428", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "cplay-ng": [ { "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.", "cve": "PVE-2021-25672", "id": "pyup.io-25672", "more_info_path": "/vulnerabilities/PVE-2021-25672/25672", "specs": [ "<1.50" ], "v": "<1.50" } ], "crate-docs-theme": [ { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2018-14040", "id": "pyup.io-49066", "more_info_path": "/vulnerabilities/CVE-2018-14040/49066", 
"specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2019-11358", "id": "pyup.io-49060", "more_info_path": "/vulnerabilities/CVE-2019-11358/49060", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2019-11358", "id": "pyup.io-49061", "more_info_path": "/vulnerabilities/CVE-2019-11358/49061", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2018-14042", "id": "pyup.io-49067", "more_info_path": "/vulnerabilities/CVE-2018-14042/49067", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2018-20677", "id": "pyup.io-49064", "more_info_path": "/vulnerabilities/CVE-2018-20677/49064", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2020-7656", "id": "pyup.io-49062", "more_info_path": "/vulnerabilities/CVE-2020-7656/49062", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2016-10735", "id": "pyup.io-49068", "more_info_path": "/vulnerabilities/CVE-2016-10735/49068", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2015-9251", "id": "pyup.io-49058", "more_info_path": "/vulnerabilities/CVE-2015-9251/49058", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security 
fixes.", "cve": "CVE-2011-4969", "id": "pyup.io-39529", "more_info_path": "/vulnerabilities/CVE-2011-4969/39529", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2019-8331", "id": "pyup.io-49063", "more_info_path": "/vulnerabilities/CVE-2019-8331/49063", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", "cve": "CVE-2018-20676", "id": "pyup.io-49065", "more_info_path": "/vulnerabilities/CVE-2018-20676/49065", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2012-6708", "id": "pyup.io-49057", "more_info_path": "/vulnerabilities/CVE-2012-6708/49057", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2012-6708", "id": "pyup.io-49056", "more_info_path": "/vulnerabilities/CVE-2012-6708/49056", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2015-9251", "id": "pyup.io-49059", "more_info_path": "/vulnerabilities/CVE-2015-9251/49059", "specs": [ "<0.13.0" ], "v": "<0.13.0" } ], "creavel": [ { "advisory": "Creavel 0.11.0 prevents XSS on FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79", "cve": "PVE-2021-25673", "id": "pyup.io-25673", "more_info_path": "/vulnerabilities/PVE-2021-25673/25673", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Creavel 0.11.0 has a vulnerability associated with jinja2.\r\nhttps://github.com/airbnb/superset/commit/bce02e3f518237c03273e3ed4d9d1a13d9f8f6a9", "cve": "PVE-2021-25674", "id": "pyup.io-25674", 
"more_info_path": "/vulnerabilities/PVE-2021-25674/25674", "specs": [ "<=0.11.0" ], "v": "<=0.11.0" } ], "credstash": [ { "advisory": "Credstash 1.16.0 updates its dependency pyyaml to a version >=4.2b1 to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-37852", "more_info_path": "/vulnerabilities/CVE-2017-18342/37852", "specs": [ "<1.16.0" ], "v": "<1.16.0" } ], "creopyson": [ { "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", "cve": "PVE-2021-37964", "id": "pyup.io-37964", "more_info_path": "/vulnerabilities/PVE-2021-37964/37964", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "crmsh": [ { "advisory": "An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call \"crm history\" (when \"crm\" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.", "cve": "CVE-2020-35459", "id": "pyup.io-65839", "more_info_path": "/vulnerabilities/CVE-2020-35459/65839", "specs": [ "<=4.2.1" ], "v": "<=4.2.1" } ], "cromwell-tools": [ { "advisory": "Cromwell-tools 1.0.0 updates requests to v2.20.0 to avoid security issues.", "cve": "CVE-2018-18074", "id": "pyup.io-36659", "more_info_path": "/vulnerabilities/CVE-2018-18074/36659", "specs": [ "<1.0.0" ], "v": "<1.0.0" } ], "crossbar": [ { "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", "cve": "PVE-2021-25675", "id": "pyup.io-25675", "more_info_path": "/vulnerabilities/PVE-2021-25675/25675", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Crossbar 20.12.3 updates its dependency Autobahn to v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", "cve": "CVE-2020-35678", "id": "pyup.io-39329", "more_info_path": 
"/vulnerabilities/CVE-2020-35678/39329", "specs": [ "<20.12.3" ], "v": "<20.12.3" } ], "croud": [ { "advisory": "Croud 0.3.0 includes a fix for CVE-2017-18342, an arbitrary code execution vulnerability in yaml.load().\r\nhttps://github.com/crate/croud/commit/821f2ba47285f5b5ad3e2e2782c44f867da931ee", "cve": "CVE-2017-18342", "id": "pyup.io-42353", "more_info_path": "/vulnerabilities/CVE-2017-18342/42353", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "crpytography": [ { "advisory": "Crpytography is a malicious package. It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51739", "id": "pyup.io-51739", "more_info_path": "/vulnerabilities/PVE-2022-51739/51739", "specs": [ ">0" ], "v": ">0" } ], "crypt": [ { "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": "PVE-2021-34981", "id": "pyup.io-34981", "more_info_path": "/vulnerabilities/PVE-2021-34981/34981", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "cryptacular": [ { "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", "cve": "CVE-2011-2483", "id": "pyup.io-42230", "more_info_path": "/vulnerabilities/CVE-2011-2483/42230", "specs": [ "<1.2" ], "v": "<1.2" } ], "cryptice": [ { "advisory": "Cryptice 2.0 improves user data validation to avoid security issues.\r\nhttps://github.com/RenardDev/CryptICE/commit/2a8627747ab1a180e1466a21cf2fb6a9f665489a", "cve": "PVE-2022-43753", "id": "pyup.io-43753", "more_info_path": "/vulnerabilities/PVE-2022-43753/43753", "specs": [ "<2.0" ], "v": "<2.0" } ], "crypto-candlesticks": [ { "advisory": "Crypto-candlesticks 0.1.5 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-28493", "id": 
"pyup.io-39697", "more_info_path": "/vulnerabilities/CVE-2020-28493/39697", "specs": [ "<0.1.5" ], "v": "<0.1.5" } ], "cryptoadvance.specter": [ { "advisory": "Cryptoadvance.specter 0.5.0 updates its dependency 'hwi' to v1.1.2 to include a security fix.\r\nhttps://github.com/cryptoadvance/specter-desktop/pull/178\r\nhttps://github.com/cryptoadvance/specter-desktop/issues/150", "cve": "CVE-2020-14199", "id": "pyup.io-59423", "more_info_path": "/vulnerabilities/CVE-2020-14199/59423", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "Cryptoadvance.specter 1.7.2 includes a fix for a CSRF vulnerability.\r\nhttps://github.com/cryptoadvance/specter-desktop/pull/1478", "cve": "PVE-2023-59421", "id": "pyup.io-59421", "more_info_path": "/vulnerabilities/PVE-2023-59421/59421", "specs": [ "<1.7.2" ], "v": "<1.7.2" }, { "advisory": "Cryptoadvance.specter version 2.0.2 has updated its Electron dependency from version 22.1.0 to 22.3.21 to address security concerns outlined in CVE-2023-39956.", "cve": "CVE-2023-39956", "id": "pyup.io-67912", "more_info_path": "/vulnerabilities/CVE-2023-39956/67912", "specs": [ "<2.0.2" ], "v": "<2.0.2" }, { "advisory": "Cryptoadvance.specter version 2.0.2 addresses a security issue where the \"next\" parameter during the login process on Specter desktop could be manipulated to redirect users to an unauthorized domain after login. This vulnerability posed a phishing risk, as attackers could easily direct users to malicious sites by altering the \"next\" parameter in the URL. The update rectifies this issue to prevent potential phishing attacks.", "cve": "PVE-2024-67911", "id": "pyup.io-67911", "more_info_path": "/vulnerabilities/PVE-2024-67911/67911", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "cryptoasset-data-downloader": [ { "advisory": "The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package. 
This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-32998", "id": "pyup.io-54223", "more_info_path": "/vulnerabilities/CVE-2022-32998/54223", "specs": [ ">=1.0.0,<1.0.2" ], "v": ">=1.0.0,<1.0.2" } ], "cryptoauthlib": [ { "advisory": "cryptoauthlib before 3.2.3 (20200912) is susceptible to a Denial of Service (DoS) attack due to buffer and stack overflow vulnerabilities. These vulnerabilities originate from the deprecated USB kit enumeration feature, where an attacker can impersonate a device and send malformed packets of arbitrary length, leading the protocol stack to write these packets to the stack, potentially causing a system crash or service disruption. DoS attacks, including this, aim to make the system unavailable to legitimate users, without necessarily breaching security.", "cve": "PVE-2024-99808", "id": "pyup.io-65985", "more_info_path": "/vulnerabilities/PVE-2024-99808/65985", "specs": [ ">=0,<20200728" ], "v": ">=0,<20200728" }, { "advisory": "Cryptoauthlib 20200912 includes a security fix: Buffer overflow in deprecated USB HALs and stack overflow in USB enumeration.\r\nhttps://github.com/MicrochipTech/cryptoauthlib/security/advisories/GHSA-f366-4rvv-95x2", "cve": "PVE-2023-55197", "id": "pyup.io-55197", "more_info_path": "/vulnerabilities/PVE-2023-55197/55197", "specs": [ ">=0,<20200912" ], "v": ">=0,<20200912" } ], "cryptofeed": [ { "advisory": "Cryptofeed 2.2.3 mitigates a race condition that had the potential to introduce security vulnerabilities. 
Specifically, this issue arose during the resetting of feeds with multiple connections, leading to potential unauthorized access or data corruption.\r\nhttps://github.com/bmoscon/cryptofeed/pull/851\r\nhttps://github.com/bmoscon/cryptofeed/commit/d6ce63b9a392b42e4ea936007e82da94f7566401", "cve": "PVE-2024-63280", "id": "pyup.io-63280", "more_info_path": "/vulnerabilities/PVE-2024-63280/63280", "specs": [ "<2.2.3" ], "v": "<2.2.3" } ], "cryptography": [ { "advisory": "Cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures.\r\nhttps://github.com/pyca/cryptography/pull/2013", "cve": "PVE-2021-25678", "id": "pyup.io-25678", "more_info_path": "/vulnerabilities/PVE-2021-25678/25678", "specs": [ "<0.9.1" ], "v": "<0.9.1" }, { "advisory": "Cryptography 1.0.2 fixes a vulnerability. The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with '-O' these asserts are optimized away. 
If a user ran Python with this flag and got an invalid response code, this could lead to undefined behavior or worse.", "cve": "PVE-2021-25679", "id": "pyup.io-25679", "more_info_path": "/vulnerabilities/PVE-2021-25679/25679", "specs": [ "<1.0.2" ], "v": "<1.0.2" }, { "advisory": "Cryptography 1.5.3 includes a fix for CVE-2016-9243: HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.\r\nhttps://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874", "cve": "CVE-2016-9243", "id": "pyup.io-25680", "more_info_path": "/vulnerabilities/CVE-2016-9243/25680", "specs": [ "<1.5.3" ], "v": "<1.5.3" }, { "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", "cve": "CVE-2017-3735", "id": "pyup.io-50724", "more_info_path": "/vulnerabilities/CVE-2017-3735/50724", "specs": [ "<2.1.3" ], "v": "<2.1.3" }, { "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", "cve": "CVE-2017-3736", "id": "pyup.io-50725", "more_info_path": "/vulnerabilities/CVE-2017-3736/50725", "specs": [ "<2.1.3" ], "v": "<2.1.3" }, { "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. 
These keys were already wildly insecure and should not have been used in any application outside of testing.\r\nhttps://github.com/pyca/cryptography/pull/5592", "cve": "PVE-2021-39252", "id": "pyup.io-39252", "more_info_path": "/vulnerabilities/PVE-2021-39252/39252", "specs": [ "<3.3" ], "v": "<3.3" }, { "advisory": "Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.", "cve": "CVE-2020-36242", "id": "pyup.io-39606", "more_info_path": "/vulnerabilities/CVE-2020-36242/39606", "specs": [ "<3.3.2" ], "v": "<3.3.2" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2023-0401", "id": "pyup.io-53307", "more_info_path": "/vulnerabilities/CVE-2023-0401/53307", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2023-0217", "id": "pyup.io-53306", "more_info_path": "/vulnerabilities/CVE-2023-0217/53306", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl.\r\nhttps://github.com/pyca/cryptography/issues/7940", "cve": "CVE-2022-3996", "id": "pyup.io-53298", "more_info_path": "/vulnerabilities/CVE-2022-3996/53298", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2022-4203", "id": "pyup.io-53301", "more_info_path": "/vulnerabilities/CVE-2022-4203/53301", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to 
include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2023-0216", "id": "pyup.io-53302", "more_info_path": "/vulnerabilities/CVE-2023-0216/53302", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2022-4304", "id": "pyup.io-53303", "more_info_path": "/vulnerabilities/CVE-2022-4304/53303", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2023-0286", "id": "pyup.io-53304", "more_info_path": "/vulnerabilities/CVE-2023-0286/53304", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2022-4450", "id": "pyup.io-53299", "more_info_path": "/vulnerabilities/CVE-2022-4450/53299", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", "cve": "CVE-2023-0215", "id": "pyup.io-53305", "more_info_path": "/vulnerabilities/CVE-2023-0215/53305", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { "advisory": "Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix.\r\nhttps://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22", "cve": "CVE-2023-2650", "id": "pyup.io-59062", "more_info_path": "/vulnerabilities/CVE-2023-2650/59062", "specs": [ "<41.0.0" ], "v": "<41.0.0" }, { "advisory": "The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.", "cve": "CVE-2023-38325", "id": "pyup.io-59473", "more_info_path": 
"/vulnerabilities/CVE-2023-38325/59473", "specs": [ "<41.0.2" ], "v": "<41.0.2" }, { "advisory": "Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix.\r\nhttps://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512", "cve": "CVE-2023-4807", "id": "pyup.io-62451", "more_info_path": "/vulnerabilities/CVE-2023-4807/62451", "specs": [ "<41.0.4" ], "v": "<41.0.4" }, { "advisory": "Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix.", "cve": "CVE-2023-5363", "id": "pyup.io-62452", "more_info_path": "/vulnerabilities/CVE-2023-5363/62452", "specs": [ "<41.0.5" ], "v": "<41.0.5" }, { "advisory": "Affected versions of Cryptography may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", "cve": "CVE-2023-50782", "id": "pyup.io-65278", "more_info_path": "/vulnerabilities/CVE-2023-50782/65278", "specs": [ "<42.0.0" ], "v": "<42.0.0" }, { "advisory": "Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters.", "cve": "CVE-2023-5678", "id": "pyup.io-65510", "more_info_path": "/vulnerabilities/CVE-2023-5678/65510", "specs": [ "<42.0.0" ], "v": "<42.0.0" }, { "advisory": "The cryptography library has updated its OpenSSL dependency in CI due to security concerns. This vulnerability arises when processing maliciously formatted PKCS12 files, which can cause OpenSSL to crash, leading to a potential Denial of Service (DoS) attack. PKCS12 files, often containing certificates and keys, may come from untrusted sources. 
The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly handle these cases, resulting in a NULL pointer dereference and subsequent crash. Applications using OpenSSL APIs, such as PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes(), and PKCS12_newpass(), are vulnerable if they process PKCS12 files from untrusted sources. Although a similar issue in SMIME_write_PKCS7() was fixed, it is not considered significant for security as it pertains to data writing. This issue does not affect the FIPS modules in versions 3.2, 3.1, and 3.0.", "cve": "CVE-2024-0727", "id": "pyup.io-71680", "more_info_path": "/vulnerabilities/CVE-2024-0727/71680", "specs": [ "<42.0.2" ], "v": "<42.0.2" }, { "advisory": "Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks.\r\nhttps://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f", "cve": "PVE-2024-65647", "id": "pyup.io-65647", "more_info_path": "/vulnerabilities/PVE-2024-65647/65647", "specs": [ "<42.0.5" ], "v": "<42.0.5" }, { "advisory": "The `cryptography` library has updated its BoringSSL and OpenSSL dependencies in CI due to a security concern. Specifically, the issue involves the functions `EVP_PKEY_param_check()` and `EVP_PKEY_public_check()`, which are used to check DSA public keys or parameters. These functions can experience significant delays when processing excessively long DSA keys or parameters, potentially leading to a Denial of Service (DoS) if the input is from an untrusted source. The vulnerability arises because the key and parameter check functions do not limit the modulus size during checks, despite OpenSSL not allowing public keys with a modulus over 10,000 bits for signature verification. 
This issue affects applications that directly call these functions and the OpenSSL `pkey` and `pkeyparam` command-line applications with the `-check` option. The OpenSSL SSL/TLS implementation is not impacted, but the OpenSSL 3.0 and 3.1 FIPS providers are affected by this vulnerability.", "cve": "CVE-2024-4603", "id": "pyup.io-71681", "more_info_path": "/vulnerabilities/CVE-2024-4603/71681", "specs": [ "<42.0.8" ], "v": "<42.0.8" }, { "advisory": "Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.", "cve": "CVE-2020-25659", "id": "pyup.io-38932", "more_info_path": "/vulnerabilities/CVE-2020-25659/38932", "specs": [ "<=3.2" ], "v": "<=3.2" }, { "advisory": "Cryptography before 1.1 is susceptible to TLS truncation attacks. This vulnerability allows an attacker to prevent the complete retrieval of a message by injecting a TCP termination code into the communication, falsely indicating the message has ended.\r\nhttps://github.com/pyca/cryptography/commit/41aabcbd2326ae154a16a1a050ee01fb9a54bd19", "cve": "PVE-2024-99809", "id": "pyup.io-65984", "more_info_path": "/vulnerabilities/PVE-2024-99809/65984", "specs": [ ">=0,<1.1" ], "v": ">=0,<1.1" }, { "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d\r\nhttps://www.openssl.org/news/secadv/20230731.txt", "cve": "CVE-2023-3817", "id": "pyup.io-60223", "more_info_path": "/vulnerabilities/CVE-2023-3817/60223", "specs": [ ">=0.8,<41.0.3" ], "v": ">=0.8,<41.0.3" }, { "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data 
entries.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230714.txt", "cve": "CVE-2023-2975", "id": "pyup.io-60224", "more_info_path": "/vulnerabilities/CVE-2023-2975/60224", "specs": [ ">=0.8,<41.0.3" ], "v": ">=0.8,<41.0.3" }, { "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230719.txt", "cve": "CVE-2023-3446", "id": "pyup.io-60225", "more_info_path": "/vulnerabilities/CVE-2023-3446/60225", "specs": [ ">=0.8,<41.0.3" ], "v": ">=0.8,<41.0.3" }, { "advisory": "Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8.", "cve": "CVE-2023-23931", "id": "pyup.io-53048", "more_info_path": "/vulnerabilities/CVE-2023-23931/53048", "specs": [ ">=1.8,<39.0.1" ], "v": ">=1.8,<39.0.1" }, { "advisory": "A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. 
See: CVE-2018-10903.", "cve": "CVE-2018-10903", "id": "pyup.io-36351", "more_info_path": "/vulnerabilities/CVE-2018-10903/36351", "specs": [ ">=1.9.0,<2.3" ], "v": ">=1.9.0,<2.3" }, { "advisory": "Affected versions of Cryptography are vulnerable to NULL-dereference when loading PKCS7 certificates. Calling 'load_pem_pkcs7_certificates' or 'load_der_pkcs7_certificates' could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.", "cve": "CVE-2023-49083", "id": "pyup.io-62556", "more_info_path": "/vulnerabilities/CVE-2023-49083/62556", "specs": [ ">=3.1,<41.0.6" ], "v": ">=3.1,<41.0.6" }, { "advisory": "Checking excessively long invalid RSA public keys may take a long time. Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source, this may lead to a Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions, however it is called from the OpenSSL pkey command line application. For that reason, that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue. 
The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "cve": "CVE-2023-6237", "id": "pyup.io-66777", "more_info_path": "/vulnerabilities/CVE-2023-6237/66777", "specs": [ ">=35.0.0,<42.0.2" ], "v": ">=35.0.0,<42.0.2" }, { "advisory": "Versions of Cryptography starting from 35.0.0 are susceptible to a security flaw in the POLY1305 MAC algorithm on PowerPC CPUs, which allows an attacker to disrupt the application's state. This disruption might result in false calculations or cause a denial of service. The vulnerability's exploitation hinges on the attacker's ability to alter the algorithm's application and the dependency of the software on non-volatile XMM registers.\r\nhttps://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", "cve": "CVE-2023-6129", "id": "pyup.io-65212", "more_info_path": "/vulnerabilities/CVE-2023-6129/65212", "specs": [ ">=35.0.0,<42.0.2" ], "v": ">=35.0.0,<42.0.2" }, { "advisory": "The `cryptography` library updates its BoringSSL and OpenSSL dependencies in CI due to a security concern. Specifically, certain non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, leading to a potential Denial of Service (DoS) attack. The issue arises when the `SSL_OP_NO_TICKET` option is used without early data support and default anti-replay protection. Under these conditions, the session cache can become misconfigured, preventing it from flushing properly and causing it to grow indefinitely. A malicious client can exploit this scenario to trigger a DoS attack, although it can also occur accidentally during normal operations. This vulnerability affects only TLS servers supporting TLSv1.3 and does not impact TLS clients. 
Additionally, the FIPS modules in versions 3.2, 3.1, and 3.0, as well as OpenSSL 1.0.2, are not affected by this issue.", "cve": "CVE-2024-2511", "id": "pyup.io-71684", "more_info_path": "/vulnerabilities/CVE-2024-2511/71684", "specs": [ ">=35.0.0,<42.0.6" ], "v": ">=35.0.0,<42.0.6" }, { "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", "cve": "CVE-2022-3602", "id": "pyup.io-52174", "more_info_path": "/vulnerabilities/CVE-2022-3602/52174", "specs": [ ">=37.0.0,<38.0.3" ], "v": ">=37.0.0,<38.0.3" }, { "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", "cve": "CVE-2022-3786", "id": "pyup.io-52173", "more_info_path": "/vulnerabilities/CVE-2022-3786/52173", "specs": [ ">=37.0.0,<38.0.3" ], "v": ">=37.0.0,<38.0.3" }, { "advisory": "Affected versions of Cryptography have a vulnerable statically linked copy of OpenSSL included in cryptography wheels.", "cve": "PVE-2024-73711", "id": "pyup.io-73711", "more_info_path": "/vulnerabilities/PVE-2024-73711/73711", "specs": [ ">=37.0.0,<43.0.1" ], "v": ">=37.0.0,<43.0.1" }, { "advisory": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and before version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. 
This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.", "cve": "CVE-2024-26130", "id": "pyup.io-66704", "more_info_path": "/vulnerabilities/CVE-2024-26130/66704", "specs": [ ">=38.0.0,<42.0.4" ], "v": ">=38.0.0,<42.0.4" } ], "cryptograpyh": [ { "advisory": "Cryptograpyh is a malicious package. It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51738", "id": "pyup.io-51738", "more_info_path": "/vulnerabilities/PVE-2022-51738/51738", "specs": [ ">0" ], "v": ">0" } ], "crystal-web": [ { "advisory": "Crystal-web fixes a race condition that occurs when closing a project. This issue could cause a use-after-free of wxPython objects, leading to memory corruption and potentially crashing Crystal later. The fix ensures proper handling of project closure to prevent these issues and enhance the application's stability.", "cve": "PVE-2024-71737", "id": "pyup.io-71737", "more_info_path": "/vulnerabilities/PVE-2024-71737/71737", "specs": [ "<1.9.0b" ], "v": "<1.9.0b" } ], "crytic-compile": [ { "advisory": "Crytic-compile 0.3.2 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/crytic/crytic-compile/pull/425", "cve": "PVE-2023-59180", "id": "pyup.io-59180", "more_info_path": "/vulnerabilities/PVE-2023-59180/59180", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "cslbot": [ { "advisory": "Cslbot 0.18 fixes a possible path traversal vulnerability if logs were generated for a channel name such as foo../../../bar.\r\nhttps://github.com/tjcsl/cslbot/commit/408be8bca294e2949cc4e39c549081044904f34a", "cve": "PVE-2021-34354", "id": "pyup.io-34354", "more_info_path": "/vulnerabilities/PVE-2021-34354/34354", "specs": [ "<0.18" ], "v": "<0.18" } ], "cssutils": [ { "advisory": "Cssutils 0.9.6a2 uses only the import rules' href and not the absolute href of the referenced sheets for comments added by 'cssutils.resolveImports'. 
Prior behavior may have been a security hole when showing a full local path to a sheet in a combined but not minified sheet.", "cve": "PVE-2021-25684", "id": "pyup.io-25684", "more_info_path": "/vulnerabilities/PVE-2021-25684/25684", "specs": [ "<0.9.6a2" ], "v": "<0.9.6a2" } ], "cstar": [ { "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). See: .", "cve": "PVE-2021-39224", "id": "pyup.io-39224", "more_info_path": "/vulnerabilities/PVE-2021-39224/39224", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "csv-parakeet": [ { "advisory": "Csv-parakeet 1.0.1 updates its dependency 'requests' to v2.31.0 to include a security fix.", "cve": "PVE-2023-58772", "id": "pyup.io-58772", "more_info_path": "/vulnerabilities/PVE-2023-58772/58772", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "ctx": [ { "advisory": "Ctx has been hijacked and replaced with malicious code that sends all your environment variables to a URL.\r\nhttps://www.reddit.com/r/Python/comments/uwhzkj/i_think_the_ctx_package_on_pypi_has_been_hacked\r\nhttps://github.com/advisories/GHSA-4g82-3jcr-q52w", "cve": "PVE-2022-48996", "id": "pyup.io-48996", "more_info_path": "/vulnerabilities/PVE-2022-48996/48996", "specs": [ ">0" ], "v": ">0" } ], "cumulusci": [ { "advisory": "Cumulusci 3.67.0 uses 'defusedxml' to prevent XXE vulnerabilities.\r\nhttps://github.com/SFDO-Tooling/CumulusCI/pull/3375", "cve": "PVE-2022-52125", "id": "pyup.io-52125", "more_info_path": "/vulnerabilities/PVE-2022-52125/52125", "specs": [ "<3.67.0" ], "v": "<3.67.0" }, { "advisory": "Cumulusci 3.68.0 fixes an injection vulnerability related to unquoted CSV writers.\r\nhttps://github.com/SFDO-Tooling/CumulusCI/pull/3404", "cve": "PVE-2022-51629", "id": "pyup.io-51629", "more_info_path": "/vulnerabilities/PVE-2022-51629/51629", "specs": [ "<3.68.0" ], "v": "<3.68.0" } ], "cupy": [ { "advisory": "Cupy 12.3.0 fixes a race condition in the function csr2dense. 
It occurred during the conversion of Compressed Sparse Row (CSR) matrices to dense matrices in multithreaded environments.\r\nhttps://github.com/cupy/cupy/pull/7724/commits/734dc0e1a3e9af928f622b80f16148f8c47393ea", "cve": "PVE-2024-64284", "id": "pyup.io-64284", "more_info_path": "/vulnerabilities/PVE-2024-64284/64284", "specs": [ "<12.3.0" ], "v": "<12.3.0" }, { "advisory": "Cupy 2.0 addresses a race condition in the cupyx.scipy.sparse.csr_matrix function when handling boolean data types. The problem arose from the function's incorrect handling of duplicate entries in non-canonical data, leading to inconsistent behavior compared to scipy.sparse.csr_matrix. The fix involved implementing atomic operations in the kernel where the bug was located, ensuring thread safety during read-modify-write operations.\r\nhttps://github.com/cupy/cupy/pull/7724/commits/734dc0e1a3e9af928f622b80f16148f8c47393ea", "cve": "PVE-2024-64283", "id": "pyup.io-64283", "more_info_path": "/vulnerabilities/PVE-2024-64283/64283", "specs": [ "<2.0" ], "v": "<2.0" }, { "advisory": "`cupy.load` in cupy 7.0.0b2 specifies `allow_pickle=False` by default to follow the security fix made in NumPy 1.16.3 (see https://github.com/numpy/numpy/pull/13359 and https://github.com/cupy/cupy/pull/2290). 
Most users should not be affected by this change; users loading `ndarray` serialized using pickle may need to explicitly specify `allow_pickle=True`.", "cve": "PVE-2021-37395", "id": "pyup.io-37395", "more_info_path": "/vulnerabilities/PVE-2021-37395/37395", "specs": [ "<7.0.0b2" ], "v": "<7.0.0b2" }, { "advisory": "Cupy 12.0.0b3 and 11.5.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/cupy/cupy/pull/7259\r\nhttps://github.com/cupy/cupy/pull/7266", "cve": "PVE-2023-60262", "id": "pyup.io-60262", "more_info_path": "/vulnerabilities/PVE-2023-60262/60262", "specs": [ ">=11.0.0a1,<11.5.0", ">=12.0.0a1,<12.0.0b3" ], "v": ">=11.0.0a1,<11.5.0,>=12.0.0a1,<12.0.0b3" } ], "curl-cffi": [ { "advisory": "Curl-cffi 0.5.10b4 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.", "cve": "CVE-2023-38545", "id": "pyup.io-61772", "more_info_path": "/vulnerabilities/CVE-2023-38545/61772", "specs": [ "<=0.5.10b4" ], "v": "<=0.5.10b4" } ], "curlapi": [ { "advisory": "Curlapi is a malicious package. 
It triggers the install of W4SP Stealer in your system.", "cve": "PVE-2022-51697", "id": "pyup.io-51697", "more_info_path": "/vulnerabilities/PVE-2022-51697/51697", "specs": [ ">0" ], "v": ">0" } ], "curses-menu": [ { "advisory": "Curses-menu 0.6.8 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", "cve": "CVE-2022-23491", "id": "pyup.io-52590", "more_info_path": "/vulnerabilities/CVE-2022-23491/52590", "specs": [ "<0.6.8" ], "v": "<0.6.8" } ], "curved": [ { "advisory": "Curved 0.1.2 updates its Rust dependency 'crossbeam-utils' to v0.8.11 to include a security fix.", "cve": "CVE-2022-23639", "id": "pyup.io-50811", "more_info_path": "/vulnerabilities/CVE-2022-23639/50811", "specs": [ "<0.1.2" ], "v": "<0.1.2" }, { "advisory": "Curved 0.1.2 updates its Rust dependency 'regex' to v1.6.0 to include a security fix.", "cve": "CVE-2022-24713", "id": "pyup.io-50812", "more_info_path": "/vulnerabilities/CVE-2022-24713/50812", "specs": [ "<0.1.2" ], "v": "<0.1.2" } ], "custom-e-celery": [ { "advisory": "Custom-e-celery 4.0.2 (fork of Celery) is affected by CVE-2021-23727.", "cve": "CVE-2021-23727", "id": "pyup.io-47074", "more_info_path": "/vulnerabilities/CVE-2021-23727/47074", "specs": [ "==4.0.2" ], "v": "==4.0.2" } ], "cutty": [ { "advisory": "Cutty 0.14.0 updates its dependency 'babel' to v2.9.1 to include a security fix.", "cve": "CVE-2021-42771", "id": "pyup.io-42219", "more_info_path": "/vulnerabilities/CVE-2021-42771/42219", "specs": [ "<0.14.0" ], "v": "<0.14.0" } ], "cvat-cli": [ { "advisory": "CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. 
There are no known workarounds for this issue.", "cve": "CVE-2022-31188", "id": "pyup.io-70772", "more_info_path": "/vulnerabilities/CVE-2022-31188/70772", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "cvat-sdk": [ { "advisory": "CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.", "cve": "CVE-2022-31188", "id": "pyup.io-70773", "more_info_path": "/vulnerabilities/CVE-2022-31188/70773", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "cve-bin-tool": [ { "advisory": "Cve-bin-tool version 3.3rc3 updates its Pillow dependency to version 10.0.1 from 9.5.0 to address the security vulnerability outlined in CVE-2023-44271.", "cve": "CVE-2023-44271", "id": "pyup.io-67593", "more_info_path": "/vulnerabilities/CVE-2023-44271/67593", "specs": [ "<3.3rc3" ], "v": "<3.3rc3" }, { "advisory": "Cve-bin-tool version 3.3rc3 updates its Pillow dependency to version 10.0.1 from 9.5.0 to address the security vulnerability outlined in CVE-2023-4863.", "cve": "CVE-2023-4863", "id": "pyup.io-67586", "more_info_path": "/vulnerabilities/CVE-2023-4863/67586", "specs": [ "<3.3rc3" ], "v": "<3.3rc3" } ], "cve-py": [ { "advisory": "Cve-py 1.2.1 includes a fix for a XXE vulnerability.\r\nhttps://github.com/Pavel-Sushko/cve-py/pull/13", "cve": "PVE-2023-58811", "id": "pyup.io-58811", "more_info_path": "/vulnerabilities/PVE-2023-58811/58811", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "cvrf2csaf": [ { "advisory": "CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. 
An attacker can exploit this to disclose information from the system running the converter.", "cve": "CVE-2022-27193", "id": "pyup.io-54282", "more_info_path": "/vulnerabilities/CVE-2022-27193/54282", "specs": [ ">=0,<1.0.0rc2" ], "v": ">=0,<1.0.0rc2" } ], "cvxopt": [ { "advisory": "Incomplete string comparison vulnerability exists in cvxopt.org cvxopt <= 1.2.6 in APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve, cvxopt.cholmod.spsolve), which allows attackers to conduct Denial of Service attacks by constructing fake Capsule objects.", "cve": "CVE-2021-41500", "id": "pyup.io-54293", "more_info_path": "/vulnerabilities/CVE-2021-41500/54293", "specs": [ ">=0,<1.2.7" ], "v": ">=0,<1.2.7" } ], "cwltool": [ { "advisory": "Cwltool 3.1.20230906142556 includes a fix for a race condition.\r\nhttps://github.com/common-workflow-language/cwltool/pull/1890", "cve": "PVE-2023-61006", "id": "pyup.io-61006", "more_info_path": "/vulnerabilities/PVE-2023-61006/61006", "specs": [ "<3.1.20230906142556" ], "v": "<3.1.20230906142556" } ], "cycode": [ { "advisory": "Cycode 0.2.0 updates its dependency 'gitpython' to v3.1.30 to include a security fix.", "cve": "CVE-2022-24439", "id": "pyup.io-53553", "more_info_path": "/vulnerabilities/CVE-2022-24439/53553", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { "advisory": "Cycode 0.2.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", "cve": "CVE-2022-40897", "id": "pyup.io-53554", "more_info_path": "/vulnerabilities/CVE-2022-40897/53554", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "cylc-uiserver": [ { "advisory": "The Cylc-UIServer version 1.4.0 has implemented an upgrade to its dependency, Jupyter-Server, in response to the identification of vulnerability CVE-2023-39968.", "cve": "CVE-2023-39968", "id": "pyup.io-65034", "more_info_path": "/vulnerabilities/CVE-2023-39968/65034", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "cypress": [ { "advisory": "Cypress is a malicious package. 
It triggers the install of W4SP Stealer in your system.", "cve": "PVE-2022-51689", "id": "pyup.io-51689", "more_info_path": "/vulnerabilities/PVE-2022-51689/51689", "specs": [ ">0" ], "v": ">0" } ], "cytools": [ { "advisory": "Cytools 0.1.0 changes permissions of Docker image for better security.\r\nhttps://github.com/LiamMcAllisterGroup/cytools/commit/12262a4f43cb8e35a7265597a8757e96443d5631", "cve": "PVE-2022-51565", "id": "pyup.io-51565", "more_info_path": "/vulnerabilities/PVE-2022-51565/51565", "specs": [ "<0.1.0" ], "v": "<0.1.0" } ], "cyvcf2": [ { "advisory": "Cyvcf2 0.30.22 and prior releases ship with a version of 'libcurl' that has a high-severity vulnerability.", "cve": "CVE-2023-38545", "id": "pyup.io-61773", "more_info_path": "/vulnerabilities/CVE-2023-38545/61773", "specs": [ "<=0.30.22" ], "v": "<=0.30.22" } ], "d8s-algorithms": [ { "advisory": "D8s-algorithms 0.1.0 is vulnerable to CVE-2022-42040: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package.", "cve": "CVE-2022-42040", "id": "pyup.io-51413", "more_info_path": "/vulnerabilities/CVE-2022-42040/51413", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-archives": [ { "advisory": "D8s-archives 0.1.0 is vulnerable to CVE-2022-38881: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38881", "id": "pyup.io-51122", "more_info_path": "/vulnerabilities/CVE-2022-38881/51122", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-archives 0.1.0 is vulnerable to CVE-2022-41383: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-file-system package.", "cve": "CVE-2022-41383", "id": "pyup.io-51404", "more_info_path": "/vulnerabilities/CVE-2022-41383/51404", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-asns": [ { "advisory": "D8s-asns 0.1.0 is vulnerable to CVE-2022-40426: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package.", "cve": "CVE-2022-40426", "id": "pyup.io-51131", "more_info_path": "/vulnerabilities/CVE-2022-40426/51131", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-asns 0.1.0 is vulnerable to CVE-2022-42037: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package.", "cve": "CVE-2022-42037", "id": "pyup.io-51410", "more_info_path": "/vulnerabilities/CVE-2022-42037/51410", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-asns 0.1.0 is vulnerable to CVE-2022-42044: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package.", "cve": "CVE-2022-42044", "id": "pyup.io-51417", "more_info_path": "/vulnerabilities/CVE-2022-42044/51417", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-dates": [ { "advisory": "D8s-dates 0.1.0 is vulnerable to CVE-2022-40808: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40808", "id": "pyup.io-51141", "more_info_path": "/vulnerabilities/CVE-2022-40808/51141", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-dates 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-timezones package.", "cve": "CVE-2022-44052", "id": "pyup.io-51732", "more_info_path": "/vulnerabilities/CVE-2022-44052/51732", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-dicts": [ { "advisory": "D8s-dicts 0.1.0 is vulnerable to CVE-2022-40809: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40809", "id": "pyup.io-51142", "more_info_path": "/vulnerabilities/CVE-2022-40809/51142", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-domains": [ { "advisory": "D8s-domains 0.1.0 is vulnerable to CVE-2022-40427: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package.", "cve": "CVE-2022-40427", "id": "pyup.io-51132", "more_info_path": "/vulnerabilities/CVE-2022-40427/51132", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-domains 0.1.0 is vulnerable to CVE-2022-40807: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40807", "id": "pyup.io-51140", "more_info_path": "/vulnerabilities/CVE-2022-40807/51140", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-domains 0.1.0 is vulnerable to CVE-2022-41384: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-urls package.", "cve": "CVE-2022-41384", "id": "pyup.io-51405", "more_info_path": "/vulnerabilities/CVE-2022-41384/51405", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-file-system": [ { "advisory": "D8s-file-system 0.1.0 is vulnerable to CVE-2022-42041: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hashes package.", "cve": "CVE-2022-42041", "id": "pyup.io-51414", "more_info_path": "/vulnerabilities/CVE-2022-42041/51414", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-grammars": [ { "advisory": "D8s-grammars 0.1.0 is vulnerable to CVE-2022-38884: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38884", "id": "pyup.io-51125", "more_info_path": "/vulnerabilities/CVE-2022-38884/51125", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-html": [ { "advisory": "D8s-html 0.1.0 is vulnerable to CVE-2022-40425: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package.", "cve": "CVE-2022-40425", "id": "pyup.io-51130", "more_info_path": "/vulnerabilities/CVE-2022-40425/51130", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-html 0.1.0 is vulnerable to CVE-2022-41385: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package.", "cve": "CVE-2022-41385", "id": "pyup.io-51406", "more_info_path": "/vulnerabilities/CVE-2022-41385/51406", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-ip-addresses": [ { "advisory": "D8s-ip-addresses 0.1.0 is vulnerable to CVE-2022-40429: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-networking package.", "cve": "CVE-2022-40429", "id": "pyup.io-51134", "more_info_path": "/vulnerabilities/CVE-2022-40429/51134", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-ip-addresses 0.1.0 is vulnerable to CVE-2022-40810: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40810", "id": "pyup.io-51143", "more_info_path": "/vulnerabilities/CVE-2022-40810/51143", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-ip-addresses 0.1.0 is vulnerable to CVE-2022-42038: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package.", "cve": "CVE-2022-42038", "id": "pyup.io-51411", "more_info_path": "/vulnerabilities/CVE-2022-42038/51411", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-json": [ { "advisory": "D8s-json 0.1.0 is vulnerable to CVE-2022-38882: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38882", "id": "pyup.io-51123", "more_info_path": "/vulnerabilities/CVE-2022-38882/51123", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-json 0.1.0 is vulnerable to CVE-2022-41382: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package.", "cve": "CVE-2022-41382", "id": "pyup.io-51403", "more_info_path": "/vulnerabilities/CVE-2022-41382/51403", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-lists": [ { "advisory": "D8s-lists 0.1.0 is vulnerable to CVE-2022-42039: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-dicts package.", "cve": "CVE-2022-42039", "id": "pyup.io-51412", "more_info_path": "/vulnerabilities/CVE-2022-42039/51412", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-math": [ { "advisory": "D8s-math 0.1.0 is vulnerable to CVE-2022-38883: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38883", "id": "pyup.io-51124", "more_info_path": "/vulnerabilities/CVE-2022-38883/51124", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-mpeg": [ { "advisory": "D8s-mpeg 0.1.0 is vulnerable to CVE-2022-40428: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package.", "cve": "CVE-2022-40428", "id": "pyup.io-51133", "more_info_path": "/vulnerabilities/CVE-2022-40428/51133", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-netstrings": [ { "advisory": "D8s-netstrings 0.1.0 is vulnerable to CVE-2022-38885: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38885", "id": "pyup.io-51126", "more_info_path": "/vulnerabilities/CVE-2022-38885/51126", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-networking": [ { "advisory": "D8s-networking 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-json package.", "cve": "CVE-2022-44050", "id": "pyup.io-51730", "more_info_path": "/vulnerabilities/CVE-2022-44050/51730", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-networking 0.1.0 is vulnerable to CVE-2022-42042: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-hashes package.", "cve": "CVE-2022-42042", "id": "pyup.io-51415", "more_info_path": "/vulnerabilities/CVE-2022-42042/51415", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-networking 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-user-agents package.", "cve": "CVE-2022-44053", "id": "pyup.io-51733", "more_info_path": "/vulnerabilities/CVE-2022-44053/51733", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-pdfs": [ { "advisory": "D8s-pdfs 0.1.0 is vulnerable to CVE-2022-40431: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package.", "cve": "CVE-2022-40431", "id": "pyup.io-51136", "more_info_path": "/vulnerabilities/CVE-2022-40431/51136", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-pdfs 0.1.0 is vulnerable to CVE-2022-40812: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package.", "cve": "CVE-2022-40812", "id": "pyup.io-51145", "more_info_path": "/vulnerabilities/CVE-2022-40812/51145", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-pdfs 0.1.0 is vulnerable to CVE-2022-41387: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package.", "cve": "CVE-2022-41387", "id": "pyup.io-51408", "more_info_path": "/vulnerabilities/CVE-2022-41387/51408", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-python": [ { "advisory": "D8s-python 0.1.0 is vulnerable to CVE-2022-38887: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-strings package.", "cve": "CVE-2022-38887", "id": "pyup.io-51128", "more_info_path": "/vulnerabilities/CVE-2022-38887/51128", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-python 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-algorithms package.", "cve": "CVE-2022-43305", "id": "pyup.io-51726", "more_info_path": "/vulnerabilities/CVE-2022-43305/51726", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-python 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-grammars package.", "cve": "CVE-2022-44049", "id": "pyup.io-51729", "more_info_path": "/vulnerabilities/CVE-2022-44049/51729", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-stats": [ { "advisory": "D8s-stats 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-math package.", "cve": "CVE-2022-44051", "id": "pyup.io-51731", "more_info_path": "/vulnerabilities/CVE-2022-44051/51731", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-strings": [ { "advisory": "D8s-strings 0.1.0 is vulnerable to CVE-2022-40432: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40432", "id": "pyup.io-51137", "more_info_path": "/vulnerabilities/CVE-2022-40432/51137", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-strings 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-uuids package.", "cve": "CVE-2022-43303", "id": "pyup.io-51724", "more_info_path": "/vulnerabilities/CVE-2022-43303/51724", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-timer": [ { "advisory": "D8s-timer 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-uuids package.", "cve": "CVE-2022-43304", "id": "pyup.io-51725", "more_info_path": "/vulnerabilities/CVE-2022-43304/51725", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-timer 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-dates package.", "cve": "CVE-2022-43306", "id": "pyup.io-51727", "more_info_path": "/vulnerabilities/CVE-2022-43306/51727", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-urls": [ { "advisory": "D8s-urls 0.1.0 is vulnerable to CVE-2022-40811: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package.", "cve": "CVE-2022-40811", "id": "pyup.io-51144", "more_info_path": "/vulnerabilities/CVE-2022-40811/51144", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-urls 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-domains package.", "cve": "CVE-2022-44048", "id": "pyup.io-51728", "more_info_path": "/vulnerabilities/CVE-2022-44048/51728", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-urls 0.1.0 is vulnerable to CVE-2022-40424: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-networking package.", "cve": "CVE-2022-40424", "id": "pyup.io-51129", "more_info_path": "/vulnerabilities/CVE-2022-40424/51129", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-urls 0.1.0 is vulnerable to CVE-2022-38880: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38880", "id": "pyup.io-51121", "more_info_path": "/vulnerabilities/CVE-2022-38880/51121", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-urls 0.1.0 is vulnerable to CVE-2022-40805: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40805", "id": "pyup.io-51138", "more_info_path": "/vulnerabilities/CVE-2022-40805/51138", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-urls 0.1.0 is vulnerable to CVE-2022-42036: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package.", "cve": "CVE-2022-42036", "id": "pyup.io-51409", "more_info_path": "/vulnerabilities/CVE-2022-42036/51409", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-utility": [ { "advisory": "D8s-utility 0.1.0 is vulnerable to CVE-2022-41386: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package.", "cve": "CVE-2022-41386", "id": "pyup.io-51407", "more_info_path": "/vulnerabilities/CVE-2022-41386/51407", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-utility 0.1.0 is vulnerable to CVE-2022-40430: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-networking package.", "cve": "CVE-2022-40430", "id": "pyup.io-51135", "more_info_path": "/vulnerabilities/CVE-2022-40430/51135", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-utility 0.1.0 is vulnerable to CVE-2022-41381: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package.", "cve": "CVE-2022-41381", "id": "pyup.io-51402", "more_info_path": "/vulnerabilities/CVE-2022-41381/51402", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-uuids": [ { "advisory": "D8s-uuids 0.1.0 is vulnerable to CVE-2022-40806: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package.", "cve": "CVE-2022-40806", "id": "pyup.io-51139", "more_info_path": "/vulnerabilities/CVE-2022-40806/51139", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-xml": [ { "advisory": "D8s-xml 0.1.0 is vulnerable to CVE-2022-38886: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package.", "cve": "CVE-2022-38886", "id": "pyup.io-51127", "more_info_path": "/vulnerabilities/CVE-2022-38886/51127", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-xml 0.1.0 is vulnerable to CVE-2022-42043: It included a potential code-execution backdoor inserted by a third party. 
The backdoor is the democritus-html package.", "cve": "CVE-2022-42043", "id": "pyup.io-51416", "more_info_path": "/vulnerabilities/CVE-2022-42043/51416", "specs": [ "==0.1.0" ], "v": "==0.1.0" }, { "advisory": "D8s-xml 0.1.0 includes a potential code-execution backdoor inserted by a third party: the democritus-utility package.", "cve": "CVE-2022-44054", "id": "pyup.io-51734", "more_info_path": "/vulnerabilities/CVE-2022-44054/51734", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "d8s-yaml": [ { "advisory": "D8s-yaml 0.1.0 is vulnerable to CVE-2022-41380: It included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package.", "cve": "CVE-2022-41380", "id": "pyup.io-51401", "more_info_path": "/vulnerabilities/CVE-2022-41380/51401", "specs": [ "==0.1.0" ], "v": "==0.1.0" } ], "dact": [ { "advisory": "Dact 1.1.1 includes a few security patches.", "cve": "PVE-2021-39403", "id": "pyup.io-39403", "more_info_path": "/vulnerabilities/PVE-2021-39403/39403", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "dagster": [ { "advisory": "Dagster 0.14.15 defaults to use more security headers that prevent XSS, sniffing and other attack vectors.\r\nhttps://github.com/dagster-io/dagster/pull/7764", "cve": "PVE-2022-48543", "id": "pyup.io-48543", "more_info_path": "/vulnerabilities/PVE-2022-48543/48543", "specs": [ "<0.14.15" ], "v": "<0.14.15" }, { "advisory": "Dagster 0.14.8 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/dagster-io/dagster/pull/7192", "cve": "PVE-2023-59761", "id": "pyup.io-59761", "more_info_path": "/vulnerabilities/PVE-2023-59761/59761", "specs": [ "<0.14.8" ], "v": "<0.14.8" }, { "advisory": "Dagster 0.15.5 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/dagster-io/dagster/pull/8729\r\nhttps://github.com/dagster-io/dagster/pull/8720", "cve": "PVE-2023-59759", "id": "pyup.io-59759", "more_info_path": "/vulnerabilities/PVE-2023-59759/59759", "specs": [ "<0.15.5" ], 
"v": "<0.15.5" }, { "advisory": "Dagster 1.0.17 treats SSH keys as secrets to avoid printing them to the console or logs.\r\nhttps://github.com/dagster-io/dagster/commit/649ea0e7bec95788debb60df7da9bf14b7257ec6", "cve": "PVE-2022-51815", "id": "pyup.io-51815", "more_info_path": "/vulnerabilities/PVE-2022-51815/51815", "specs": [ "<1.0.17" ], "v": "<1.0.17" }, { "advisory": "Dagster 1.1.10 addresses a race condition where Dagster Daemon and Dagit were concurrently attempting to create the same directory. This update resolves the issue by handling the 'FileExistsError', ensuring robust directory creation even in simultaneous operation scenarios.\r\nhttps://github.com/dagster-io/dagster/pull/11652/commits/5829ecbf3ee776990b90435f01a28aae91df2e9b", "cve": "PVE-2024-63916", "id": "pyup.io-63916", "more_info_path": "/vulnerabilities/PVE-2024-63916/63916", "specs": [ "<1.1.10" ], "v": "<1.1.10" } ], "dagster-cloud": [ { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-0778", "id": "pyup.io-52165", "more_info_path": "/vulnerabilities/CVE-2022-0778/52165", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-46828", "id": "pyup.io-52164", "more_info_path": "/vulnerabilities/CVE-2021-46828/52164", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-1664", "id": "pyup.io-52146", "more_info_path": "/vulnerabilities/CVE-2022-1664/52146", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2018-25032", "id": 
"pyup.io-52166", "more_info_path": "/vulnerabilities/CVE-2018-25032/52166", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-2509", "id": "pyup.io-52163", "more_info_path": "/vulnerabilities/CVE-2022-2509/52163", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-34903", "id": "pyup.io-52167", "more_info_path": "/vulnerabilities/CVE-2022-34903/52167", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-33574", "id": "pyup.io-52153", "more_info_path": "/vulnerabilities/CVE-2021-33574/52153", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-3999", "id": "pyup.io-52160", "more_info_path": "/vulnerabilities/CVE-2021-3999/52160", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-1587", "id": "pyup.io-52157", "more_info_path": "/vulnerabilities/CVE-2022-1587/52157", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-3997", "id": "pyup.io-52170", "more_info_path": "/vulnerabilities/CVE-2021-3997/52170", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 
'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-37434", "id": "pyup.io-52156", "more_info_path": "/vulnerabilities/CVE-2022-37434/52156", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-1292", "id": "pyup.io-52154", "more_info_path": "/vulnerabilities/CVE-2022-1292/52154", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-1586", "id": "pyup.io-52158", "more_info_path": "/vulnerabilities/CVE-2022-1586/52158", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-1271", "id": "pyup.io-52159", "more_info_path": "/vulnerabilities/CVE-2022-1271/52159", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-23219", "id": "pyup.io-52151", "more_info_path": "/vulnerabilities/CVE-2022-23219/52151", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-40674", "id": "pyup.io-52150", "more_info_path": "/vulnerabilities/CVE-2022-40674/52150", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-23218", "id": "pyup.io-52152", "more_info_path": "/vulnerabilities/CVE-2022-23218/52152", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": 
"Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2022-2068", "id": "pyup.io-52155", "more_info_path": "/vulnerabilities/CVE-2022-2068/52155", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-4160", "id": "pyup.io-52169", "more_info_path": "/vulnerabilities/CVE-2021-4160/52169", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", "cve": "CVE-2021-4209", "id": "pyup.io-52168", "more_info_path": "/vulnerabilities/CVE-2021-4209/52168", "specs": [ "<1.1.4" ], "v": "<1.1.4" } ], "dajngo": [ { "advisory": "Dajngo is a typosquatting package. It exhibits malicious behavior; for example, it may leak your sensitive data and/or gain unauthorized persistence on your system.\r\nhttps://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/", "cve": "PVE-2022-45422", "id": "pyup.io-45422", "more_info_path": "/vulnerabilities/PVE-2022-45422/45422", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "daphne": [ { "advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.", "cve": "CVE-2020-10108", "id": "pyup.io-51379", "more_info_path": "/vulnerabilities/CVE-2020-10108/51379", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.", "cve": "CVE-2022-21712", "id": "pyup.io-51377", "more_info_path": "/vulnerabilities/CVE-2022-21712/51377", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.", "cve": "CVE-2022-24801", "id": 
"pyup.io-51374", "more_info_path": "/vulnerabilities/CVE-2022-24801/51374", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.", "cve": "CVE-2020-10109", "id": "pyup.io-51378", "more_info_path": "/vulnerabilities/CVE-2020-10109/51378", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2020-10109", "id": "pyup.io-50816", "more_info_path": "/vulnerabilities/CVE-2020-10109/50816", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2020-10108", "id": "pyup.io-50815", "more_info_path": "/vulnerabilities/CVE-2020-10108/50815", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2019-12387", "id": "pyup.io-50818", "more_info_path": "/vulnerabilities/CVE-2019-12387/50818", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2019-12855", "id": "pyup.io-50817", "more_info_path": "/vulnerabilities/CVE-2019-12855/50817", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2022-21712", "id": "pyup.io-50814", "more_info_path": "/vulnerabilities/CVE-2022-21712/50814", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" }, { "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.", "cve": "CVE-2022-24801", "id": "pyup.io-50768", "more_info_path": "/vulnerabilities/CVE-2022-24801/50768", "specs": [ "<4.0.0b1" ], "v": "<4.0.0b1" } ], 
"dapla-toolbelt-pseudo": [ { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2023-0286", "id": "pyup.io-53733", "more_info_path": "/vulnerabilities/CVE-2023-0286/53733", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2022-4203", "id": "pyup.io-53736", "more_info_path": "/vulnerabilities/CVE-2022-4203/53736", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2023-0401", "id": "pyup.io-53714", "more_info_path": "/vulnerabilities/CVE-2023-0401/53714", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2023-0215", "id": "pyup.io-53731", "more_info_path": "/vulnerabilities/CVE-2023-0215/53731", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2022-4304", "id": "pyup.io-53734", "more_info_path": "/vulnerabilities/CVE-2022-4304/53734", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2023-0217", "id": "pyup.io-53732", "more_info_path": "/vulnerabilities/CVE-2023-0217/53732", "specs": [ "<0.2.1" ], "v": "<0.2.1" }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", "cve": "CVE-2022-4450", "id": "pyup.io-53735", "more_info_path": "/vulnerabilities/CVE-2022-4450/53735", "specs": [ "<0.2.1" ], "v": "<0.2.1" } ], "dark-matter": [ { "advisory": "Dark-matter 4.0.42 updates its dependency 'mysql-connector-python' to 
v8.0.19 to include a security fix.", "cve": "CVE-2019-2435", "id": "pyup.io-51160", "more_info_path": "/vulnerabilities/CVE-2019-2435/51160", "specs": [ "<4.0.42" ], "v": "<4.0.42" } ], "darwin-py": [ { "advisory": "Affected versions of darwin-py include workflows with overly broad permissions, which attackers could exploit to perform unauthorized actions. This poses a significant security risk, especially when strict access control is crucial.", "cve": "PVE-2024-72920", "id": "pyup.io-72920", "more_info_path": "/vulnerabilities/PVE-2024-72920/72920", "specs": [ "<1.0.7" ], "v": "<1.0.7" } ], "dash": [ { "advisory": "Dash 1.20.0 fixes a potential XSS vulnerability by starting to validate callback request fields.\r\nhttps://github.com/plotly/dash/pull/1546", "cve": "PVE-2021-40183", "id": "pyup.io-40183", "more_info_path": "/vulnerabilities/PVE-2021-40183/40183", "specs": [ "<1.20.0" ], "v": "<1.20.0" }, { "advisory": "Dash 1.21.0 updates its dependency 'Plotly.js' to v2.2.1 to include a security fix.", "cve": "PVE-2021-40962", "id": "pyup.io-40962", "more_info_path": "/vulnerabilities/PVE-2021-40962/40962", "specs": [ "<1.21.0" ], "v": "<1.21.0" }, { "advisory": "Earlier versions of Dash and its components are susceptible to an XSS vulnerability, specifically through the manipulation of the href attribute in a tags by an attacker. This flaw could potentially allow an authenticated attacker to access or manipulate user data and tokens, assuming the ability to store and present manipulated views to other users. The vulnerability notably requires the presence of user input storage mechanisms within Dash applications to be exploitable. Further details are covered under CVE-2024-21485.\r\n#Note: This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user. 
See CVE-2024-21485.", "cve": "CVE-2024-21485", "id": "pyup.io-65284", "more_info_path": "/vulnerabilities/CVE-2024-21485/65284", "specs": [ "<2.13.0", ">=2.14.0,<2.15.0" ], "v": "<2.13.0,>=2.14.0,<2.15.0" }, { "advisory": "Dash 2.15.0 validates the URL to prevent XSS attacks identified on the 'dash-core-components'. \r\nhttps://github.com/plotly/dash/pull/2732", "cve": "PVE-2024-64770", "id": "pyup.io-64770", "more_info_path": "/vulnerabilities/PVE-2024-64770/64770", "specs": [ "<2.15.0" ], "v": "<2.15.0" } ], "dash-ag-grid": [ { "advisory": "Dash-ag-grid 2.0.0 adds 'dangerously_allow_html' to grid props only provided at render, to prevent 'columnDefs' from showing unsafe html.\r\nhttps://github.com/plotly/dash-ag-grid/commit/b888d6ab4fcb4afac187492e8b6c9cf0d0f8842b", "cve": "PVE-2023-58907", "id": "pyup.io-58907", "more_info_path": "/vulnerabilities/PVE-2023-58907/58907", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "dash-bio": [ { "advisory": "Dash-bio 0.5.1 fixes an abandoned resource vulnerability with CircosJS fork.", "cve": "PVE-2021-39411", "id": "pyup.io-39411", "more_info_path": "/vulnerabilities/PVE-2021-39411/39411", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "dash-core-components": [ { "advisory": "Dash-core-components affected versions are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. 
\r\n#Note: This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.", "cve": "CVE-2024-21485", "id": "pyup.io-71638", "more_info_path": "/vulnerabilities/CVE-2024-21485/71638", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "dash-extensions": [ { "advisory": "Dash-extensions 0.1.1 updates its dependency 'jsbeautifier' to v1.14.3 to include a fix for a ReDoS vulnerability.", "cve": "PVE-2022-48568", "id": "pyup.io-48568", "more_info_path": "/vulnerabilities/PVE-2022-48568/48568", "specs": [ "<0.1.1" ], "v": "<0.1.1" }, { "advisory": "Dash-extensions 0.1.1 updates its NPM dependency 'mermaid' to v9.0.1 to include a security fix.", "cve": "CVE-2021-43861", "id": "pyup.io-48567", "more_info_path": "/vulnerabilities/CVE-2021-43861/48567", "specs": [ "<0.1.1" ], "v": "<0.1.1" }, { "advisory": "Dash-extensions 0.1.1 updates its NPM dependency 'minimist' to v1.2.6 to include a security fix.", "cve": "CVE-2021-44906", "id": "pyup.io-48546", "more_info_path": "/vulnerabilities/CVE-2021-44906/48546", "specs": [ "<0.1.1" ], "v": "<0.1.1" }, { "advisory": "Dash-extensions 0.1.8 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3602", "id": "pyup.io-52356", "more_info_path": "/vulnerabilities/CVE-2022-3602/52356", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", "cve": "CVE-2022-37603", "id": "pyup.io-52353", "more_info_path": "/vulnerabilities/CVE-2022-37603/52353", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3786", "id": "pyup.io-52355", "more_info_path": "/vulnerabilities/CVE-2022-3786/52355", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency \"mermaid\" requirement to \"^9.2.2\" to 
include a security fix.", "cve": "CVE-2022-31108", "id": "pyup.io-52354", "more_info_path": "/vulnerabilities/CVE-2022-31108/52354", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", "cve": "CVE-2022-37601", "id": "pyup.io-52351", "more_info_path": "/vulnerabilities/CVE-2022-37601/52351", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", "cve": "CVE-2022-37599", "id": "pyup.io-52352", "more_info_path": "/vulnerabilities/CVE-2022-37599/52352", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'minimatch' to v3.1.2 to include a security fix.", "cve": "CVE-2022-3517", "id": "pyup.io-52303", "more_info_path": "/vulnerabilities/CVE-2022-3517/52303", "specs": [ "<0.1.8" ], "v": "<0.1.8" }, { "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", "cve": "CVE-2022-23491", "id": "pyup.io-52623", "more_info_path": "/vulnerabilities/CVE-2022-23491/52623", "specs": [ "<0.1.9" ], "v": "<0.1.9" }, { "advisory": "Dash-extensions 0.1.9 updates its NPM dependency 'loader-utils' requirement to '>=3.2.1' to include security fixes.", "cve": "CVE-2022-37599", "id": "pyup.io-52653", "more_info_path": "/vulnerabilities/CVE-2022-37599/52653", "specs": [ "<0.1.9" ], "v": "<0.1.9" }, { "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", "cve": "CVE-2022-23491", "id": "pyup.io-52654", "more_info_path": "/vulnerabilities/CVE-2022-23491/52654", "specs": [ "<0.1.9" ], "v": "<0.1.9" } ], "dash-html-components": [ { "advisory": "Dash-html-components affected versions are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. 
An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. \r\n#Note: This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.", "cve": "CVE-2024-21485", "id": "pyup.io-71639", "more_info_path": "/vulnerabilities/CVE-2024-21485/71639", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "dash-io": [ { "advisory": "Dash-io 0.0.1.post1 removes the 'Pickle' library for security reasons.\r\nhttps://github.com/plotly/dash-io/commit/848565e688595c6d106663f41a6a7113b4c6fa67", "cve": "PVE-2021-40961", "id": "pyup.io-40961", "more_info_path": "/vulnerabilities/PVE-2021-40961/40961", "specs": [ "<0.0.1" ], "v": "<0.0.1" } ], "dash-jbrowse": [ { "advisory": "Dash-jbrowse 1.0.1 updates its NPM dependency 'object-path' to v0.11.8 to include security fixes.", "cve": "CVE-2021-23434", "id": "pyup.io-44694", "more_info_path": "/vulnerabilities/CVE-2021-23434/44694", "specs": [ "<1.0.1" ], "v": "<1.0.1" }, { "advisory": "Dash-jbrowse 1.0.1 updates its NPM dependency 'follow-redirects' to v1.14.7 to include a security fix.", "cve": "CVE-2022-0155", "id": "pyup.io-44687", "more_info_path": "/vulnerabilities/CVE-2022-0155/44687", "specs": [ "<1.0.1" ], "v": "<1.0.1" }, { "advisory": "Dash-jbrowse 1.0.1 updates its NPM dependency 'object-path' to v0.11.8 to include security fixes.", "cve": "CVE-2021-3805", "id": "pyup.io-44693", "more_info_path": "/vulnerabilities/CVE-2021-3805/44693", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "dash-table": [ { "advisory": "Dash-table 4.7.0 sanitizes table \"id\" to 
prevent stylesheet injection.\r\nhttps://github.com/plotly/dash-table/pull/766", "cve": "PVE-2021-41222", "id": "pyup.io-41222", "more_info_path": "/vulnerabilities/PVE-2021-41222/41222", "specs": [ "<4.7.0" ], "v": "<4.7.0" } ], "dash-tools": [ { "advisory": "Dash-tools 1.10.7 pins its dependency 'setuptools' to versions '>=65.5.1' to include a security fix.", "cve": "CVE-2022-40897", "id": "pyup.io-52553", "more_info_path": "/vulnerabilities/CVE-2022-40897/52553", "specs": [ "<1.10.7" ], "v": "<1.10.7" } ], "dask": [ { "advisory": "Dask 2021.10.0 includes a fix for CVE-2021-42343: An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters starting with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.", "cve": "CVE-2021-42343", "id": "pyup.io-42345", "more_info_path": "/vulnerabilities/CVE-2021-42343/42345", "specs": [ "<2021.10.0" ], "v": "<2021.10.0" } ], "dask-image": [ { "advisory": "Dask-image 2023.03.0 updates its dependency 'dask' to v2021.10.0 to include a security fix.", "cve": "CVE-2021-42343", "id": "pyup.io-53874", "more_info_path": "/vulnerabilities/CVE-2021-42343/53874", "specs": [ "<2023.3.0" ], "v": "<2023.3.0" } ], "data-safe-haven": [ { "advisory": "Data Safe Haven affected versions incorrectly handled CRAN package case sensitivity and privilege configurations, increasing the risk of typosquatting attacks. The update addresses these issues by preserving the original case of CRAN package names and correcting privilege path expressions. 
These changes prevent unauthorized package access, ensure accurate package allowlisting, and protect against typosquatting.", "cve": "PVE-2024-72914", "id": "pyup.io-72914", "more_info_path": "/vulnerabilities/PVE-2024-72914/72914", "specs": [ "<4.1.0" ], "v": "<4.1.0" } ], "database-sanitizer": [ { "advisory": "Database-Sanitizer 1.1.0 includes a security patch for the function 'from_file' in 'database_sanitizer/config.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/andersinno/python-database-sanitizer/commit/ace4e0823d7b81c6f3bf683eb97193b36cc6c040#diff-6090be0559642595d2ff5ff2e9d265c6d152a75ef98845380436d0f06e0b3c19", "cve": "CVE-2017-18342", "id": "pyup.io-41314", "more_info_path": "/vulnerabilities/CVE-2017-18342/41314", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "datacube": [ { "advisory": "datacube 1.6.2 is a Patch release to build a new Docker container, to resolve an upstream security bug.", "cve": "PVE-2021-36835", "id": "pyup.io-36835", "more_info_path": "/vulnerabilities/PVE-2021-36835/36835", "specs": [ "<1.6.2" ], "v": "<1.6.2" }, { "advisory": "Datacube 1.8.7 updates its dependency 'paramiko' to versions '>=2.10.1' to include a security fix.", "cve": "CVE-2022-24302", "id": "pyup.io-49318", "more_info_path": "/vulnerabilities/CVE-2022-24302/49318", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Datacube 1.8.7 updates its dependency 'dask' to v2021.10.0 to include a security fix.", "cve": "CVE-2021-42343", "id": "pyup.io-49320", "more_info_path": "/vulnerabilities/CVE-2021-42343/49320", "specs": [ "<1.8.7" ], "v": "<1.8.7" }, { "advisory": "Affected versions of `datacube` suffer from a race condition in the configuration API. 
This vulnerability can lead to potential data inconsistencies or application crashes when configuration data is accessed concurrently in a multi-threaded environment.", "cve": "PVE-2024-71557", "id": "pyup.io-71557", "more_info_path": "/vulnerabilities/PVE-2024-71557/71557", "specs": [ "<1.9.0rc5" ], "v": "<1.9.0rc5" } ], "datacube-ows": [ { "advisory": "Datacube-ows version 1.8.37 has upgraded its owslib dependency to versions greater than 0.29.2, moving from previous versions below 0.28.1\r\nhttps://github.com/opendatacube/datacube-ows/pull/973/commits/e7403ce5cccdbcc2d7b231679bb9b98bfbaa7ceb", "cve": "CVE-2023-27476", "id": "pyup.io-65698", "more_info_path": "/vulnerabilities/CVE-2023-27476/65698", "specs": [ "<1.8.37" ], "v": "<1.8.37" }, { "advisory": "Datacube-ows version 1.8.40 has updated its Pillow dependency to version 10.2.0 to address security concerns outlined in CVE-2023-4863.", "cve": "CVE-2023-4863", "id": "pyup.io-70566", "more_info_path": "/vulnerabilities/CVE-2023-4863/70566", "specs": [ "<1.8.40" ], "v": "<1.8.40" }, { "advisory": "Datacube-ows 1.8.8 removes the CodeCov token from ows to fix a security breach.\r\nhttps://github.com/opendatacube/datacube-ows/pull/585", "cve": "PVE-2021-42558", "id": "pyup.io-42558", "more_info_path": "/vulnerabilities/PVE-2021-42558/42558", "specs": [ "<1.8.8" ], "v": "<1.8.8" } ], "datagristle": [ { "advisory": "Datagristle 0.1.7 updates its dependency 'jinja2' to v2.11 to include security fixes.", "cve": "CVE-2016-10745", "id": "pyup.io-40237", "more_info_path": "/vulnerabilities/CVE-2016-10745/40237", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Datagristle 0.1.7 updates its dependency 'werkzeug' to v1.0 to include security fixes.", "cve": "CVE-2020-28724", "id": "pyup.io-49137", "more_info_path": "/vulnerabilities/CVE-2020-28724/49137", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Datagristle 0.1.7 updates its dependency 'werkzeug' to v1.0 to include security fixes.", "cve": 
"CVE-2016-10516", "id": "pyup.io-49135", "more_info_path": "/vulnerabilities/CVE-2016-10516/49135", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Datagristle 0.1.7 updates its dependency 'werkzeug' to v1.0 to include security fixes.", "cve": "CVE-2019-14806", "id": "pyup.io-49136", "more_info_path": "/vulnerabilities/CVE-2019-14806/49136", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Datagristle 0.1.7 updates its dependency 'pyyaml' to v5.3 to include a security fix.", "cve": "CVE-2017-18342", "id": "pyup.io-49134", "more_info_path": "/vulnerabilities/CVE-2017-18342/49134", "specs": [ "<0.1.7" ], "v": "<0.1.7" }, { "advisory": "Datagristle 0.1.7 updates its dependency 'jinja2' to v2.11 to include security fixes.", "cve": "CVE-2019-10906", "id": "pyup.io-49133", "more_info_path": "/vulnerabilities/CVE-2019-10906/49133", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "datahub": [ { "advisory": "DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. 
There are no known workarounds for this vulnerability.", "cve": "CVE-2023-47628", "id": "pyup.io-70896", "more_info_path": "/vulnerabilities/CVE-2023-47628/70896", "specs": [ "<0.12.1" ], "v": "<0.12.1" }, { "advisory": "DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain preconditions. If the default datahub user has been removed, then the user can sign up for an account that leverages the default policies giving admin privileges to the datahub user. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.", "cve": "CVE-2023-47629", "id": "pyup.io-70897", "more_info_path": "/vulnerabilities/CVE-2023-47629/70897", "specs": [ "<0.12.1" ], "v": "<0.12.1" }, { "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. 
This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3", "cve": "CVE-2023-25560", "id": "pyup.io-63335", "more_info_path": "/vulnerabilities/CVE-2023-25560/63335", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "In DataHub versions prior to 0.8.45, session cookies are only cleared upon new sign-ins, not during logouts. This allows potential attackers to bypass authentication checks using the AuthUtils.hasValidSessionCookie() method by using a cookie from a logged-out session. Consequently, any logged-out session cookie might be considered valid, leading to an authentication bypass. Users are advised to upgrade to version 0.8.45 to rectify this vulnerability. Currently, there are no known workarounds. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-083.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-3974-hxjh-m3jj\r\nhttps://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/datahub-frontend/app/auth/AuthUtils.java#L78", "cve": "CVE-2023-25562", "id": "pyup.io-63337", "more_info_path": "/vulnerabilities/CVE-2023-25562/63337", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.8.45 uses the X-DataHub-Actor HTTP header to identify the user making requests without authentication. However, this can be exploited by attackers who can manipulate the case of the header (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass and unauthorized actions. 
This issue, identified and reported by GitHub Security Lab, is known as GHSL-2022-079.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-qgp2-qr66-j8r8", "cve": "CVE-2023-25559", "id": "pyup.io-63333", "more_info_path": "/vulnerabilities/CVE-2023-25559/63333", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c", "cve": "CVE-2023-25561", "id": "pyup.io-63336", "more_info_path": "/vulnerabilities/CVE-2023-25561/63336", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg", "cve": "CVE-2023-25557", "id": "pyup.io-63334", "more_info_path": "/vulnerabilities/CVE-2023-25557/63334", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { "advisory": "DataHub under 0.9.5 uses the X-DataHub-Actor HTTP header to infer the user sending requests on behalf of the frontend. 
However, due to case-insensitivity, an attacker could potentially exploit this by sending a header with different casing (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass. This allows any user to impersonate the system user account and perform actions on its behalf. This vulnerability, tracked as GHSL-2022-079, was discovered and reported by the GitHub Security lab.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-hrwp-2q5c-86wv\r\nhttps://github.com/datahub-project/datahub/commit/2a182f484677d056730d6b4e9f0143e67368359f", "cve": "CVE-2023-25558", "id": "pyup.io-63332", "more_info_path": "/vulnerabilities/CVE-2023-25558/63332", "specs": [ "<0.9.5" ], "v": "<0.9.5" } ], "dataiku-api-client": [ { "advisory": "Dataiku-api-client 11.1.0 and before interact with Dataiku DSS 11.2.1 or prior versions, which are vulnerable to CVE-2023-24045.", "cve": "CVE-2023-24045", "id": "pyup.io-59543", "more_info_path": "/vulnerabilities/CVE-2023-24045/59543", "specs": [ "<=11.1.0" ], "v": "<=11.1.0" } ], "dataiku-scoring": [ { "advisory": "Dataiku-scoring 11.1.0 and before interact with Dataiku DSS 11.2.1 or prior versions, which are vulnerable to CVE-2023-24045.", "cve": "CVE-2023-24045", "id": "pyup.io-59544", "more_info_path": "/vulnerabilities/CVE-2023-24045/59544", "specs": [ "<=11.1.0" ], "v": "<=11.1.0" } ], "datajob": [ { "advisory": "Datajob 0.6.0 includes a patch to shell out commands more securely.", "cve": "PVE-2021-40144", "id": "pyup.io-40144", "more_info_path": "/vulnerabilities/PVE-2021-40144/40144", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "datalad": [ { "advisory": "Datalad 0.16.0 removes deprecated and unsafe mktemp from add-archive-content.\r\nhttps://github.com/datalad/datalad/pull/6428/commits/157db552b386f1719cc2efc3c3cb52e1e9c84f3e", "cve": "PVE-2022-48027", "id": "pyup.io-48027", "more_info_path": "/vulnerabilities/PVE-2022-48027/48027", "specs": [ "<0.16.0" ], "v": "<0.16.0" } ], "datalite": [ { "advisory": "Datalite 
0.7.2 adds some protection against SQL injections in field values. Maintainers highlight that this does not apply to class names, which should be under the programmer's control.", "cve": "PVE-2022-49140", "id": "pyup.io-49140", "more_info_path": "/vulnerabilities/PVE-2022-49140/49140", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "dataplaybook": [ { "advisory": "Dataplaybook has updated its pyyaml dependency from >=3.11,<4 to pyyaml>=4.2b1,<5 in response to CVE-2017-18342.", "cve": "CVE-2017-18342", "id": "pyup.io-73539", "more_info_path": "/vulnerabilities/CVE-2017-18342/73539", "specs": [ "<1.0.2" ], "v": "<1.0.2" } ], "datasets": [ { "advisory": "Datasets version 2.14.7 updates its dependency to include pyarrow version 14.0.1. This update addresses the security vulnerability CVE-2023-47248.\r\nhttps://github.com/huggingface/datasets/pull/6404/commits/04a3f006a1a88c894ea10610d66dfddd73ad1490", "cve": "CVE-2023-47248", "id": "pyup.io-65477", "more_info_path": "/vulnerabilities/CVE-2023-47248/65477", "specs": [ "<2.14.7" ], "v": "<2.14.7" } ], "datasette": [ { "advisory": "Datasette 0.29.1 fixes a bug where static mounts used relative paths, which could lead to traversal exploits.\r\nhttps://github.com/simonw/datasette/commit/82889507cafa4b823e89af90b6674fd76653fb86", "cve": "PVE-2021-42226", "id": "pyup.io-42226", "more_info_path": "/vulnerabilities/PVE-2021-42226/42226", "specs": [ "<0.29.1" ], "v": "<0.29.1" }, { "advisory": "Datasette 0.44 adds CSRF protection for /-/messages tool and writable canned queries.\r\nhttps://github.com/simonw/datasette/issues/793\r\nhttps://github.com/simonw/datasette/commit/84a9c4ff75460f91c049bd30bba3cee1fd89d9e2", "cve": "PVE-2021-42225", "id": "pyup.io-42225", "more_info_path": "/vulnerabilities/PVE-2021-42225/42225", "specs": [ "<0.44" ], "v": "<0.44" }, { "advisory": "Datasette 0.46 contains a security fix related to authenticated writable canned queries. 
CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker.\r\nhttps://github.com/simonw/datasette/security/advisories/GHSA-q6j3-c4wc-63vw", "cve": "PVE-2021-38671", "id": "pyup.io-38671", "more_info_path": "/vulnerabilities/PVE-2021-38671/38671", "specs": [ "<0.46" ], "v": "<0.46" }, { "advisory": "Datasette 0.55 starts to use Python 3.7.10 in official Docker image, applying the latest security fix.", "cve": "CVE-2021-3177", "id": "pyup.io-48388", "more_info_path": "/vulnerabilities/CVE-2021-3177/48388", "specs": [ "<0.55" ], "v": "<0.55" }, { "advisory": "Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. 
If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.\r\nhttps://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g", "cve": "CVE-2021-32670", "id": "pyup.io-42314", "more_info_path": "/vulnerabilities/CVE-2021-32670/42314", "specs": [ "<0.56.1", ">=0.57a0,<0.57" ], "v": "<0.56.1,>=0.57a0,<0.57" }, { "advisory": "Datasette 0.57 fixes a reflected cross-site scripting security hole with the '?_trace=1' feature.", "cve": "PVE-2021-40618", "id": "pyup.io-40618", "more_info_path": "/vulnerabilities/PVE-2021-40618/40618", "specs": [ "<0.57" ], "v": "<0.57" }, { "advisory": "Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. 
This issue is patched in version 1.0a4.", "cve": "CVE-2023-40570", "id": "pyup.io-65378", "more_info_path": "/vulnerabilities/CVE-2023-40570/65378", "specs": [ ">=1.0a0,<1.0a4" ], "v": ">=1.0a0,<1.0a4" } ], "datasette-auth-passwords": [ { "advisory": "Datasette-auth-passwords 0.4.1 now depends on the 'datasette' >=0.56.1, to avoid a security vulnerability.", "cve": "CVE-2021-32670", "id": "pyup.io-40620", "more_info_path": "/vulnerabilities/CVE-2021-32670/40620", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "datasette-css-properties": [ { "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.\r\nhttps://github.com/simonw/datasette-css-properties/commit/faf181430667af0e4f4954163fefcc32e8fdbd9c", "cve": "PVE-2021-39422", "id": "pyup.io-39422", "more_info_path": "/vulnerabilities/PVE-2021-39422/39422", "specs": [ "<0.2" ], "v": "<0.2" } ], "datasette-edit-templates": [ { "advisory": "Datasette-edit-templates 0.2 fixes a vulnerability. 
Logged out users were able to edit templates.", "cve": "PVE-2022-51931", "id": "pyup.io-51931", "more_info_path": "/vulnerabilities/PVE-2022-51931/51931", "specs": [ "<0.2" ], "v": "<0.2" } ], "datasette-graphql": [ { "advisory": "Datasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible.\r\nhttps://github.com/simonw/datasette-graphql/security/advisories/GHSA-74hv-qjjq-h7g5", "cve": "PVE-2021-39174", "id": "pyup.io-39174", "more_info_path": "/vulnerabilities/PVE-2021-39174/39174", "specs": [ "<1.2" ], "v": "<1.2" } ], "datasette-indieauth": [ { "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.\r\nhttps://github.com/simonw/datasette-indieauth/security/advisories/GHSA-mjcr-rqjg-rhg3", "cve": "PVE-2021-39164", "id": "pyup.io-39164", "more_info_path": "/vulnerabilities/PVE-2021-39164/39164", "specs": [ "<1.1" ], "v": "<1.1" } ], "datasette-insert": [ { "advisory": "Datasette-insert 0.6 is locked down by default. 
This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", "cve": "PVE-2021-38644", "id": "pyup.io-38644", "more_info_path": "/vulnerabilities/PVE-2021-38644/38644", "specs": [ "<0.6" ], "v": "<0.6" } ], "datasette-query-links": [ { "advisory": "Datasette-query-links 0.1.1 fixes an XSS security bug.\r\nhttps://github.com/simonw/datasette-query-links/issues/2", "cve": "PVE-2021-41092", "id": "pyup.io-41092", "more_info_path": "/vulnerabilities/PVE-2021-41092/41092", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "datasette-seaborn": [ { "advisory": "The maintainers of the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", "cve": "PVE-2021-38782", "id": "pyup.io-38782", "more_info_path": "/vulnerabilities/PVE-2021-38782/38782", "specs": [ "==0.1a0" ], "v": "==0.1a0" } ], "dateable-chronos": [ { "advisory": "Dateable.chronos 0.8 includes a fix for an XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", "cve": "PVE-2021-25685", "id": "pyup.io-25685", "more_info_path": "/vulnerabilities/PVE-2021-25685/25685", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Dateable-chronos 0.8 includes a fix for an XSS vulnerability in the get_view_day method.\r\nhttps://github.com/collective/dateable.chronos/commit/fd91af02186e61b3e161a2f620da9422eb228c71", "cve": "PVE-2021-35988", "id": "pyup.io-35988", "more_info_path": "/vulnerabilities/PVE-2021-35988/35988", "specs": [ "<0.8" ], "v": "<0.8" } ], "dateparser": [ { "advisory": "Dateparser 1.1.6 includes a fix for a ReDoS vulnerability in Spanish sentence splitting regex.\r\nhttps://github.com/scrapinghub/dateparser/pull/1084", "cve": "PVE-2023-62361", "id": "pyup.io-62361", "more_info_path": "/vulnerabilities/PVE-2023-62361/62361", "specs": [ "<1.1.6" ], "v": "<1.1.6" } ], "datera-cinder": [ { "advisory": "Datera-cinder 2018.10.30.0 updates 
the required 'requests' version to >=2.20.0 to include a fix for CVE-2018-18074.", "cve": "CVE-2018-18074", "id": "pyup.io-37204", "more_info_path": "/vulnerabilities/CVE-2018-18074/37204", "specs": [ "<2018.10.30.0" ], "v": "<2018.10.30.0" } ], "datum": [ { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23587", "id": "pyup.io-50393", "more_info_path": "/vulnerabilities/CVE-2022-23587/50393", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23589", "id": "pyup.io-50395", "more_info_path": "/vulnerabilities/CVE-2022-23589/50395", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21727", "id": "pyup.io-50347", "more_info_path": "/vulnerabilities/CVE-2022-21727/50347", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23561", "id": "pyup.io-50367", "more_info_path": "/vulnerabilities/CVE-2022-23561/50367", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27779", "id": "pyup.io-50404", "more_info_path": "/vulnerabilities/CVE-2022-27779/50404", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23571", "id": "pyup.io-50377", "more_info_path": "/vulnerabilities/CVE-2022-23571/50377", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23573", "id": "pyup.io-50379", "more_info_path": "/vulnerabilities/CVE-2022-23573/50379", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, 
{ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21728", "id": "pyup.io-50348", "more_info_path": "/vulnerabilities/CVE-2022-21728/50348", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23568", "id": "pyup.io-50374", "more_info_path": "/vulnerabilities/CVE-2022-23568/50374", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21738", "id": "pyup.io-50358", "more_info_path": "/vulnerabilities/CVE-2022-21738/50358", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21735", "id": "pyup.io-50355", "more_info_path": "/vulnerabilities/CVE-2022-21735/50355", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21736", "id": "pyup.io-50356", "more_info_path": "/vulnerabilities/CVE-2022-21736/50356", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21730", "id": "pyup.io-50350", "more_info_path": "/vulnerabilities/CVE-2022-21730/50350", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21731", "id": "pyup.io-50351", "more_info_path": "/vulnerabilities/CVE-2022-21731/50351", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21740", "id": "pyup.io-50360", "more_info_path": "/vulnerabilities/CVE-2022-21740/50360", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23566", "id": "pyup.io-50372", "more_info_path": "/vulnerabilities/CVE-2022-23566/50372", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23572", "id": "pyup.io-50378", "more_info_path": "/vulnerabilities/CVE-2022-23572/50378", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23567", "id": "pyup.io-50373", "more_info_path": "/vulnerabilities/CVE-2022-23567/50373", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23584", "id": "pyup.io-50390", "more_info_path": "/vulnerabilities/CVE-2022-23584/50390", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23569", "id": "pyup.io-50375", "more_info_path": "/vulnerabilities/CVE-2022-23569/50375", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23594", "id": "pyup.io-50398", "more_info_path": "/vulnerabilities/CVE-2022-23594/50398", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23595", "id": "pyup.io-50399", "more_info_path": "/vulnerabilities/CVE-2022-23595/50399", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29193", "id": "pyup.io-50410", "more_info_path": "/vulnerabilities/CVE-2022-29193/50410", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29211", "id": "pyup.io-50427", "more_info_path": "/vulnerabilities/CVE-2022-29211/50427", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23574", "id": "pyup.io-50380", "more_info_path": "/vulnerabilities/CVE-2022-23574/50380", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23562", "id": "pyup.io-50368", "more_info_path": "/vulnerabilities/CVE-2022-23562/50368", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23591", "id": "pyup.io-50397", "more_info_path": "/vulnerabilities/CVE-2022-23591/50397", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23588", "id": "pyup.io-50394", "more_info_path": "/vulnerabilities/CVE-2022-23588/50394", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23575", "id": "pyup.io-50381", "more_info_path": "/vulnerabilities/CVE-2022-23575/50381", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29216", "id": "pyup.io-50430", "more_info_path": "/vulnerabilities/CVE-2022-29216/50430", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23579", "id": "pyup.io-50385", "more_info_path": "/vulnerabilities/CVE-2022-23579/50385", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29192", "id": "pyup.io-50409", "more_info_path": "/vulnerabilities/CVE-2022-29192/50409", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23580", "id": "pyup.io-50386", "more_info_path": "/vulnerabilities/CVE-2022-23580/50386", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21726", "id": "pyup.io-50346", "more_info_path": "/vulnerabilities/CVE-2022-21726/50346", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27774", "id": "pyup.io-50400", "more_info_path": "/vulnerabilities/CVE-2022-27774/50400", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29212", "id": "pyup.io-50428", "more_info_path": "/vulnerabilities/CVE-2022-29212/50428", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29213", "id": "pyup.io-50429", "more_info_path": "/vulnerabilities/CVE-2022-29213/50429", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29201", "id": "pyup.io-50418", "more_info_path": "/vulnerabilities/CVE-2022-29201/50418", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21729", "id": "pyup.io-50349", "more_info_path": "/vulnerabilities/CVE-2022-21729/50349", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21739", "id": "pyup.io-50359", "more_info_path": "/vulnerabilities/CVE-2022-21739/50359", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23559", "id": "pyup.io-50365", "more_info_path": "/vulnerabilities/CVE-2022-23559/50365", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23564", "id": "pyup.io-50370", "more_info_path": "/vulnerabilities/CVE-2022-23564/50370", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23578", "id": "pyup.io-50384", "more_info_path": "/vulnerabilities/CVE-2022-23578/50384", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23583", "id": "pyup.io-50389", "more_info_path": "/vulnerabilities/CVE-2022-23583/50389", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29196", "id": "pyup.io-50413", "more_info_path": "/vulnerabilities/CVE-2022-29196/50413", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29198", "id": "pyup.io-50415", "more_info_path": "/vulnerabilities/CVE-2022-29198/50415", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2020-10531", "id": "pyup.io-50344", "more_info_path": "/vulnerabilities/CVE-2020-10531/50344", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27782", "id": "pyup.io-50407", "more_info_path": "/vulnerabilities/CVE-2022-27782/50407", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29197", "id": "pyup.io-50414", "more_info_path": "/vulnerabilities/CVE-2022-29197/50414", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21732", "id": "pyup.io-50352", "more_info_path": "/vulnerabilities/CVE-2022-21732/50352", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21733", "id": "pyup.io-50353", "more_info_path": "/vulnerabilities/CVE-2022-21733/50353", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21734", "id": "pyup.io-50354", "more_info_path": "/vulnerabilities/CVE-2022-21734/50354", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21737", "id": "pyup.io-50357", "more_info_path": "/vulnerabilities/CVE-2022-21737/50357", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21741", "id": "pyup.io-50361", "more_info_path": "/vulnerabilities/CVE-2022-21741/50361", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23560", "id": "pyup.io-50366", "more_info_path": "/vulnerabilities/CVE-2022-23560/50366", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23565", "id": "pyup.io-50371", "more_info_path": "/vulnerabilities/CVE-2022-23565/50371", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23582", "id": "pyup.io-50388", "more_info_path": "/vulnerabilities/CVE-2022-23582/50388", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23576", "id": "pyup.io-50382", "more_info_path": "/vulnerabilities/CVE-2022-23576/50382", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23577", "id": "pyup.io-50383", "more_info_path": "/vulnerabilities/CVE-2022-23577/50383", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23581", "id": "pyup.io-50387", "more_info_path": "/vulnerabilities/CVE-2022-23581/50387", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23586", "id": "pyup.io-50392", "more_info_path": "/vulnerabilities/CVE-2022-23586/50392", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23585", "id": "pyup.io-50391", "more_info_path": "/vulnerabilities/CVE-2022-23585/50391", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27775", "id": "pyup.io-50401", "more_info_path": "/vulnerabilities/CVE-2022-27775/50401", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29194", "id": "pyup.io-50411", "more_info_path": "/vulnerabilities/CVE-2022-29194/50411", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29195", "id": "pyup.io-50412", "more_info_path": "/vulnerabilities/CVE-2022-29195/50412", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29199", "id": "pyup.io-50416", "more_info_path": "/vulnerabilities/CVE-2022-29199/50416", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29203", "id": "pyup.io-50420", "more_info_path": "/vulnerabilities/CVE-2022-29203/50420", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29205", "id": "pyup.io-50422", "more_info_path": "/vulnerabilities/CVE-2022-29205/50422", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29209", "id": "pyup.io-50426", "more_info_path": "/vulnerabilities/CVE-2022-29209/50426", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-30115", "id": "pyup.io-50431", "more_info_path": "/vulnerabilities/CVE-2022-30115/50431", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-22576", "id": "pyup.io-50362", "more_info_path": "/vulnerabilities/CVE-2022-22576/50362", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29208", "id": "pyup.io-50425", "more_info_path": "/vulnerabilities/CVE-2022-29208/50425", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23563", "id": "pyup.io-50369", "more_info_path": "/vulnerabilities/CVE-2022-23563/50369", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23570", "id": "pyup.io-50376", "more_info_path": "/vulnerabilities/CVE-2022-23570/50376", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27778", "id": "pyup.io-50403", "more_info_path": "/vulnerabilities/CVE-2022-27778/50403", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27780", "id": "pyup.io-50405", "more_info_path": "/vulnerabilities/CVE-2022-27780/50405", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29202", "id": "pyup.io-50419", "more_info_path": "/vulnerabilities/CVE-2022-29202/50419", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27781", "id": "pyup.io-50406", "more_info_path": "/vulnerabilities/CVE-2022-27781/50406", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29200", "id": "pyup.io-50417", "more_info_path": "/vulnerabilities/CVE-2022-29200/50417", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29206", "id": "pyup.io-50423", "more_info_path": "/vulnerabilities/CVE-2022-29206/50423", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29204", "id": "pyup.io-50421", "more_info_path": "/vulnerabilities/CVE-2022-29204/50421", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21725", "id": "pyup.io-50345", "more_info_path": "/vulnerabilities/CVE-2022-21725/50345", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29207", "id": "pyup.io-50424", "more_info_path": "/vulnerabilities/CVE-2022-29207/50424", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23590", "id": "pyup.io-50396", "more_info_path": "/vulnerabilities/CVE-2022-23590/50396", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-29191", "id": "pyup.io-50408", "more_info_path": "/vulnerabilities/CVE-2022-29191/50408", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23557", "id": "pyup.io-50363", "more_info_path": "/vulnerabilities/CVE-2022-23557/50363", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23558", "id": "pyup.io-50364", "more_info_path": "/vulnerabilities/CVE-2022-23558/50364", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { 
"advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2018-25032", "id": "pyup.io-50343", "more_info_path": "/vulnerabilities/CVE-2018-25032/50343", "specs": [ "<1.5.0" ], "v": "<1.5.0" }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27776", "id": "pyup.io-50402", "more_info_path": "/vulnerabilities/CVE-2022-27776/50402", "specs": [ "<1.5.0" ], "v": "<1.5.0" } ], "datumaro": [ { "advisory": "Datumaro version 0.1.10 includes a fix for an arbitrary code execution vulnerability: Cifar implementation is based on pickle, which can run arbitrary code on unpickling.\r\nhttps://github.com/openvinotoolkit/datumaro/issues/327", "cve": "PVE-2021-41817", "id": "pyup.io-41817", "more_info_path": "/vulnerabilities/PVE-2021-41817/41817", "specs": [ "<0.1.10" ], "v": "<0.1.10" } ], "dawgie": [ { "advisory": "Dawgie 1.2.3 includes a vulnerability fix.\r\nhttps://github.com/al-niessner/DAWGIE/commit/137cd7933be87ce13780c07ead0263e9da29ec8e", "cve": "PVE-2021-40122", "id": "pyup.io-40122", "more_info_path": "/vulnerabilities/PVE-2021-40122/40122", "specs": [ "<1.2.3" ], "v": "<1.2.3" }, { "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.", "cve": "PVE-2021-40121", "id": "pyup.io-40121", "more_info_path": "/vulnerabilities/PVE-2021-40121/40121", "specs": [ "<1.2.9" ], "v": "<1.2.9" }, { "advisory": "Dawgie 1.3.0 and 1.2.13 adds HTML sanitization to prevent injection attacks.\r\nhttps://github.com/al-niessner/DAWGIE/pull/93/commits/c4a4a2ffd88ea80a7c68a57c10d159c1e429e169", "cve": "PVE-2022-50444", "id": "pyup.io-50444", "more_info_path": "/vulnerabilities/PVE-2022-50444/50444", "specs": [ ">=1.3.0rc0,<1.3.0", "<1.2.13" ], "v": ">=1.3.0rc0,<1.3.0,<1.2.13" }, { "advisory": "Dawgie 1.3.0 and 1.2.13 include a fix for an open redirect vulnerability.\r\nhttps://github.com/al-niessner/DAWGIE/issues/146", "cve": "PVE-2022-50443", "id": 
"pyup.io-50443", "more_info_path": "/vulnerabilities/PVE-2022-50443/50443", "specs": [ ">=1.3.0rc0,<1.3.0", "<1.2.13" ], "v": ">=1.3.0rc0,<1.3.0,<1.2.13" } ], "db-able": [ { "advisory": "Db-able 2.1.4 updates its NPM dependency 'shelljs' to v0.8.5 to include a security fix.", "cve": "CVE-2022-0144", "id": "pyup.io-44568", "more_info_path": "/vulnerabilities/CVE-2022-0144/44568", "specs": [ "<2.1.4" ], "v": "<2.1.4" } ], "dbcat": [ { "advisory": "Dbcat 0.3.1 updates its dependency 'cryptography' to v3.4.4 to include a security fix.", "cve": "CVE-2020-36242", "id": "pyup.io-42696", "more_info_path": "/vulnerabilities/CVE-2020-36242/42696", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "dbpool": [ { "advisory": "Dbpool 1.2.1 updates its dependency 'protobuf' to v3.19.5 to include a security fix.", "cve": "CVE-2022-1941", "id": "pyup.io-51237", "more_info_path": "/vulnerabilities/CVE-2022-1941/51237", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "dbt-core": [ { "advisory": "Dbt-core 0.20.0rc1 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-28493", "id": "pyup.io-42229", "more_info_path": "/vulnerabilities/CVE-2020-28493/42229", "specs": [ "<0.20.0rc1" ], "v": "<0.20.0rc1" }, { "advisory": "In DBT affected versions, binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access. While doing some static analysis and code inspection, I found the following code binding a socket to INADDR_ANY by passing \"\" as the address. 
This effectively binds to any network interface on the local system, not just localhost (127.0.0.1).", "cve": "CVE-2024-36105", "id": "pyup.io-71635", "more_info_path": "/vulnerabilities/CVE-2024-36105/71635", "specs": [ "<1.6.1", ">=1.7.0,<1.7.15", ">=1.8.0,<1.8.1" ], "v": "<1.6.1,>=1.7.0,<1.7.15,>=1.8.0,<1.8.1" }, { "advisory": "When a user installs a package in dbt, they gain the capability to override macros, materializations, and other core components of dbt. This design feature enables packages to extend and customize dbt's functionality. However, it also allows a malicious package to replace these components with harmful code.", "cve": "CVE-2024-40637", "id": "pyup.io-72255", "more_info_path": "/vulnerabilities/CVE-2024-40637/72255", "specs": [ "<1.6.14", ">=1.7.0b1,<1.7.14" ], "v": "<1.6.14,>=1.7.0b1,<1.7.14" }, { "advisory": "Dbt-core version 1.8.0b3 has upgraded sqlparse to versions between \">=0.5.0\" and \"<0.6.0\" to mitigate vulnerabilities identified in GHSA-2m57-hf25-phgg.", "cve": "PVE-2024-67887", "id": "pyup.io-68018", "more_info_path": "/vulnerabilities/PVE-2024-67887/68018", "specs": [ "<1.8.0b3" ], "v": "<1.8.0b3" }, { "advisory": "Affected versions of the dbt package are potentially vulnerable to Improper Access Control (CWE-284). The documentation server (ServeTask) binds to all network interfaces, which allows remote attackers to connect and potentially exploit the server. The vulnerable function is the TCPServer configuration in serve.py. This flaw can be exploited remotely, depending on the network configuration, leading to unauthorized access. To mitigate this issue, the server is now bound to 127.0.0.1, limiting access to localhost.", "cve": "PVE-2024-73530", "id": "pyup.io-73530", "more_info_path": "/vulnerabilities/PVE-2024-73530/73530", "specs": [ "<1.9.0b1" ], "v": "<1.9.0b1" }, { "advisory": "Affected versions of dbt-core are vulnerable to the clear text storage of sensitive information. 
The vulnerability arises when the software is used to pull source code from a private repository with a Personal Access Token (PAT), resulting in the PAT being written in plain text to the package-lock.yml file. This issue threatens the security of selected versions of dbt-core, specifically when interacting with private repositories.\r\nhttps://github.com/dbt-labs/dbt-core/commit/09f5bb3dcffeda7a60ad2b22c2891f237628ecd1", "cve": "PVE-2024-99810", "id": "pyup.io-65981", "more_info_path": "/vulnerabilities/PVE-2024-99810/65981", "specs": [ ">=1.7.0,<1.7.3" ], "v": ">=1.7.0,<1.7.3" } ], "dbt-coverage": [ { "advisory": "Dbt-coverage version 0.3.7 has updated its certifi dependency from version 2023.7.22 to 2024.2.2 to address the security vulnerability identified in CVE-2023-37920.", "cve": "CVE-2023-37920", "id": "pyup.io-68469", "more_info_path": "/vulnerabilities/CVE-2023-37920/68469", "specs": [ "<0.3.7" ], "v": "<0.3.7" } ], "dbt-databricks": [ { "advisory": "Dbt-databricks 1.5.6 updates its dependency 'databricks-sdk' to v0.9.0 to include a secure version of 'requests'.\r\nhttps://github.com/databricks/dbt-databricks/pull/460", "cve": "CVE-2023-32681", "id": "pyup.io-64509", "more_info_path": "/vulnerabilities/CVE-2023-32681/64509", "specs": [ "<1.5.6" ], "v": "<1.5.6" }, { "advisory": "Dbt-databricks 1.6.5 updates the Databricks SDK dependency so as to prevent reliance on an insecure version of 'requests'.", "cve": "CVE-2023-32681", "id": "pyup.io-61444", "more_info_path": "/vulnerabilities/CVE-2023-32681/61444", "specs": [ "<1.6.5" ], "v": "<1.6.5" } ], "dbt-oracle": [ { "advisory": "Dbt-oracle 1.0.4 includes an update to dbt-core version v1.0.8, which addresses a critical security issue. 
\r\nhttps://github.com/oracle/dbt-oracle/commit/d7462ccac1c6b9893f4de0510c8e6f243595cadd", "cve": "PVE-2024-63307", "id": "pyup.io-63307", "more_info_path": "/vulnerabilities/PVE-2024-63307/63307", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Dbt-oracle 1.5.2 upgrades its core in response to a vulnerability identified in sqlparse, referred to as CVE-2023-30608.\r\nhttps://github.com/oracle/dbt-oracle/commit/41701a6fd8f25ffbeb92a983c499df43702fcb1a\r\nhttps://github.com/advisories/GHSA-rrm6-wvj7-cwh2", "cve": "CVE-2023-30608", "id": "pyup.io-63306", "more_info_path": "/vulnerabilities/CVE-2023-30608/63306", "specs": [ "<1.5.2" ], "v": "<1.5.2" } ], "dbt-redshift": [ { "advisory": "Dbt-redshift version 1.8.0b3 has updated its sqlparse dependency to versions between \">=0.5.0\" and \"<0.6.0\". This change is made to address vulnerabilities specified in GHSA-2m57-hf25-phgg and is aligned with updates in dbt-core.", "cve": "PVE-2024-68037", "id": "pyup.io-68037", "more_info_path": "/vulnerabilities/PVE-2024-68037/68037", "specs": [ "<1.8.0b3" ], "v": "<1.8.0b3" } ], "dbt-snowflake": [ { "advisory": "Dbt-snowflake version 1.8.0b1 has upgraded its cryptography dependency to approximately version 41.0.7. 
This update addresses a security issue present in version 41.0.5, detailed in CVE-2023-5363.\r\nhttps://github.com/dbt-labs/dbt-snowflake/pull/852/commits/43ac4ddfcffe5e596b12892cafa419c0f178f987", "cve": "PVE-2024-65754", "id": "pyup.io-65754", "more_info_path": "/vulnerabilities/PVE-2024-65754/65754", "specs": [ "<1.8.0b1" ], "v": "<1.8.0b1" }, { "advisory": "Dbt-snowflake 1.8.0b2 updates its cryptography requirement to version 42.0.4 or newer, addressing security concerns highlighted by CVE-2024-26130.", "cve": "CVE-2024-26130", "id": "pyup.io-67468", "more_info_path": "/vulnerabilities/CVE-2024-26130/67468", "specs": [ "<1.8.0b2" ], "v": "<1.8.0b2" } ], "dbt-sqlserver": [ { "advisory": "Dbt-sqlserver 1.2.0 uses connection encryption by default.\r\nhttps://github.com/dbt-msft/dbt-sqlserver/commit/a2c4bf0f68d71efde3f7406843c7909d9b8fa9a0", "cve": "PVE-2022-51023", "id": "pyup.io-51023", "more_info_path": "/vulnerabilities/PVE-2022-51023/51023", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "dbt-trino": [ { "advisory": "Dbt-trino 1.2.1 requires 'pyyaml>=6.0' to include a security fix.", "cve": "CVE-2020-1747", "id": "pyup.io-50767", "more_info_path": "/vulnerabilities/CVE-2020-1747/50767", "specs": [ "<1.2.1" ], "v": "<1.2.1" } ], "dbterd": [ { "advisory": "Dbterd 1.2.5 updates its dependency 'certifi' to version '2023.7.22' to include a fix for a vulnerability.\r\nhttps://github.com/datnguye/dbterd/pull/44", "cve": "CVE-2023-37920", "id": "pyup.io-60558", "more_info_path": "/vulnerabilities/CVE-2023-37920/60558", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "dbx": [ { "advisory": "Dbx 0.8.16 updates its dependency 'cookiecutter' to version '2.1.1' to include a security fix.\r\nhttps://github.com/databrickslabs/dbx/pull/798", "cve": "CVE-2022-24065", "id": "pyup.io-59103", "more_info_path": "/vulnerabilities/CVE-2022-24065/59103", "specs": [ "<0.8.16" ], "v": "<0.8.16" }, { "advisory": "Dbx 0.8.16 updates its dependency 'cryptography' to version '41.0.1' to include a 
security fix.\r\nhttps://github.com/databrickslabs/dbx/pull/798", "cve": "CVE-2023-2650", "id": "pyup.io-59093", "more_info_path": "/vulnerabilities/CVE-2023-2650/59093", "specs": [ "<0.8.16" ], "v": "<0.8.16" }, { "advisory": "Dbx 0.8.16 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/databrickslabs/dbx/pull/798", "cve": "CVE-2023-32681", "id": "pyup.io-59102", "more_info_path": "/vulnerabilities/CVE-2023-32681/59102", "specs": [ "<0.8.16" ], "v": "<0.8.16" } ], "dcicutils": [ { "advisory": "Dcicutils 8.16.1 updates its dependency 'cryptography' to v43.0.1 to include a security fix.", "cve": "CVE-2023-50782", "id": "pyup.io-73682", "more_info_path": "/vulnerabilities/CVE-2023-50782/73682", "specs": [ "<8.16.1" ], "v": "<8.16.1" } ], "dcnnt": [ { "advisory": "A critical vulnerability has been identified in cyanomiko dcnnt-py affecting the Notification Handler component in the function main of the file dcnnt/plugins/notifications.py. 
This vulnerability allows for command injection, enabling remote attackers to execute arbitrary commands on the affected system.", "cve": "CVE-2023-1000", "id": "pyup.io-62062", "more_info_path": "/vulnerabilities/CVE-2023-1000/62062", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "dcspy": [ { "advisory": "Dcspy 2.3.3 updates its dependency 'pillow' to include a security fix for CVE-2023-4863.", "cve": "CVE-2023-4863", "id": "pyup.io-62032", "more_info_path": "/vulnerabilities/CVE-2023-4863/62032", "specs": [ "<2.3.3" ], "v": "<2.3.3" } ], "ddataflow": [ { "advisory": "Ddataflow 1.1.8 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2018-20060", "id": "pyup.io-53836", "more_info_path": "/vulnerabilities/CVE-2018-20060/53836", "specs": [ "<1.1.8" ], "v": "<1.1.8" }, { "advisory": "Ddataflow 1.1.8 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-53835", "more_info_path": "/vulnerabilities/CVE-2019-11236/53835", "specs": [ "<1.1.8" ], "v": "<1.1.8" }, { "advisory": "Ddataflow 1.1.8 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2019-11324", "id": "pyup.io-53834", "more_info_path": "/vulnerabilities/CVE-2019-11324/53834", "specs": [ "<1.1.8" ], "v": "<1.1.8" }, { "advisory": "Ddataflow 1.1.8 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2021-33503", "id": "pyup.io-53822", "more_info_path": "/vulnerabilities/CVE-2021-33503/53822", "specs": [ "<1.1.8" ], "v": "<1.1.8" }, { "advisory": "Ddataflow 1.1.8 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2020-26137", "id": "pyup.io-53833", "more_info_path": "/vulnerabilities/CVE-2020-26137/53833", "specs": [ "<1.1.8" ], "v": "<1.1.8" } ], "dds-cli": [ { "advisory": "Dds-cli 2.1.0 pins its jwcrypto dependency to version 1.4 from the earlier 1.0, in response to security concerns highlighted by 
CVE-2022-3102.\r\nhttps://github.com/ScilifelabDataCentre/dds_cli/pull/537/commits/aae2610d78bf2c2daec94be1172739ad80819779", "cve": "CVE-2022-3102", "id": "pyup.io-65300", "more_info_path": "/vulnerabilities/CVE-2022-3102/65300", "specs": [ "<2.1.0" ], "v": "<2.1.0" }, { "advisory": "Dds-cli 2.2.2 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3602", "id": "pyup.io-61417", "more_info_path": "/vulnerabilities/CVE-2022-3602/61417", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { "advisory": "Dds-cli 2.2.2 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", "cve": "CVE-2022-3786", "id": "pyup.io-61432", "more_info_path": "/vulnerabilities/CVE-2022-3786/61432", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { "advisory": "Dds-cli 2.6.1 upgrades its cryptography dependency to version 41.0.6 from the earlier 41.0.3, in response to security concerns highlighted by CVE-2023-49083.", "cve": "CVE-2023-49083", "id": "pyup.io-65299", "more_info_path": "/vulnerabilities/CVE-2023-49083/65299", "specs": [ "<2.6.1" ], "v": "<2.6.1" }, { "advisory": "Dds-cli version 2.6.2 upgrades its jwcrypto dependency to version 1.5.1 from the earlier 1.4.2, in response to security concerns highlighted by CVE-2023-6681.\r\nhttps://github.com/ScilifelabDataCentre/dds_cli/pull/674/commits/e1cb225c76e55ec88dfa6de594722664fd20826a", "cve": "CVE-2023-6681", "id": "pyup.io-65298", "more_info_path": "/vulnerabilities/CVE-2023-6681/65298", "specs": [ "<2.6.2" ], "v": "<2.6.2" } ], "ddtrace": [ { "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. 
This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", "cve": "PVE-2021-35790", "id": "pyup.io-35790", "more_info_path": "/vulnerabilities/PVE-2021-35790/35790", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Ddtrace 0.39 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/DataDog/dd-trace-py/pull/1435", "cve": "PVE-2023-59562", "id": "pyup.io-59562", "more_info_path": "/vulnerabilities/PVE-2023-59562/59562", "specs": [ "<0.39" ], "v": "<0.39" }, { "advisory": "Ddtrace 0.41 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/DataDog/dd-trace-py/pull/1569", "cve": "PVE-2023-59561", "id": "pyup.io-59561", "more_info_path": "/vulnerabilities/PVE-2023-59561/59561", "specs": [ "<0.41" ], "v": "<0.41" } ], "debianized-jupyterhub": [ { "advisory": "Debianized-jupyterhub 0.9.5.1 updates its dependency 'notebook' to 5.7.7 to include a security fix.", "cve": "CVE-2019-10255", "id": "pyup.io-37002", "more_info_path": "/vulnerabilities/CVE-2019-10255/37002", "specs": [ "<0.9.5.1" ], "v": "<0.9.5.1" } ], "debops": [ { "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", "cve": "PVE-2021-36371", "id": "pyup.io-36371", "more_info_path": "/vulnerabilities/PVE-2021-36371/36371", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. 
Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .", "cve": "PVE-2021-37159", "id": "pyup.io-37159", "more_info_path": "/vulnerabilities/PVE-2021-37159/37159", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "The :command:\"lxc-prepare-ssh\" script in debops 1.1.0 will no longer install SSH keys from the LXC host \"root\" account on the LXC container \"root\" account. 
That could cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.\r\nhttps://github.com/debops/debops/commit/6dd088e413ef4c5dac23d94bb338ae19398985e2", "cve": "PVE-2021-37404", "id": "pyup.io-37404", "more_info_path": "/vulnerabilities/PVE-2021-37404/37404", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.", "cve": "CVE-2019-11043", "id": "pyup.io-37733", "more_info_path": "/vulnerabilities/CVE-2019-11043/37733", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", "cve": "PVE-2021-37732", "id": "pyup.io-37732", "more_info_path": "/vulnerabilities/PVE-2021-37732/37732", "specs": [ "<1.7.0" ], "v": "<1.7.0" }, { "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. 
The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", "cve": "PVE-2021-26403", "id": "pyup.io-26403", "more_info_path": "/vulnerabilities/PVE-2021-26403/26403", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "Debops 3.0.0 fixes parameters in the password lookups. Specific DebOps roles (:ref:'debops.dovecot', :ref:'debops.owncloud',\r\n :ref:'debops.postldap') used password generation lookups with invalid parameters which might have resulted in weak passwords generated during their deployment.\r\nhttps://github.com/debops/debops/pull/2012", "cve": "PVE-2022-45253", "id": "pyup.io-45253", "more_info_path": "/vulnerabilities/PVE-2022-45253/45253", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "decancer-py": [ { "advisory": "Decancer-py 0.2.2 updates its dependency 'decancer' to version '1.6.4' to include fixes for two DoS vulnerabilities.\r\nhttps://github.com/Jonxslays/decancer_py/pull/4", "cve": "PVE-2023-59516", "id": "pyup.io-59516", "more_info_path": "/vulnerabilities/PVE-2023-59516/59516", "specs": [ "<0.2.2" ], "v": "<0.2.2" }, { "advisory": "Decancer-py 0.2.1 (python bindings) updates to Decancer 1.5.2, that includes a fix for a potential Denial of Service vulnerability.\r\nhttps://github.com/null8626/decancer/commit/4e5c4dea99eb99a048e45912dc1e144d9c015d1b", "cve": "PVE-2022-52559", "id": "pyup.io-52559", "more_info_path": "/vulnerabilities/PVE-2022-52559/52559", "specs": [ "<1.5.2" ], "v": "<1.5.2" } ], "decaptcha": [ { "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", "cve": "PVE-2021-37892", "id": "pyup.io-37892", "more_info_path": "/vulnerabilities/PVE-2021-37892/37892", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", "cve": "PVE-2021-37891", "id": "pyup.io-37891", "more_info_path": "/vulnerabilities/PVE-2021-37891/37891", "specs": [ "<1.0.1" ], "v": 
"<1.0.1" } ], "declarai": [ { "advisory": "Declarai 0.1.2 updates its dependency 'wandb' to version '0.15.8' to include a fix for a Race Condition vulnerability.\r\nhttps://github.com/vendi-ai/declarai/pull/53", "cve": "PVE-2022-47988", "id": "pyup.io-60212", "more_info_path": "/vulnerabilities/PVE-2022-47988/60212", "specs": [ "<0.1.2" ], "v": "<0.1.2" } ], "declarativex": [ { "advisory": "Declarativex 1.6.5 updates its dependency 'jinja2' to v3.1.3 to include a security fix.", "cve": "CVE-2024-22195", "id": "pyup.io-64359", "more_info_path": "/vulnerabilities/CVE-2024-22195/64359", "specs": [ "<1.6.5" ], "v": "<1.6.5" } ], "decord": [ { "advisory": "Decord 0.3.7 through 0.3.9 ship with a version of the C library 'libwebp' which is affected by a high risk vulnerability. Only mac OS X wheels on PyPI were affected.\r\nhttps://inspector.pypi.io/project/decord/0.3.9/packages/d9/b8/f90a9d579e93dd1b9a271a59fa222740ae9d9851ea27c5c6bc6550eb9480/decord-0.3.9-cp37-cp37m-macosx_10_13_x86_64.whl", "cve": "CVE-2023-4863", "id": "pyup.io-62314", "more_info_path": "/vulnerabilities/CVE-2023-4863/62314", "specs": [ ">=0.3.7,<0.4.0" ], "v": ">=0.3.7,<0.4.0" } ], "deduce": [ { "advisory": "Deduce 2.0.2 updates its dependency 'markdown-it-py' to v2.2.0 to include security fixes.", "cve": "CVE-2023-26303", "id": "pyup.io-53911", "more_info_path": "/vulnerabilities/CVE-2023-26303/53911", "specs": [ "<2.0.2" ], "v": "<2.0.2" }, { "advisory": "Deduce 2.0.2 updates its dependency 'markdown-it-py' to v2.2.0 to include security fixes.", "cve": "CVE-2023-26302", "id": "pyup.io-53909", "more_info_path": "/vulnerabilities/CVE-2023-26302/53909", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "deep-translator": [ { "advisory": "The deep-translator project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release (1.8.5) made which contained code which some environment variables and downloaded and ran malware at install time.", "cve": "PVE-2023-55209", "id": 
"pyup.io-55209", "more_info_path": "/vulnerabilities/PVE-2023-55209/55209", "specs": [ "<=1.8.5" ], "v": "<=1.8.5" } ], "deepcell": [ { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37684", "id": "pyup.io-48892", "more_info_path": "/vulnerabilities/CVE-2021-37684/48892", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29573", "id": "pyup.io-48797", "more_info_path": "/vulnerabilities/CVE-2021-29573/48797", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29614", "id": "pyup.io-48838", "more_info_path": "/vulnerabilities/CVE-2021-29614/48838", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29590", "id": "pyup.io-48814", "more_info_path": "/vulnerabilities/CVE-2021-29590/48814", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29539", "id": "pyup.io-48763", "more_info_path": "/vulnerabilities/CVE-2021-29539/48763", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29593", "id": "pyup.io-48817", "more_info_path": "/vulnerabilities/CVE-2021-29593/48817", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29586", "id": "pyup.io-48810", "more_info_path": "/vulnerabilities/CVE-2021-29586/48810", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": 
"Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29541", "id": "pyup.io-48765", "more_info_path": "/vulnerabilities/CVE-2021-29541/48765", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29596", "id": "pyup.io-48820", "more_info_path": "/vulnerabilities/CVE-2021-29596/48820", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37638", "id": "pyup.io-48847", "more_info_path": "/vulnerabilities/CVE-2021-37638/48847", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29579", "id": "pyup.io-48803", "more_info_path": "/vulnerabilities/CVE-2021-29579/48803", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37669", "id": "pyup.io-48877", "more_info_path": "/vulnerabilities/CVE-2021-37669/48877", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29597", "id": "pyup.io-48821", "more_info_path": "/vulnerabilities/CVE-2021-29597/48821", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29567", "id": "pyup.io-48791", "more_info_path": "/vulnerabilities/CVE-2021-29567/48791", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37673", "id": "pyup.io-48881", 
"more_info_path": "/vulnerabilities/CVE-2021-37673/48881", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29604", "id": "pyup.io-48828", "more_info_path": "/vulnerabilities/CVE-2021-29604/48828", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37679", "id": "pyup.io-48887", "more_info_path": "/vulnerabilities/CVE-2021-37679/48887", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37658", "id": "pyup.io-48866", "more_info_path": "/vulnerabilities/CVE-2021-37658/48866", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29553", "id": "pyup.io-48777", "more_info_path": "/vulnerabilities/CVE-2021-29553/48777", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29558", "id": "pyup.io-48782", "more_info_path": "/vulnerabilities/CVE-2021-29558/48782", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37644", "id": "pyup.io-48852", "more_info_path": "/vulnerabilities/CVE-2021-37644/48852", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29603", "id": "pyup.io-48827", "more_info_path": "/vulnerabilities/CVE-2021-29603/48827", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates 
its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37637", "id": "pyup.io-48846", "more_info_path": "/vulnerabilities/CVE-2021-37637/48846", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29551", "id": "pyup.io-48775", "more_info_path": "/vulnerabilities/CVE-2021-29551/48775", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29616", "id": "pyup.io-48840", "more_info_path": "/vulnerabilities/CVE-2021-29616/48840", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29568", "id": "pyup.io-48792", "more_info_path": "/vulnerabilities/CVE-2021-29568/48792", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29569", "id": "pyup.io-48793", "more_info_path": "/vulnerabilities/CVE-2021-29569/48793", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29529", "id": "pyup.io-48753", "more_info_path": "/vulnerabilities/CVE-2021-29529/48753", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29513", "id": "pyup.io-48737", "more_info_path": "/vulnerabilities/CVE-2021-29513/48737", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29515", "id": "pyup.io-48739", "more_info_path": 
"/vulnerabilities/CVE-2021-29515/48739", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29520", "id": "pyup.io-48744", "more_info_path": "/vulnerabilities/CVE-2021-29520/48744", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29538", "id": "pyup.io-48762", "more_info_path": "/vulnerabilities/CVE-2021-29538/48762", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29581", "id": "pyup.io-48805", "more_info_path": "/vulnerabilities/CVE-2021-29581/48805", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29577", "id": "pyup.io-48801", "more_info_path": "/vulnerabilities/CVE-2021-29577/48801", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29580", "id": "pyup.io-48804", "more_info_path": "/vulnerabilities/CVE-2021-29580/48804", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29583", "id": "pyup.io-48807", "more_info_path": "/vulnerabilities/CVE-2021-29583/48807", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29587", "id": "pyup.io-48811", "more_info_path": "/vulnerabilities/CVE-2021-29587/48811", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29592", "id": "pyup.io-48816", "more_info_path": "/vulnerabilities/CVE-2021-29592/48816", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37645", "id": "pyup.io-48853", "more_info_path": "/vulnerabilities/CVE-2021-37645/48853", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29606", "id": "pyup.io-48830", "more_info_path": "/vulnerabilities/CVE-2021-29606/48830", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29617", "id": "pyup.io-48841", "more_info_path": "/vulnerabilities/CVE-2021-29617/48841", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29618", "id": "pyup.io-48842", "more_info_path": "/vulnerabilities/CVE-2021-29618/48842", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37641", "id": "pyup.io-48849", "more_info_path": "/vulnerabilities/CVE-2021-37641/48849", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37649", "id": "pyup.io-48857", "more_info_path": "/vulnerabilities/CVE-2021-37649/48857", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37664", "id": "pyup.io-48872", "more_info_path": 
"/vulnerabilities/CVE-2021-37664/48872", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29560", "id": "pyup.io-48784", "more_info_path": "/vulnerabilities/CVE-2021-29560/48784", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29574", "id": "pyup.io-48798", "more_info_path": "/vulnerabilities/CVE-2021-29574/48798", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29571", "id": "pyup.io-48795", "more_info_path": "/vulnerabilities/CVE-2021-29571/48795", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29526", "id": "pyup.io-48750", "more_info_path": "/vulnerabilities/CVE-2021-29526/48750", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29517", "id": "pyup.io-48741", "more_info_path": "/vulnerabilities/CVE-2021-29517/48741", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29549", "id": "pyup.io-48773", "more_info_path": "/vulnerabilities/CVE-2021-29549/48773", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37651", "id": "pyup.io-48859", "more_info_path": "/vulnerabilities/CVE-2021-37651/48859", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29547", "id": "pyup.io-48771", "more_info_path": "/vulnerabilities/CVE-2021-29547/48771", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37672", "id": "pyup.io-48880", "more_info_path": "/vulnerabilities/CVE-2021-37672/48880", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37659", "id": "pyup.io-48867", "more_info_path": "/vulnerabilities/CVE-2021-37659/48867", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29559", "id": "pyup.io-48783", "more_info_path": "/vulnerabilities/CVE-2021-29559/48783", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8285", "id": "pyup.io-48730", "more_info_path": "/vulnerabilities/CVE-2020-8285/48730", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29566", "id": "pyup.io-48790", "more_info_path": "/vulnerabilities/CVE-2021-29566/48790", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37661", "id": "pyup.io-48869", "more_info_path": "/vulnerabilities/CVE-2021-37661/48869", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29516", "id": "pyup.io-48740", "more_info_path": 
"/vulnerabilities/CVE-2021-29516/48740", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29533", "id": "pyup.io-48757", "more_info_path": "/vulnerabilities/CVE-2021-29533/48757", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37674", "id": "pyup.io-48882", "more_info_path": "/vulnerabilities/CVE-2021-37674/48882", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29550", "id": "pyup.io-48774", "more_info_path": "/vulnerabilities/CVE-2021-29550/48774", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29555", "id": "pyup.io-48779", "more_info_path": "/vulnerabilities/CVE-2021-29555/48779", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29605", "id": "pyup.io-48829", "more_info_path": "/vulnerabilities/CVE-2021-29605/48829", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37642", "id": "pyup.io-48850", "more_info_path": "/vulnerabilities/CVE-2021-37642/48850", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37650", "id": "pyup.io-48858", "more_info_path": "/vulnerabilities/CVE-2021-37650/48858", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37675", "id": "pyup.io-48883", "more_info_path": "/vulnerabilities/CVE-2021-37675/48883", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37678", "id": "pyup.io-48886", "more_info_path": "/vulnerabilities/CVE-2021-37678/48886", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37681", "id": "pyup.io-48889", "more_info_path": "/vulnerabilities/CVE-2021-37681/48889", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29531", "id": "pyup.io-48755", "more_info_path": "/vulnerabilities/CVE-2021-29531/48755", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29535", "id": "pyup.io-48759", "more_info_path": "/vulnerabilities/CVE-2021-29535/48759", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8286", "id": "pyup.io-48731", "more_info_path": "/vulnerabilities/CVE-2020-8286/48731", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37663", "id": "pyup.io-48871", "more_info_path": "/vulnerabilities/CVE-2021-37663/48871", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37635", "id": "pyup.io-48844", "more_info_path": 
"/vulnerabilities/CVE-2021-37635/48844", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37643", "id": "pyup.io-48851", "more_info_path": "/vulnerabilities/CVE-2021-37643/48851", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29575", "id": "pyup.io-48799", "more_info_path": "/vulnerabilities/CVE-2021-29575/48799", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37655", "id": "pyup.io-48863", "more_info_path": "/vulnerabilities/CVE-2021-37655/48863", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29572", "id": "pyup.io-48796", "more_info_path": "/vulnerabilities/CVE-2021-29572/48796", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29612", "id": "pyup.io-48836", "more_info_path": "/vulnerabilities/CVE-2021-29612/48836", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37676", "id": "pyup.io-48884", "more_info_path": "/vulnerabilities/CVE-2021-37676/48884", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29585", "id": "pyup.io-48809", "more_info_path": "/vulnerabilities/CVE-2021-29585/48809", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29528", "id": "pyup.io-48752", "more_info_path": "/vulnerabilities/CVE-2021-29528/48752", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29600", "id": "pyup.io-48824", "more_info_path": "/vulnerabilities/CVE-2021-29600/48824", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29512", "id": "pyup.io-48736", "more_info_path": "/vulnerabilities/CVE-2021-29512/48736", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29609", "id": "pyup.io-48833", "more_info_path": "/vulnerabilities/CVE-2021-29609/48833", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29619", "id": "pyup.io-48843", "more_info_path": "/vulnerabilities/CVE-2021-29619/48843", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29542", "id": "pyup.io-48766", "more_info_path": "/vulnerabilities/CVE-2021-29542/48766", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29552", "id": "pyup.io-48776", "more_info_path": "/vulnerabilities/CVE-2021-29552/48776", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29565", "id": "pyup.io-48789", "more_info_path": 
"/vulnerabilities/CVE-2021-29565/48789", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29570", "id": "pyup.io-48794", "more_info_path": "/vulnerabilities/CVE-2021-29570/48794", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37646", "id": "pyup.io-48854", "more_info_path": "/vulnerabilities/CVE-2021-37646/48854", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37647", "id": "pyup.io-48855", "more_info_path": "/vulnerabilities/CVE-2021-37647/48855", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37668", "id": "pyup.io-48876", "more_info_path": "/vulnerabilities/CVE-2021-37668/48876", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37654", "id": "pyup.io-48862", "more_info_path": "/vulnerabilities/CVE-2021-37654/48862", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37656", "id": "pyup.io-48864", "more_info_path": "/vulnerabilities/CVE-2021-37656/48864", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37689", "id": "pyup.io-48897", "more_info_path": "/vulnerabilities/CVE-2021-37689/48897", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37667", "id": "pyup.io-48875", "more_info_path": "/vulnerabilities/CVE-2021-37667/48875", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37653", "id": "pyup.io-48861", "more_info_path": "/vulnerabilities/CVE-2021-37653/48861", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37648", "id": "pyup.io-48856", "more_info_path": "/vulnerabilities/CVE-2021-37648/48856", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29613", "id": "pyup.io-48837", "more_info_path": "/vulnerabilities/CVE-2021-29613/48837", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29537", "id": "pyup.io-48761", "more_info_path": "/vulnerabilities/CVE-2021-29537/48761", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29514", "id": "pyup.io-48738", "more_info_path": "/vulnerabilities/CVE-2021-29514/48738", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29540", "id": "pyup.io-48764", "more_info_path": "/vulnerabilities/CVE-2021-29540/48764", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37671", "id": "pyup.io-48879", "more_info_path": 
"/vulnerabilities/CVE-2021-37671/48879", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29518", "id": "pyup.io-48742", "more_info_path": "/vulnerabilities/CVE-2021-29518/48742", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37677", "id": "pyup.io-48885", "more_info_path": "/vulnerabilities/CVE-2021-37677/48885", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37657", "id": "pyup.io-48865", "more_info_path": "/vulnerabilities/CVE-2021-37657/48865", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29588", "id": "pyup.io-48812", "more_info_path": "/vulnerabilities/CVE-2021-29588/48812", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37680", "id": "pyup.io-48888", "more_info_path": "/vulnerabilities/CVE-2021-37680/48888", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37686", "id": "pyup.io-48894", "more_info_path": "/vulnerabilities/CVE-2021-37686/48894", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29563", "id": "pyup.io-48787", "more_info_path": "/vulnerabilities/CVE-2021-29563/48787", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29598", "id": "pyup.io-48822", "more_info_path": "/vulnerabilities/CVE-2021-29598/48822", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29557", "id": "pyup.io-48781", "more_info_path": "/vulnerabilities/CVE-2021-29557/48781", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29543", "id": "pyup.io-48767", "more_info_path": "/vulnerabilities/CVE-2021-29543/48767", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29610", "id": "pyup.io-48834", "more_info_path": "/vulnerabilities/CVE-2021-29610/48834", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37682", "id": "pyup.io-48890", "more_info_path": "/vulnerabilities/CVE-2021-37682/48890", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37690", "id": "pyup.io-48898", "more_info_path": "/vulnerabilities/CVE-2021-37690/48898", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37636", "id": "pyup.io-48845", "more_info_path": "/vulnerabilities/CVE-2021-37636/48845", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37691", "id": "pyup.io-48899", "more_info_path": 
"/vulnerabilities/CVE-2021-37691/48899", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29601", "id": "pyup.io-48825", "more_info_path": "/vulnerabilities/CVE-2021-29601/48825", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29536", "id": "pyup.io-48760", "more_info_path": "/vulnerabilities/CVE-2021-29536/48760", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37687", "id": "pyup.io-48895", "more_info_path": "/vulnerabilities/CVE-2021-37687/48895", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29554", "id": "pyup.io-48778", "more_info_path": "/vulnerabilities/CVE-2021-29554/48778", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29527", "id": "pyup.io-48751", "more_info_path": "/vulnerabilities/CVE-2021-29527/48751", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29611", "id": "pyup.io-48835", "more_info_path": "/vulnerabilities/CVE-2021-29611/48835", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37639", "id": "pyup.io-48848", "more_info_path": "/vulnerabilities/CVE-2021-37639/48848", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29525", "id": "pyup.io-48749", "more_info_path": "/vulnerabilities/CVE-2021-29525/48749", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-22898", "id": "pyup.io-48734", "more_info_path": "/vulnerabilities/CVE-2021-22898/48734", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37688", "id": "pyup.io-48896", "more_info_path": "/vulnerabilities/CVE-2021-37688/48896", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29595", "id": "pyup.io-48819", "more_info_path": "/vulnerabilities/CVE-2021-29595/48819", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29599", "id": "pyup.io-48823", "more_info_path": "/vulnerabilities/CVE-2021-29599/48823", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29532", "id": "pyup.io-48756", "more_info_path": "/vulnerabilities/CVE-2021-29532/48756", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29548", "id": "pyup.io-48772", "more_info_path": "/vulnerabilities/CVE-2021-29548/48772", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29524", "id": "pyup.io-48748", "more_info_path": 
"/vulnerabilities/CVE-2021-29524/48748", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29561", "id": "pyup.io-48785", "more_info_path": "/vulnerabilities/CVE-2021-29561/48785", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29608", "id": "pyup.io-48832", "more_info_path": "/vulnerabilities/CVE-2021-29608/48832", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29521", "id": "pyup.io-48745", "more_info_path": "/vulnerabilities/CVE-2021-29521/48745", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29578", "id": "pyup.io-48802", "more_info_path": "/vulnerabilities/CVE-2021-29578/48802", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37683", "id": "pyup.io-48891", "more_info_path": "/vulnerabilities/CVE-2021-37683/48891", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29594", "id": "pyup.io-48818", "more_info_path": "/vulnerabilities/CVE-2021-29594/48818", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29546", "id": "pyup.io-48770", "more_info_path": "/vulnerabilities/CVE-2021-29546/48770", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29564", "id": "pyup.io-48788", "more_info_path": "/vulnerabilities/CVE-2021-29564/48788", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29523", "id": "pyup.io-48747", "more_info_path": "/vulnerabilities/CVE-2021-29523/48747", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29562", "id": "pyup.io-48786", "more_info_path": "/vulnerabilities/CVE-2021-29562/48786", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29582", "id": "pyup.io-48806", "more_info_path": "/vulnerabilities/CVE-2021-29582/48806", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29584", "id": "pyup.io-48808", "more_info_path": "/vulnerabilities/CVE-2021-29584/48808", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29602", "id": "pyup.io-48826", "more_info_path": "/vulnerabilities/CVE-2021-29602/48826", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37666", "id": "pyup.io-48874", "more_info_path": "/vulnerabilities/CVE-2021-37666/48874", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29519", "id": "pyup.io-48743", "more_info_path": 
"/vulnerabilities/CVE-2021-29519/48743", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29576", "id": "pyup.io-48800", "more_info_path": "/vulnerabilities/CVE-2021-29576/48800", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37662", "id": "pyup.io-48870", "more_info_path": "/vulnerabilities/CVE-2021-37662/48870", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29522", "id": "pyup.io-48746", "more_info_path": "/vulnerabilities/CVE-2021-29522/48746", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8177", "id": "pyup.io-48727", "more_info_path": "/vulnerabilities/CVE-2020-8177/48727", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-22901", "id": "pyup.io-48735", "more_info_path": "/vulnerabilities/CVE-2021-22901/48735", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-22897", "id": "pyup.io-48733", "more_info_path": "/vulnerabilities/CVE-2021-22897/48733", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37652", "id": "pyup.io-48860", "more_info_path": "/vulnerabilities/CVE-2021-37652/48860", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29530", "id": "pyup.io-48754", "more_info_path": "/vulnerabilities/CVE-2021-29530/48754", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29545", "id": "pyup.io-48769", "more_info_path": "/vulnerabilities/CVE-2021-29545/48769", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29607", "id": "pyup.io-48831", "more_info_path": "/vulnerabilities/CVE-2021-29607/48831", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37670", "id": "pyup.io-48878", "more_info_path": "/vulnerabilities/CVE-2021-37670/48878", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29615", "id": "pyup.io-48839", "more_info_path": "/vulnerabilities/CVE-2021-29615/48839", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29591", "id": "pyup.io-48815", "more_info_path": "/vulnerabilities/CVE-2021-29591/48815", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37665", "id": "pyup.io-48873", "more_info_path": "/vulnerabilities/CVE-2021-37665/48873", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29589", "id": "pyup.io-48813", "more_info_path": 
"/vulnerabilities/CVE-2021-29589/48813", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29556", "id": "pyup.io-48780", "more_info_path": "/vulnerabilities/CVE-2021-29556/48780", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29534", "id": "pyup.io-48758", "more_info_path": "/vulnerabilities/CVE-2021-29534/48758", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37685", "id": "pyup.io-48893", "more_info_path": "/vulnerabilities/CVE-2021-37685/48893", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-37660", "id": "pyup.io-48868", "more_info_path": "/vulnerabilities/CVE-2021-37660/48868", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8169", "id": "pyup.io-48723", "more_info_path": "/vulnerabilities/CVE-2020-8169/48723", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-22876", "id": "pyup.io-48732", "more_info_path": "/vulnerabilities/CVE-2021-22876/48732", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8231", "id": "pyup.io-48728", "more_info_path": "/vulnerabilities/CVE-2020-8231/48728", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 
'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2020-8284", "id": "pyup.io-48729", "more_info_path": "/vulnerabilities/CVE-2020-8284/48729", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.10.0rc1 updates its dependency 'TensorFlow' to v2.5.1 to include security fixes.", "cve": "CVE-2021-29544", "id": "pyup.io-48768", "more_info_path": "/vulnerabilities/CVE-2021-29544/48768", "specs": [ "<0.10.0rc1" ], "v": "<0.10.0rc1" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23560", "id": "pyup.io-48959", "more_info_path": "/vulnerabilities/CVE-2022-23560/48959", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41226", "id": "pyup.io-48936", "more_info_path": "/vulnerabilities/CVE-2021-41226/48936", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23563", "id": "pyup.io-48962", "more_info_path": "/vulnerabilities/CVE-2022-23563/48962", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41199", "id": "pyup.io-48910", "more_info_path": "/vulnerabilities/CVE-2021-41199/48910", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21739", "id": "pyup.io-48953", "more_info_path": "/vulnerabilities/CVE-2022-21739/48953", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21732", "id": "pyup.io-48946", "more_info_path": 
"/vulnerabilities/CVE-2022-21732/48946", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23584", "id": "pyup.io-48983", "more_info_path": "/vulnerabilities/CVE-2022-23584/48983", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21725", "id": "pyup.io-48939", "more_info_path": "/vulnerabilities/CVE-2022-21725/48939", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41200", "id": "pyup.io-48911", "more_info_path": "/vulnerabilities/CVE-2021-41200/48911", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21736", "id": "pyup.io-48950", "more_info_path": "/vulnerabilities/CVE-2022-21736/48950", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41210", "id": "pyup.io-48921", "more_info_path": "/vulnerabilities/CVE-2021-41210/48921", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23575", "id": "pyup.io-48974", "more_info_path": "/vulnerabilities/CVE-2022-23575/48974", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41212", "id": "pyup.io-48923", "more_info_path": "/vulnerabilities/CVE-2021-41212/48923", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23583", "id": "pyup.io-48982", "more_info_path": "/vulnerabilities/CVE-2022-23583/48982", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23589", "id": "pyup.io-48988", "more_info_path": "/vulnerabilities/CVE-2022-23589/48988", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41216", "id": "pyup.io-48927", "more_info_path": "/vulnerabilities/CVE-2021-41216/48927", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41208", "id": "pyup.io-48919", "more_info_path": "/vulnerabilities/CVE-2021-41208/48919", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41213", "id": "pyup.io-48924", "more_info_path": "/vulnerabilities/CVE-2021-41213/48924", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41209", "id": "pyup.io-48920", "more_info_path": "/vulnerabilities/CVE-2021-41209/48920", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23569", "id": "pyup.io-48968", "more_info_path": "/vulnerabilities/CVE-2022-23569/48968", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23568", "id": "pyup.io-48967", "more_info_path": 
"/vulnerabilities/CVE-2022-23568/48967", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23567", "id": "pyup.io-48966", "more_info_path": "/vulnerabilities/CVE-2022-23567/48966", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23574", "id": "pyup.io-48973", "more_info_path": "/vulnerabilities/CVE-2022-23574/48973", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23580", "id": "pyup.io-48979", "more_info_path": "/vulnerabilities/CVE-2022-23580/48979", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41227", "id": "pyup.io-48937", "more_info_path": "/vulnerabilities/CVE-2021-41227/48937", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21734", "id": "pyup.io-48948", "more_info_path": "/vulnerabilities/CVE-2022-21734/48948", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21728", "id": "pyup.io-48942", "more_info_path": "/vulnerabilities/CVE-2022-21728/48942", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23591", "id": "pyup.io-48989", "more_info_path": "/vulnerabilities/CVE-2022-23591/48989", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23588", "id": "pyup.io-48987", "more_info_path": "/vulnerabilities/CVE-2022-23588/48987", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41204", "id": "pyup.io-48915", "more_info_path": "/vulnerabilities/CVE-2021-41204/48915", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41225", "id": "pyup.io-48935", "more_info_path": "/vulnerabilities/CVE-2021-41225/48935", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23557", "id": "pyup.io-48956", "more_info_path": "/vulnerabilities/CVE-2022-23557/48956", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23579", "id": "pyup.io-48978", "more_info_path": "/vulnerabilities/CVE-2022-23579/48978", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23571", "id": "pyup.io-48970", "more_info_path": "/vulnerabilities/CVE-2022-23571/48970", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23566", "id": "pyup.io-48965", "more_info_path": "/vulnerabilities/CVE-2022-23566/48965", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23595", "id": "pyup.io-48990", "more_info_path": 
"/vulnerabilities/CVE-2022-23595/48990", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23578", "id": "pyup.io-48977", "more_info_path": "/vulnerabilities/CVE-2022-23578/48977", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21726", "id": "pyup.io-48940", "more_info_path": "/vulnerabilities/CVE-2022-21726/48940", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41224", "id": "pyup.io-48934", "more_info_path": "/vulnerabilities/CVE-2021-41224/48934", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23562", "id": "pyup.io-48961", "more_info_path": "/vulnerabilities/CVE-2022-23562/48961", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23581", "id": "pyup.io-48980", "more_info_path": "/vulnerabilities/CVE-2022-23581/48980", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41221", "id": "pyup.io-48931", "more_info_path": "/vulnerabilities/CVE-2021-41221/48931", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21735", "id": "pyup.io-48949", "more_info_path": "/vulnerabilities/CVE-2022-21735/48949", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41207", "id": "pyup.io-48918", "more_info_path": "/vulnerabilities/CVE-2021-41207/48918", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41195", "id": "pyup.io-48906", "more_info_path": "/vulnerabilities/CVE-2021-41195/48906", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23587", "id": "pyup.io-48986", "more_info_path": "/vulnerabilities/CVE-2022-23587/48986", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41222", "id": "pyup.io-48932", "more_info_path": "/vulnerabilities/CVE-2021-41222/48932", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23564", "id": "pyup.io-48963", "more_info_path": "/vulnerabilities/CVE-2022-23564/48963", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41205", "id": "pyup.io-48916", "more_info_path": "/vulnerabilities/CVE-2021-41205/48916", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23565", "id": "pyup.io-48964", "more_info_path": "/vulnerabilities/CVE-2022-23565/48964", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23558", "id": "pyup.io-48957", "more_info_path": 
"/vulnerabilities/CVE-2022-23558/48957", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23585", "id": "pyup.io-48984", "more_info_path": "/vulnerabilities/CVE-2022-23585/48984", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41202", "id": "pyup.io-48913", "more_info_path": "/vulnerabilities/CVE-2021-41202/48913", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41198", "id": "pyup.io-48909", "more_info_path": "/vulnerabilities/CVE-2021-41198/48909", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23559", "id": "pyup.io-48958", "more_info_path": "/vulnerabilities/CVE-2022-23559/48958", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23561", "id": "pyup.io-48960", "more_info_path": "/vulnerabilities/CVE-2022-23561/48960", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41228", "id": "pyup.io-48938", "more_info_path": "/vulnerabilities/CVE-2021-41228/48938", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41217", "id": "pyup.io-48928", "more_info_path": "/vulnerabilities/CVE-2021-41217/48928", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23577", "id": "pyup.io-48976", "more_info_path": "/vulnerabilities/CVE-2022-23577/48976", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21731", "id": "pyup.io-48945", "more_info_path": "/vulnerabilities/CVE-2022-21731/48945", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41223", "id": "pyup.io-48933", "more_info_path": "/vulnerabilities/CVE-2021-41223/48933", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41206", "id": "pyup.io-48917", "more_info_path": "/vulnerabilities/CVE-2021-41206/48917", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41201", "id": "pyup.io-48912", "more_info_path": "/vulnerabilities/CVE-2021-41201/48912", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23586", "id": "pyup.io-48985", "more_info_path": "/vulnerabilities/CVE-2022-23586/48985", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41219", "id": "pyup.io-48930", "more_info_path": "/vulnerabilities/CVE-2021-41219/48930", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23582", "id": "pyup.io-48981", "more_info_path": 
"/vulnerabilities/CVE-2022-23582/48981", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41218", "id": "pyup.io-48929", "more_info_path": "/vulnerabilities/CVE-2021-41218/48929", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21733", "id": "pyup.io-48947", "more_info_path": "/vulnerabilities/CVE-2022-21733/48947", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41197", "id": "pyup.io-48908", "more_info_path": "/vulnerabilities/CVE-2021-41197/48908", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21737", "id": "pyup.io-48951", "more_info_path": "/vulnerabilities/CVE-2022-21737/48951", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41196", "id": "pyup.io-48907", "more_info_path": "/vulnerabilities/CVE-2021-41196/48907", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41214", "id": "pyup.io-48925", "more_info_path": "/vulnerabilities/CVE-2021-41214/48925", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21729", "id": "pyup.io-48943", "more_info_path": "/vulnerabilities/CVE-2022-21729/48943", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21738", "id": "pyup.io-48952", "more_info_path": "/vulnerabilities/CVE-2022-21738/48952", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41215", "id": "pyup.io-48926", "more_info_path": "/vulnerabilities/CVE-2021-41215/48926", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21727", "id": "pyup.io-48941", "more_info_path": "/vulnerabilities/CVE-2022-21727/48941", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2020-10531", "id": "pyup.io-48900", "more_info_path": "/vulnerabilities/CVE-2020-10531/48900", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21730", "id": "pyup.io-48944", "more_info_path": "/vulnerabilities/CVE-2022-21730/48944", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23572", "id": "pyup.io-48971", "more_info_path": "/vulnerabilities/CVE-2022-23572/48971", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23576", "id": "pyup.io-48975", "more_info_path": "/vulnerabilities/CVE-2022-23576/48975", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-22924", "id": "pyup.io-48903", "more_info_path": 
"/vulnerabilities/CVE-2021-22924/48903", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21740", "id": "pyup.io-48954", "more_info_path": "/vulnerabilities/CVE-2022-21740/48954", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41211", "id": "pyup.io-48922", "more_info_path": "/vulnerabilities/CVE-2021-41211/48922", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23573", "id": "pyup.io-48972", "more_info_path": "/vulnerabilities/CVE-2022-23573/48972", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41203", "id": "pyup.io-48914", "more_info_path": "/vulnerabilities/CVE-2021-41203/48914", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-21741", "id": "pyup.io-48955", "more_info_path": "/vulnerabilities/CVE-2022-21741/48955", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23570", "id": "pyup.io-48969", "more_info_path": "/vulnerabilities/CVE-2022-23570/48969", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-22922", "id": "pyup.io-48901", "more_info_path": "/vulnerabilities/CVE-2021-22922/48901", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 
'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-22923", "id": "pyup.io-48902", "more_info_path": "/vulnerabilities/CVE-2021-22923/48902", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-22926", "id": "pyup.io-48905", "more_info_path": "/vulnerabilities/CVE-2021-22926/48905", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.12.0rc0 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-22925", "id": "pyup.io-48904", "more_info_path": "/vulnerabilities/CVE-2021-22925/48904", "specs": [ "<0.12.0rc0" ], "v": "<0.12.0rc0" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13434", "id": "pyup.io-48684", "more_info_path": "/vulnerabilities/CVE-2020-13434/48684", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2018-20330", "id": "pyup.io-48669", "more_info_path": "/vulnerabilities/CVE-2018-20330/48669", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15195", "id": "pyup.io-48693", "more_info_path": "/vulnerabilities/CVE-2020-15195/48693", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15206", "id": "pyup.io-48698", "more_info_path": "/vulnerabilities/CVE-2020-15206/48698", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15209", "id": "pyup.io-48701", "more_info_path": "/vulnerabilities/CVE-2020-15209/48701", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 
updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-26266", "id": "pyup.io-48705", "more_info_path": "/vulnerabilities/CVE-2020-26266/48705", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15211", "id": "pyup.io-48703", "more_info_path": "/vulnerabilities/CVE-2020-15211/48703", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15194", "id": "pyup.io-48692", "more_info_path": "/vulnerabilities/CVE-2020-15194/48692", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-26267", "id": "pyup.io-48706", "more_info_path": "/vulnerabilities/CVE-2020-26267/48706", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-19244", "id": "pyup.io-48675", "more_info_path": "/vulnerabilities/CVE-2019-19244/48675", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13435", "id": "pyup.io-48685", "more_info_path": "/vulnerabilities/CVE-2020-13435/48685", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-11655", "id": "pyup.io-48682", "more_info_path": "/vulnerabilities/CVE-2020-11655/48682", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-11656", "id": "pyup.io-48683", "more_info_path": "/vulnerabilities/CVE-2020-11656/48683", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 
'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15190", "id": "pyup.io-48691", "more_info_path": "/vulnerabilities/CVE-2020-15190/48691", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15202", "id": "pyup.io-48694", "more_info_path": "/vulnerabilities/CVE-2020-15202/48694", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15210", "id": "pyup.io-48702", "more_info_path": "/vulnerabilities/CVE-2020-15210/48702", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-26271", "id": "pyup.io-48709", "more_info_path": "/vulnerabilities/CVE-2020-26271/48709", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13631", "id": "pyup.io-48687", "more_info_path": "/vulnerabilities/CVE-2020-13631/48687", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-13960", "id": "pyup.io-48671", "more_info_path": "/vulnerabilities/CVE-2019-13960/48671", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-5215", "id": "pyup.io-48710", "more_info_path": "/vulnerabilities/CVE-2020-5215/48710", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-5482", "id": "pyup.io-48681", "more_info_path": "/vulnerabilities/CVE-2019-5482/48681", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include 
security fixes.", "cve": "CVE-2020-15207", "id": "pyup.io-48699", "more_info_path": "/vulnerabilities/CVE-2020-15207/48699", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15204", "id": "pyup.io-48696", "more_info_path": "/vulnerabilities/CVE-2020-15204/48696", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15208", "id": "pyup.io-48700", "more_info_path": "/vulnerabilities/CVE-2020-15208/48700", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2018-19664", "id": "pyup.io-48668", "more_info_path": "/vulnerabilities/CVE-2018-19664/48668", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-16778", "id": "pyup.io-48674", "more_info_path": "/vulnerabilities/CVE-2019-16778/48674", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15203", "id": "pyup.io-48695", "more_info_path": "/vulnerabilities/CVE-2020-15203/48695", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-19645", "id": "pyup.io-48676", "more_info_path": "/vulnerabilities/CVE-2019-19645/48676", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15205", "id": "pyup.io-48697", "more_info_path": "/vulnerabilities/CVE-2020-15205/48697", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": 
"CVE-2019-19880", "id": "pyup.io-48678", "more_info_path": "/vulnerabilities/CVE-2019-19880/48678", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-9327", "id": "pyup.io-48711", "more_info_path": "/vulnerabilities/CVE-2020-9327/48711", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-19646", "id": "pyup.io-48677", "more_info_path": "/vulnerabilities/CVE-2019-19646/48677", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-26270", "id": "pyup.io-48708", "more_info_path": "/vulnerabilities/CVE-2020-26270/48708", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-26268", "id": "pyup.io-48707", "more_info_path": "/vulnerabilities/CVE-2020-26268/48707", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-14155", "id": "pyup.io-48690", "more_info_path": "/vulnerabilities/CVE-2020-14155/48690", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13871", "id": "pyup.io-48689", "more_info_path": "/vulnerabilities/CVE-2020-13871/48689", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-15250", "id": "pyup.io-48704", "more_info_path": "/vulnerabilities/CVE-2020-15250/48704", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-5481", "id": 
"pyup.io-48680", "more_info_path": "/vulnerabilities/CVE-2019-5481/48680", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-20838", "id": "pyup.io-48679", "more_info_path": "/vulnerabilities/CVE-2019-20838/48679", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2018-17190", "id": "pyup.io-48667", "more_info_path": "/vulnerabilities/CVE-2018-17190/48667", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13630", "id": "pyup.io-48686", "more_info_path": "/vulnerabilities/CVE-2020-13630/48686", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2020-13790", "id": "pyup.io-48688", "more_info_path": "/vulnerabilities/CVE-2020-13790/48688", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-10099", "id": "pyup.io-48670", "more_info_path": "/vulnerabilities/CVE-2019-10099/48670", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2019-16168", "id": "pyup.io-48673", "more_info_path": "/vulnerabilities/CVE-2019-16168/48673", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.", "cve": "CVE-2018-11770", "id": "pyup.io-48666", "more_info_path": "/vulnerabilities/CVE-2018-11770/48666", "specs": [ "<0.8" ], "v": "<0.8" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-26266", "id": "pyup.io-48718", 
"more_info_path": "/vulnerabilities/CVE-2020-26266/48718", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-26267", "id": "pyup.io-48719", "more_info_path": "/vulnerabilities/CVE-2020-26267/48719", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-14155", "id": "pyup.io-48714", "more_info_path": "/vulnerabilities/CVE-2020-14155/48714", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-26270", "id": "pyup.io-48721", "more_info_path": "/vulnerabilities/CVE-2020-26270/48721", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-15266", "id": "pyup.io-48717", "more_info_path": "/vulnerabilities/CVE-2020-15266/48717", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-15265", "id": "pyup.io-48716", "more_info_path": "/vulnerabilities/CVE-2020-15265/48716", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-26268", "id": "pyup.io-48720", "more_info_path": "/vulnerabilities/CVE-2020-26268/48720", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-26271", "id": "pyup.io-48722", "more_info_path": "/vulnerabilities/CVE-2020-26271/48722", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-13790", "id": "pyup.io-48713", "more_info_path": 
"/vulnerabilities/CVE-2020-13790/48713", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2020-15250", "id": "pyup.io-48715", "more_info_path": "/vulnerabilities/CVE-2020-15250/48715", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.9 updates its dependency 'TensorFlow' to v2.4.1 to include security fixes.", "cve": "CVE-2019-20838", "id": "pyup.io-48712", "more_info_path": "/vulnerabilities/CVE-2019-20838/48712", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Deepcell 0.12.0rc2 and prior include a version of TensorFlow (2.8.0) with known vulnerabilities.", "cve": "CVE-2022-35939", "id": "pyup.io-48591", "more_info_path": "/vulnerabilities/CVE-2022-35939/48591", "specs": [ "<=0.12.0rc2" ], "v": "<=0.12.0rc2" } ], "deepchecks": [ { "advisory": "Deepchecks version 0.18.0 updates its dependency on pillow to version 10.0.1 from 9.5.0 addressing security vulnerability CVE-2023-4863.\r\nhttps://github.com/deepchecks/deepchecks/pull/2683", "cve": "CVE-2023-4863", "id": "pyup.io-64767", "more_info_path": "/vulnerabilities/CVE-2023-4863/64767", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { "advisory": "Deepchecks version 0.18.0 updates its dependency on jupyter-server to version 2.7.2 from 1.24.0, addressing security vulnerability CVE-2023-40170.\r\nhttps://github.com/deepchecks/deepchecks/pull/2683", "cve": "CVE-2023-40170", "id": "pyup.io-64764", "more_info_path": "/vulnerabilities/CVE-2023-40170/64764", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { "advisory": "Deepchecks version 0.18.0 updates its dependency on jupyter-server to version 2.7.2 from 1.24.0, addressing security vulnerability CVE-2023-39968.\r\nhttps://github.com/deepchecks/deepchecks/pull/2683", "cve": "CVE-2023-39968", "id": "pyup.io-64765", "more_info_path": "/vulnerabilities/CVE-2023-39968/64765", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { "advisory": "Deepchecks version 0.18.0 updates its 
dependency on pillow to version 10.0.1 from 9.5.0 addressing security vulnerability CVE-2023-4863.\r\nhttps://github.com/deepchecks/deepchecks/pull/2683", "cve": "CVE-2023-4863", "id": "pyup.io-64766", "more_info_path": "/vulnerabilities/CVE-2023-4863/64766", "specs": [ "<0.18.0" ], "v": "<0.18.0" } ], "deepdataspace": [ { "advisory": "Deepdataspace version 0.11.0 upgrades its cryptography library from version 42.0.2 to 42.0.5 to address the security issue detailed in CVE-2024-26130.", "cve": "CVE-2024-26130", "id": "pyup.io-67007", "more_info_path": "/vulnerabilities/CVE-2024-26130/67007", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Deepdataspace 0.5.0 updates its dependency 'cryptography' to version '41.0.2' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/4ddc986c8d12be1f2d805bc1085b336c40f4a5c1", "cve": "CVE-2023-2650", "id": "pyup.io-60650", "more_info_path": "/vulnerabilities/CVE-2023-2650/60650", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "Deepdataspace 0.5.0 updates its dependency 'cryptography' to version '41.0.2' to include a fix for an Improper Certificate Validation vulnerability.\r\nhttps://github.com/IDEA-Research/deepdataspace/commit/4ddc986c8d12be1f2d805bc1085b336c40f4a5c1", "cve": "CVE-2023-38325", "id": "pyup.io-60649", "more_info_path": "/vulnerabilities/CVE-2023-38325/60649", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { "advisory": "Deepdataspace 0.5.0 updates its dependency 'django' to version '4.1.10' to include a fix for a ReDoS vulnerability.", "cve": "CVE-2023-36053", "id": "pyup.io-60633", "more_info_path": "/vulnerabilities/CVE-2023-36053/60633", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "deephaven-core": [ { "advisory": "Deephaven-core 0.11.0 fixes a race condition that could lead to session expiry discrepancies.\r\nhttps://github.com/deephaven/deephaven-core/pull/2064/commits/b86cee3c59ca3eafb397904b9ff644501f8914f7", "cve": "PVE-2024-64267", "id": 
"pyup.io-64267", "more_info_path": "/vulnerabilities/PVE-2024-64267/64267", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, { "advisory": "Deephaven-core 0.20.0 fixes a race condition that could occur when using the 'Select Distinct' function. It could lead to potential issues with the data displayed in the application.\r\nhttps://github.com/deephaven/deephaven-core/pull/3252", "cve": "PVE-2024-64265", "id": "pyup.io-64265", "more_info_path": "/vulnerabilities/PVE-2024-64265/64265", "specs": [ "<0.20.0" ], "v": "<0.20.0" }, { "advisory": "Deephaven-core 0.29.0 addresses a race condition that caused a Null Pointer Exception when receiving an empty update on a Barrage subscription after the initial subscription had been completed.\r\nhttps://github.com/deephaven/deephaven-core/pull/4630", "cve": "PVE-2024-64264", "id": "pyup.io-64264", "more_info_path": "/vulnerabilities/PVE-2024-64264/64264", "specs": [ "<0.29.0" ], "v": "<0.29.0" }, { "advisory": "Deephaven-core 0.30.0 addresses a initialization race condition in LiveAttributeMap.immutableAttributes. It previously led to potential conflicts and inconsistencies in concurrent data processing or resource management. \r\nhttps://github.com/deephaven/deephaven-core/pull/4747/commits/425ba79ebb5cc83e830e9593d370501cd0611aca", "cve": "PVE-2024-64263", "id": "pyup.io-64263", "more_info_path": "/vulnerabilities/PVE-2024-64263/64263", "specs": [ "<0.30.0" ], "v": "<0.30.0" }, { "advisory": "Deephaven-core 0.7.0 fixes a race condition that could potentially cause inconsistent behavior depending on whether the awaitTermination() call times out or completes normally. This was due to checking the state of the ModelFarm object immediately after the awaitTermination() call, before all threads had finished executing. 
The fix ensures that the ModelFarm has fully terminated before its state is checked, thus preventing the race condition.\r\nhttps://github.com/deephaven/deephaven-core/pull/1642", "cve": "PVE-2024-64268", "id": "pyup.io-64268", "more_info_path": "/vulnerabilities/PVE-2024-64268/64268", "specs": [ "<0.7.0" ], "v": "<0.7.0" } ], "deepl": [ { "advisory": "Deepl 1.13.0 updates its certifi package from version 2022.9.24 to 2022.12.7 in response to the security issue CVE-2022-23491.\r\nhttps://github.com/DeepLcom/deepl-python/commit/0e5f71eb26510b2fe0baf17b3d450531918d701c", "cve": "CVE-2022-23491", "id": "pyup.io-65007", "more_info_path": "/vulnerabilities/CVE-2022-23491/65007", "specs": [ "<1.13.0" ], "v": "<1.13.0" }, { "advisory": "Deepl version 1.3.2 has updated its \"follow-redirects\" dependency to address the security vulnerability identified as CVE-2022-0536.", "cve": "CVE-2022-0536", "id": "pyup.io-65008", "more_info_path": "/vulnerabilities/CVE-2022-0536/65008", "specs": [ "<1.3.1" ], "v": "<1.3.1" }, { "advisory": "Deepl version 1.3.2 has updated its \"follow-redirects\" dependency to address the security vulnerability identified as CVE-2022-0536.", "cve": "CVE-2022-0536", "id": "pyup.io-65009", "more_info_path": "/vulnerabilities/CVE-2022-0536/65009", "specs": [ "<1.3.2" ], "v": "<1.3.2" } ], "deeposlandia": [ { "advisory": "Deeposlandia 0.6 updates its dependency 'Tensorflow' to v1.15 to include security fixes.", "cve": "PVE-2021-37524", "id": "pyup.io-43828", "more_info_path": "/vulnerabilities/PVE-2021-37524/43828", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Deeposlandia 0.6 updates its dependency 'Tensorflow' to v1.15 to include security fixes.", "cve": "CVE-2019-16778", "id": "pyup.io-38133", "more_info_path": "/vulnerabilities/CVE-2019-16778/38133", "specs": [ "<0.6" ], "v": "<0.6" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to include security fixes.", "cve": "CVE-2019-19911", "id": "pyup.io-54900", "more_info_path": 
"/vulnerabilities/CVE-2019-19911/54900", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to include security fixes.", "cve": "CVE-2020-5313", "id": "pyup.io-54899", "more_info_path": "/vulnerabilities/CVE-2020-5313/54899", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to include security fixes.", "cve": "CVE-2020-5312", "id": "pyup.io-54898", "more_info_path": "/vulnerabilities/CVE-2020-5312/54898", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to include security fixes.", "cve": "CVE-2020-5311", "id": "pyup.io-54897", "more_info_path": "/vulnerabilities/CVE-2020-5311/54897", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to include security fixes.", "cve": "CVE-2020-5310", "id": "pyup.io-38285", "more_info_path": "/vulnerabilities/CVE-2020-5310/38285", "specs": [ "<0.6.2" ], "v": "<0.6.2" } ], "deepspeed": [ { "advisory": "Affected versions of DeepSpeed are vulnerable to Command Injection \u2014 CWE-78. The attack can be performed by injecting malicious input into parameters that are passed to subprocess calls with shell=True. Vulnerable functions include multiple instances where subprocess.run() and subprocess.check_output() are called with unsanitized input and shell=True. To exploit this vulnerability, an attacker would need to supply specially crafted input to these functions, which could be possible in environments where user input is processed. 
To mitigate this issue, users should update to the version of DeepSpeed where these subprocess calls have been secured by removing shell=True and properly handling command arguments.", "cve": "PVE-2024-73647", "id": "pyup.io-73647", "more_info_path": "/vulnerabilities/PVE-2024-73647/73647", "specs": [ "<0.15.2" ], "v": "<0.15.2" } ], "definitions": [ { "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.", "cve": "CVE-2018-20325", "id": "pyup.io-36752", "more_info_path": "/vulnerabilities/CVE-2018-20325/36752", "specs": [ "<=0.2.0" ], "v": "<=0.2.0" } ], "defusedexpat": [ { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "cve": "CVE-2013-1664", "id": "pyup.io-33054", "more_info_path": "/vulnerabilities/CVE-2013-1664/33054", "specs": [ "<0.3" ], "v": "<0.3" }, { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "cve": "CVE-2013-1665", "id": "pyup.io-33055", "more_info_path": "/vulnerabilities/CVE-2013-1665/33055", "specs": [ "<0.3" ], "v": "<0.3" } ], "defusedxml": [ { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource 
consumption and crash) via an XML Entity Expansion (XEE) attack.", "cve": "CVE-2013-1664", "id": "pyup.io-33056", "more_info_path": "/vulnerabilities/CVE-2013-1664/33056", "specs": [ "<0.4" ], "v": "<0.4" }, { "advisory": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "cve": "CVE-2013-1665", "id": "pyup.io-33057", "more_info_path": "/vulnerabilities/CVE-2013-1665/33057", "specs": [ "<0.4" ], "v": "<0.4" } ], "deis": [ { "advisory": "Deis 1.4.0 disables SSLv3 protocol in router code to avoid known vulnerabilities.\r\nhttps://github.com/deis/deis/commit/93bb0fd9cb33e5b8bdcfdc277d15d61b938a88d4", "cve": "CVE-2014-3566", "id": "pyup.io-25691", "more_info_path": "/vulnerabilities/CVE-2014-3566/25691", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "delphi-epidata": [ { "advisory": "Delphi-epidata 0.3.12 updates its dependency 'nokogiri' to v1.13.3 to include security fixes.", "cve": "CVE-2021-30560", "id": "pyup.io-45503", "more_info_path": "/vulnerabilities/CVE-2021-30560/45503", "specs": [ "<0.3.12" ], "v": "<0.3.12" }, { "advisory": "Delphi-epidata 0.3.12 updates its dependency 'nokogiri' to v1.13.3 to include security fixes.", "cve": "CVE-2022-23308", "id": "pyup.io-45397", "more_info_path": "/vulnerabilities/CVE-2022-23308/45397", "specs": [ "<0.3.12" ], "v": "<0.3.12" } ], "deltachat": [ { "advisory": "Deltachat 1.0.0b17 uses a version of 'Deltachat-core' that fixes a potential SQL injection vulnerability in Chat-Group-Name breakage.\r\nhttps://github.com/deltachat/deltachat-core-rust/pull/1024/files", "cve": "PVE-2021-40086", "id": "pyup.io-40086", "more_info_path": "/vulnerabilities/PVE-2021-40086/40086", "specs": [ "<1.0.0b17" ], "v": "<1.0.0b17" }, { "advisory": "Deltachat 1.0.0beta.2 uses a version 
of 'Deltachat-core' that includes several security fixes.", "cve": "PVE-2021-37922", "id": "pyup.io-37922", "more_info_path": "/vulnerabilities/PVE-2021-37922/37922", "specs": [ "<1.0.0beta.2" ], "v": "<1.0.0beta.2" }, { "advisory": "Deltachat 1.102.0 uses a version of 'Deltachat-core' that includes a fix to prevent forgery attacks.\r\nhttps://github.com/deltachat/deltachat-core-rust/commit/4b17813b9fc35a07d341ff374df14ef436abdff3", "cve": "PVE-2023-52751", "id": "pyup.io-52751", "more_info_path": "/vulnerabilities/PVE-2023-52751/52751", "specs": [ "<1.102.0" ], "v": "<1.102.0" }, { "advisory": "Deltachat 1.51.0 uses a version of 'Deltachat-core' that improves and hardens secure join feature.", "cve": "PVE-2021-40084", "id": "pyup.io-40084", "more_info_path": "/vulnerabilities/PVE-2021-40084/40084", "specs": [ "<1.51.0" ], "v": "<1.51.0" } ], "deluge": [ { "advisory": "CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.", "cve": "CVE-2017-7178", "id": "pyup.io-67432", "more_info_path": "/vulnerabilities/CVE-2017-7178/67432", "specs": [ "<1.3.14" ], "v": "<1.3.14" }, { "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", "cve": "PVE-2021-37155", "id": "pyup.io-37155", "more_info_path": "/vulnerabilities/PVE-2021-37155/37155", "specs": [ "<2.0.0" ], "v": "<2.0.0" }, { "advisory": "The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file.", "cve": "CVE-2017-9031", "id": "pyup.io-67433", "more_info_path": "/vulnerabilities/CVE-2017-9031/67433", "specs": [ "<=1.3.14" ], "v": "<=1.3.14" }, { "advisory": "The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. 
The data from torrent files is not properly sanitised, as it is interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary JavaScript code in the context of the user's browser session.", "cve": "CVE-2021-3427", "id": "pyup.io-54472", "more_info_path": "/vulnerabilities/CVE-2021-3427/54472", "specs": [ ">=0,<2.1.0" ], "v": ">=0,<2.1.0" } ], "dendromatics": [ { "advisory": "Dendromatics 0.4.2 upgrades its csf_3dfin dependency from 1.1.5 to 1.3.0, bringing along numerous bug fixes and performance enhancements. A key improvement includes resolving a race condition that previously led to unpredictable execution outcomes.\r\nhttps://github.com/3DFin/dendromatics/commit/fe5144764264fec818344903e2f4c83f90c0978c", "cve": "PVE-2024-66664", "id": "pyup.io-66664", "more_info_path": "/vulnerabilities/PVE-2024-66664/66664", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "denyhosts": [ { "advisory": "denyhosts 2.6 uses an incorrect regular expression when analyzing authentication logs, which allows remote attackers to cause a denial of service (incorrect block of IP addresses) via crafted login names.", "cve": "CVE-2013-6890", "id": "pyup.io-67959", "more_info_path": "/vulnerabilities/CVE-2013-6890/67959", "specs": [ "<2.7" ], "v": "<2.7" } ], "dequests": [ { "advisory": "Dequests is a malicious package, typosquatting the popular Python 'requests' library. 
It embeds source code that retrieves a Golang-based ransomware binary from a remote server.\r\nhttps://thehackernews.com/2022/12/malware-strains-targeting-python-and.html", "cve": "PVE-2023-52886", "id": "pyup.io-52886", "more_info_path": "/vulnerabilities/PVE-2023-52886/52886", "specs": [ ">0" ], "v": ">0" } ], "descarteslabs": [ { "advisory": "Descarteslabs 0.4.7 includes a fix for a potential race condition vulnerability.\r\nhttps://github.com/descarteslabs/descarteslabs-python/pull/181", "cve": "PVE-2023-61599", "id": "pyup.io-61599", "more_info_path": "/vulnerabilities/PVE-2023-61599/61599", "specs": [ "<0.4.7" ], "v": "<0.4.7" }, { "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.", "cve": "PVE-2021-40827", "id": "pyup.io-40827", "more_info_path": "/vulnerabilities/PVE-2021-40827/40827", "specs": [ "<1.8.1" ], "v": "<1.8.1" }, { "advisory": "Descarteslabs version 3.0.0 has upgraded its urllib3 dependency to a newer version range, now requiring >=1.26.12 and <2. This update corrects the earlier version range of >=1.26.18,<2, and addresses security concerns linked to CVE-2023-45803.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/7ad8fd2aadc4c10799b19bd4637f56d867dbf374", "cve": "CVE-2023-45803", "id": "pyup.io-64830", "more_info_path": "/vulnerabilities/CVE-2023-45803/64830", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { "advisory": "Descarteslabs version 3.0.2 has upgraded its pyarrow dependency to require a minimum of version 14.0.1, moving from the earlier stipulation of version 13.0.0 or newer. 
This update is in response to addressing security concerns highlighted by CVE-2019-12410.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5", "cve": "CVE-2019-12410", "id": "pyup.io-65085", "more_info_path": "/vulnerabilities/CVE-2019-12410/65085", "specs": [ "<3.0.2" ], "v": "<3.0.2" }, { "advisory": "Descarteslabs version 3.0.2 has updated its minimum required version of the requests library to 2.31.0, previously set at 2.28.1 or higher. This upgrade addresses the security issue identified as CVE-2023-32681.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5", "cve": "CVE-2023-32681", "id": "pyup.io-65092", "more_info_path": "/vulnerabilities/CVE-2023-32681/65092", "specs": [ "<3.0.2" ], "v": "<3.0.2" } ], "descope": [ { "advisory": "Descope 0.3.0 updates its dependency 'cryptography' to v38.0.3 to include a security fix.", "cve": "CVE-2022-3602", "id": "pyup.io-52092", "more_info_path": "/vulnerabilities/CVE-2022-3602/52092", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "designate": [ { "advisory": "Designate does not enforce the DNS protocol limit concerning record set sizes", "cve": "CVE-2015-5694", "id": "pyup.io-70474", "more_info_path": "/vulnerabilities/CVE-2015-5694/70474", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set.", "cve": "CVE-2015-5695", "id": "pyup.io-70475", "more_info_path": "/vulnerabilities/CVE-2015-5695/70475", "specs": [ "<=1.0.0.0b1" ], "v": "<=1.0.0.0b1" }, { "advisory": "An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made 
world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.", "cve": "CVE-2023-6725", "id": "pyup.io-71381", "more_info_path": "/vulnerabilities/CVE-2023-6725/71381", "specs": [ ">=0" ], "v": ">=0" } ], "destringcare": [ { "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", "cve": "CVE-2018-6594", "id": "pyup.io-42205", "more_info_path": "/vulnerabilities/CVE-2018-6594/42205", "specs": [ "<0.0.4" ], "v": "<0.0.4" }, { "advisory": "Destringcare 0.0.4 removes its dependency 'pycrypto' to fix security vulnerabilities.", "cve": "CVE-2013-7459", "id": "pyup.io-37228", "more_info_path": "/vulnerabilities/CVE-2013-7459/37228", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "detect-secrets": [ { "advisory": "Detect-secrets version 1.2.0 introduces a fix to prevent catastrophic backtracking associated with the indirect reference heuristic. This update modifies the regex pattern to improve efficiency and prevent performance issues, especially under conditions that could previously lead to denial-of-service scenarios due to excessive resource consumption.", "cve": "PVE-2024-70854", "id": "pyup.io-70854", "more_info_path": "/vulnerabilities/PVE-2024-70854/70854", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "determined": [ { "advisory": "Determined 0.12.12rc0 updates its NPM dependency 'lodash' to v4.17.19 to include a security fix.", "cve": "CVE-2020-8203", "id": "pyup.io-38656", "more_info_path": "/vulnerabilities/CVE-2020-8203/38656", "specs": [ "<0.12.12rc0" ], "v": "<0.12.12rc0" }, { "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).", "cve": "PVE-2021-38415", "id": "pyup.io-38415", "more_info_path": "/vulnerabilities/PVE-2021-38415/38415", "specs": [ "<0.12.7" ], "v": "<0.12.7" }, { "advisory": "Determined 0.14.0 updates its dependency 'highlight.js' to v10.5.0 to include a 
security fix.", "cve": "CVE-2020-26237", "id": "pyup.io-39625", "more_info_path": "/vulnerabilities/CVE-2020-26237/39625", "specs": [ "<0.14.0" ], "v": "<0.14.0" }, { "advisory": "Determined 0.16.0rc0 updates its dependency 'ws' to v7.4.6 to patch a security vulnerability.", "cve": "CVE-2021-32640", "id": "pyup.io-40670", "more_info_path": "/vulnerabilities/CVE-2021-32640/40670", "specs": [ "<0.16.0rc0" ], "v": "<0.16.0rc0" }, { "advisory": "Determined 0.16.4 includes a fix to prevent log html injection via unicode.\r\nhttps://github.com/determined-ai/determined/commit/673cf1dfb74247412ab932f57bfba5d8a8211477", "cve": "PVE-2021-41255", "id": "pyup.io-41255", "more_info_path": "/vulnerabilities/PVE-2021-41255/41255", "specs": [ "<0.16.4" ], "v": "<0.16.4" }, { "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914", "cve": "CVE-2018-12886", "id": "pyup.io-42148", "more_info_path": "/vulnerabilities/CVE-2018-12886/42148", "specs": [ "<0.17.0rc0" ], "v": "<0.17.0rc0" }, { "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914", "cve": "CVE-2019-17543", "id": "pyup.io-45577", "more_info_path": "/vulnerabilities/CVE-2019-17543/45577", "specs": [ "<0.17.0rc0" ], "v": "<0.17.0rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41201", "id": "pyup.io-43341", "more_info_path": "/vulnerabilities/CVE-2021-41201/43341", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41217", "id": "pyup.io-43318", "more_info_path": "/vulnerabilities/CVE-2021-41217/43318", "specs": [ 
"<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41207", "id": "pyup.io-43339", "more_info_path": "/vulnerabilities/CVE-2021-41207/43339", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41196", "id": "pyup.io-43315", "more_info_path": "/vulnerabilities/CVE-2021-41196/43315", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41197", "id": "pyup.io-43342", "more_info_path": "/vulnerabilities/CVE-2021-41197/43342", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41212", "id": "pyup.io-43337", "more_info_path": "/vulnerabilities/CVE-2021-41212/43337", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41214", "id": "pyup.io-43319", "more_info_path": "/vulnerabilities/CVE-2021-41214/43319", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41210", "id": "pyup.io-43338", "more_info_path": "/vulnerabilities/CVE-2021-41210/43338", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41213", "id": "pyup.io-43326", "more_info_path": "/vulnerabilities/CVE-2021-41213/43326", "specs": 
[ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41216", "id": "pyup.io-43332", "more_info_path": "/vulnerabilities/CVE-2021-41216/43332", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41226", "id": "pyup.io-43322", "more_info_path": "/vulnerabilities/CVE-2021-41226/43322", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41205", "id": "pyup.io-43336", "more_info_path": "/vulnerabilities/CVE-2021-41205/43336", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41202", "id": "pyup.io-43340", "more_info_path": "/vulnerabilities/CVE-2021-41202/43340", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41228", "id": "pyup.io-43328", "more_info_path": "/vulnerabilities/CVE-2021-41228/43328", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41222", "id": "pyup.io-43329", "more_info_path": "/vulnerabilities/CVE-2021-41222/43329", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41203", "id": "pyup.io-43316", "more_info_path": "/vulnerabilities/CVE-2021-41203/43316", 
"specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41209", "id": "pyup.io-43325", "more_info_path": "/vulnerabilities/CVE-2021-41209/43325", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41208", "id": "pyup.io-43334", "more_info_path": "/vulnerabilities/CVE-2021-41208/43334", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41199", "id": "pyup.io-42944", "more_info_path": "/vulnerabilities/CVE-2021-41199/42944", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41225", "id": "pyup.io-43321", "more_info_path": "/vulnerabilities/CVE-2021-41225/43321", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41215", "id": "pyup.io-43333", "more_info_path": "/vulnerabilities/CVE-2021-41215/43333", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41198", "id": "pyup.io-43344", "more_info_path": "/vulnerabilities/CVE-2021-41198/43344", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41204", "id": "pyup.io-43327", "more_info_path": 
"/vulnerabilities/CVE-2021-41204/43327", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41206", "id": "pyup.io-43335", "more_info_path": "/vulnerabilities/CVE-2021-41206/43335", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41218", "id": "pyup.io-43331", "more_info_path": "/vulnerabilities/CVE-2021-41218/43331", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41195", "id": "pyup.io-43343", "more_info_path": "/vulnerabilities/CVE-2021-41195/43343", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41221", "id": "pyup.io-43324", "more_info_path": "/vulnerabilities/CVE-2021-41221/43324", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41227", "id": "pyup.io-43323", "more_info_path": "/vulnerabilities/CVE-2021-41227/43323", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41224", "id": "pyup.io-43330", "more_info_path": "/vulnerabilities/CVE-2021-41224/43330", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41200", "id": "pyup.io-43317", 
"more_info_path": "/vulnerabilities/CVE-2021-41200/43317", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.", "cve": "CVE-2021-41219", "id": "pyup.io-43320", "more_info_path": "/vulnerabilities/CVE-2021-41219/43320", "specs": [ "<0.17.4rc0" ], "v": "<0.17.4rc0" }, { "advisory": "Determined 0.17.5 updates its dependency 'swagger-ui' to v4.1.0 to include a fix for a XSS vulnerability.\r\nhttps://github.com/determined-ai/determined/pull/3234", "cve": "PVE-2021-43348", "id": "pyup.io-43348", "more_info_path": "/vulnerabilities/PVE-2021-43348/43348", "specs": [ "<0.17.5" ], "v": "<0.17.5" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2020-10108", "id": "pyup.io-44642", "more_info_path": "/vulnerabilities/CVE-2020-10108/44642", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2020-10109", "id": "pyup.io-54967", "more_info_path": "/vulnerabilities/CVE-2020-10109/54967", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2019-14234", "id": "pyup.io-54970", "more_info_path": "/vulnerabilities/CVE-2019-14234/54970", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2020-7471", "id": "pyup.io-54968", "more_info_path": 
"/vulnerabilities/CVE-2020-7471/54968", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2019-9512", "id": "pyup.io-54969", "more_info_path": "/vulnerabilities/CVE-2019-9512/54969", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d", "cve": "CVE-2019-19844", "id": "pyup.io-54966", "more_info_path": "/vulnerabilities/CVE-2019-19844/54966", "specs": [ "<0.17.6" ], "v": "<0.17.6" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27777", "id": "pyup.io-49533", "more_info_path": "/vulnerabilities/CVE-2022-27777/49533", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29194", "id": "pyup.io-49541", "more_info_path": "/vulnerabilities/CVE-2022-29194/49541", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29196", "id": "pyup.io-49543", "more_info_path": "/vulnerabilities/CVE-2022-29196/49543", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29208", "id": "pyup.io-49555", "more_info_path": "/vulnerabilities/CVE-2022-29208/49555", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported 
versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29212", "id": "pyup.io-49558", "more_info_path": "/vulnerabilities/CVE-2022-29212/49558", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-22576", "id": "pyup.io-49529", "more_info_path": "/vulnerabilities/CVE-2022-22576/49529", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29197", "id": "pyup.io-49544", "more_info_path": "/vulnerabilities/CVE-2022-29197/49544", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29216", "id": "pyup.io-49560", "more_info_path": "/vulnerabilities/CVE-2022-29216/49560", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29193", "id": "pyup.io-49540", "more_info_path": "/vulnerabilities/CVE-2022-29193/49540", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27776", "id": "pyup.io-49532", "more_info_path": "/vulnerabilities/CVE-2022-27776/49532", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-30115", "id": "pyup.io-49561", "more_info_path": "/vulnerabilities/CVE-2022-30115/49561", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 
updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27774", "id": "pyup.io-49530", "more_info_path": "/vulnerabilities/CVE-2022-27774/49530", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29202", "id": "pyup.io-49549", "more_info_path": "/vulnerabilities/CVE-2022-29202/49549", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29192", "id": "pyup.io-49539", "more_info_path": "/vulnerabilities/CVE-2022-29192/49539", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29191", "id": "pyup.io-49538", "more_info_path": "/vulnerabilities/CVE-2022-29191/49538", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27779", "id": "pyup.io-49535", "more_info_path": "/vulnerabilities/CVE-2022-27779/49535", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29195", "id": "pyup.io-49542", "more_info_path": "/vulnerabilities/CVE-2022-29195/49542", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29203", "id": "pyup.io-49550", "more_info_path": "/vulnerabilities/CVE-2022-29203/49550", "specs": [ "<0.18.2" ], "v": 
"<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29205", "id": "pyup.io-49552", "more_info_path": "/vulnerabilities/CVE-2022-29205/49552", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29209", "id": "pyup.io-49556", "more_info_path": "/vulnerabilities/CVE-2022-29209/49556", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29200", "id": "pyup.io-49547", "more_info_path": "/vulnerabilities/CVE-2022-29200/49547", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27781", "id": "pyup.io-49537", "more_info_path": "/vulnerabilities/CVE-2022-27781/49537", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29199", "id": "pyup.io-49546", "more_info_path": "/vulnerabilities/CVE-2022-29199/49546", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27780", "id": "pyup.io-49536", "more_info_path": "/vulnerabilities/CVE-2022-27780/49536", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-27775", "id": "pyup.io-49531", "more_info_path": 
"/vulnerabilities/CVE-2022-27775/49531", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2018-25032", "id": "pyup.io-49422", "more_info_path": "/vulnerabilities/CVE-2018-25032/49422", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29211", "id": "pyup.io-49557", "more_info_path": "/vulnerabilities/CVE-2022-29211/49557", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29206", "id": "pyup.io-49553", "more_info_path": "/vulnerabilities/CVE-2022-29206/49553", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29204", "id": "pyup.io-49551", "more_info_path": "/vulnerabilities/CVE-2022-29204/49551", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29198", "id": "pyup.io-49545", "more_info_path": "/vulnerabilities/CVE-2022-29198/49545", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29207", "id": "pyup.io-49554", "more_info_path": "/vulnerabilities/CVE-2022-29207/49554", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": 
"CVE-2022-27778", "id": "pyup.io-49534", "more_info_path": "/vulnerabilities/CVE-2022-27778/49534", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29201", "id": "pyup.io-49548", "more_info_path": "/vulnerabilities/CVE-2022-29201/49548", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.", "cve": "CVE-2022-29213", "id": "pyup.io-49559", "more_info_path": "/vulnerabilities/CVE-2022-29213/49559", "specs": [ "<0.18.2" ], "v": "<0.18.2" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'moment' to v2.29.4 to include a security fix.", "cve": "CVE-2022-31129", "id": "pyup.io-50976", "more_info_path": "/vulnerabilities/CVE-2022-31129/50976", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.", "cve": "CVE-2022-1650", "id": "pyup.io-50973", "more_info_path": "/vulnerabilities/CVE-2022-1650/50973", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.", "cve": "CVE-2021-3807", "id": "pyup.io-50971", "more_info_path": "/vulnerabilities/CVE-2021-3807/50971", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'terser' to v4.8.1 to include a security fix.", "cve": "CVE-2022-25858", "id": "pyup.io-50977", "more_info_path": "/vulnerabilities/CVE-2022-25858/50977", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.", "cve": "CVE-2021-33623", "id": "pyup.io-50978", "more_info_path": "/vulnerabilities/CVE-2021-33623/50978", "specs": [ "<0.19.3" ], 
"v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", "cve": "CVE-2022-0686", "id": "pyup.io-50980", "more_info_path": "/vulnerabilities/CVE-2022-0686/50980", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", "cve": "CVE-2022-0691", "id": "pyup.io-50981", "more_info_path": "/vulnerabilities/CVE-2022-0691/50981", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.", "cve": "CVE-2022-0536", "id": "pyup.io-50974", "more_info_path": "/vulnerabilities/CVE-2022-0536/50974", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'async' to v2.6.4 to include a security fix.", "cve": "CVE-2021-43138", "id": "pyup.io-50972", "more_info_path": "/vulnerabilities/CVE-2021-43138/50972", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", "cve": "CVE-2022-0512", "id": "pyup.io-50982", "more_info_path": "/vulnerabilities/CVE-2022-0512/50982", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.", "cve": "CVE-2022-0155", "id": "pyup.io-50975", "more_info_path": "/vulnerabilities/CVE-2022-0155/50975", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", "cve": "CVE-2022-0639", "id": "pyup.io-50979", "more_info_path": "/vulnerabilities/CVE-2022-0639/50979", "specs": [ "<0.19.3" ], "v": "<0.19.3" }, { "advisory": "Determined 0.23.0 includes a fix to prevent session hijacking by implementing secure cookies and eliminating JWT tokens over 
URLs.\r\nhttps://github.com/determined-ai/determined/pull/6862", "cve": "PVE-2023-58923", "id": "pyup.io-58923", "more_info_path": "/vulnerabilities/PVE-2023-58923/58923", "specs": [ "<0.23.0" ], "v": "<0.23.0" }, { "advisory": "Determined 0.26.7 resolves a race condition issue that was present in the workspace list. It could cause outdated workspace list results to appear when switching between different workspace list filter options.\r\nhttps://github.com/determined-ai/determined/pull/8524/commits/39c92fd8b3e52c604b65cde14842e04131fc8ae3", "cve": "PVE-2023-62988", "id": "pyup.io-62988", "more_info_path": "/vulnerabilities/PVE-2023-62988/62988", "specs": [ "<0.26.7" ], "v": "<0.26.7" } ], "devpi-ldap": [ { "advisory": "Devpi-Ldap 2.0.0 includes a security patch for the function 'init' in 'devpi_ldap/main.py'. It used the unsafe yaml.load(), that allows instantiation of arbitrary objects. Consider yaml.safe_load().\r\nhttps://github.com/devpi/devpi-ldap/commit/8da2b3c1ed44e8223ce006a3737dc6a8446e945d#diff-ecbfd22333fa5942c9fe7a999189222d1ca71d72a1a89d7a1f55d559671eb200", "cve": "CVE-2017-18342", "id": "pyup.io-41316", "more_info_path": "/vulnerabilities/CVE-2017-18342/41316", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "dfetch": [ { "advisory": "Dfetch 0.6.0 introduces security enhancements to prevent path traversal attacks for dst path. The tool now checks if the destination path is within the directory tree, ensures uniqueness of destinations, and verifies casing consistency with the system.\r\nhttps://github.com/dfetch-org/dfetch/commit/02a4f2500821e980a1605effed219cc7952a37a6", "cve": "PVE-2023-63112", "id": "pyup.io-63112", "more_info_path": "/vulnerabilities/PVE-2023-63112/63112", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "dgl": [ { "advisory": "DGL 0.8.2 introduces a fix for a race condition encountered in its distributed machine learning algorithms, specifically SparseAdam and SparseAdagrad. 
It was causing inconsistent parameter updates during concurrent operations, impacted the accuracy and reliability of the learning models. This fix is crucial for applications using DGL for complex graph data processing, as it guarantees more accurate and dependable outcomes in training and inference phases. \r\nhttps://github.com/dmlc/dgl/pull/3971/files", "cve": "PVE-2024-64038", "id": "pyup.io-64038", "more_info_path": "/vulnerabilities/PVE-2024-64038/64038", "specs": [ "<0.8.2" ], "v": "<0.8.2" } ], "diamondback": [ { "advisory": "Diamondback version 5.0.1 updates its dependency to include Pillow version 10.2.0, specifically to address vulnerabilities that could potentially lead to arbitrary code execution associated with earlier versions of Pillow.", "cve": "CVE-2023-50447", "id": "pyup.io-66788", "more_info_path": "/vulnerabilities/CVE-2023-50447/66788", "specs": [ "<5.0.1" ], "v": "<5.0.1" } ], "diango": [ { "advisory": "Diango is a typosquatting package. It shows a malicious behavior, for example, it may leak your sensitive data and/or gain unauthorized persistence in your system.\r\nhttps://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/", "cve": "PVE-2022-45420", "id": "pyup.io-45420", "more_info_path": "/vulnerabilities/PVE-2022-45420/45420", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "didjvu": [ { "advisory": "Didjvu 0.4 includes a security fix: Insecure use of /tmp when executing c44.\r\nhttps://github.com/jwilk/didjvu/issues/8", "cve": "PVE-2023-53578", "id": "pyup.io-53578", "more_info_path": "/vulnerabilities/PVE-2023-53578/53578", "specs": [ "<0.4" ], "v": "<0.4" } ], "diffoscope": [ { "advisory": "diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file may be disclosed to an attacker. 
This occurs because the value of the gpg --use-embedded-filenames option is trusted.", "cve": "CVE-2024-25711", "id": "pyup.io-66695", "more_info_path": "/vulnerabilities/CVE-2024-25711/66695", "specs": [ "<256" ], "v": "<256" }, { "advisory": "diffoscope before 76 writes to arbitrary locations on disk based on the contents of an untrusted archive.\n\nAffected functions:\ndiffoscope.comparators.utils.libarchive.LibarchiveContainer.ensure_unpacked\ndiffoscope.comparators.utils.libarchive.LibarchiveContainer.get_member_names\ndiffoscope.comparators.utils.libarchive.LibarchiveContainer.extract", "cve": "CVE-2017-0359", "id": "pyup.io-53922", "more_info_path": "/vulnerabilities/CVE-2017-0359/53922", "specs": [ ">=0,<76" ], "v": ">=0,<76" } ], "diffpriv": [ { "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.", "cve": "PVE-2021-40539", "id": "pyup.io-40539", "more_info_path": "/vulnerabilities/PVE-2021-40539/40539", "specs": [ "<1.0.0rc1" ], "v": "<1.0.0rc1" } ], "diffsync": [ { "advisory": "Diffsync 1.4.0 updates its dependency 'pydantic' minimum version to v1.7.4 to include a security fix.", "cve": "CVE-2021-29510", "id": "pyup.io-44673", "more_info_path": "/vulnerabilities/CVE-2021-29510/44673", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "digger": [ { "advisory": "National Library of the Netherlands digger < 6697d1269d981e35e11f240725b16401b5ce3db5 is affected by a XML External Entity (XXE) vulnerability. 
Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.", "cve": "CVE-2021-44556", "id": "pyup.io-70579", "more_info_path": "/vulnerabilities/CVE-2021-44556/70579", "specs": [ "<6697d1269d981e35e11f240725b16401b5ce3db5" ], "v": "<6697d1269d981e35e11f240725b16401b5ce3db5" } ], "digitalmarketplace-utils": [ { "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.\r\nhttps://github.com/Crown-Commercial-Service/digitalmarketplace-utils/pull/286", "cve": "PVE-2021-39653", "id": "pyup.io-39653", "more_info_path": "/vulnerabilities/PVE-2021-39653/39653", "specs": [ "<22.0.0" ], "v": "<22.0.0" } ], "dipdup": [ { "advisory": "Dipdup 3.0.2 fixes a race condition caused by event emitter concurrency.\r\nhttps://github.com/dipdup-io/dipdup/commit/03ea5e666fc06d447a8ad29033405a082a66e9fd", "cve": "PVE-2024-64481", "id": "pyup.io-64481", "more_info_path": "/vulnerabilities/PVE-2024-64481/64481", "specs": [ "<3.0.2" ], "v": "<3.0.2" }, { "advisory": "Dipdup 6.3.1 implements restrictions on using Hasura instances susceptible to the security vulnerability referenced as GHSA-g7mj-g7f4-hgrg.\r\nhttps://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg", "cve": "PVE-2024-64480", "id": "pyup.io-64480", "more_info_path": "/vulnerabilities/PVE-2024-64480/64480", "specs": [ "<6.3.1" ], "v": "<6.3.1" }, { "advisory": "Dipdup version 6.5.3 restricts the use of Hasura instances that are vulnerable to the security issue identified in CVE-2023-27588.\r\nhttps://github.com/dipdup-io/dipdup/commit/631113ad410cbd577fa118e13f6012dc9d684e4e", "cve": "PVE-2024-64479", "id": "pyup.io-64479", "more_info_path": "/vulnerabilities/PVE-2024-64479/64479", "specs": [ "<6.5.3" ], "v": "<6.5.3" }, { "advisory": "Dipdup 7.2.0 upgrades its PyArrow dependency to address the vulnerability CVE-2023-47248. 
The version has been changed from approximately 12.0 (~=12.0) to a specified range of >=14.0.1,<15.\r\nhttps://github.com/dipdup-io/dipdup/commit/575b4366c2467a9af1cf02675bac7ddf686cf762", "cve": "CVE-2023-47248", "id": "pyup.io-64478", "more_info_path": "/vulnerabilities/CVE-2023-47248/64478", "specs": [ "<7.2.0" ], "v": "<7.2.0" } ], "dirac": [ { "advisory": "Dirac 8.0.0a13 fixes an arbitrary code execution vulnerability in JEncode.\r\nhttps://github.com/DIRACGrid/DIRAC/pull/5810", "cve": "PVE-2022-44691", "id": "pyup.io-44691", "more_info_path": "/vulnerabilities/PVE-2022-44691/44691", "specs": [ "<8.0.0a13" ], "v": "<8.0.0a13" }, { "advisory": "Dirac 8.0.0a19 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/DIRACGrid/DIRAC/pull/5984", "cve": "PVE-2023-59963", "id": "pyup.io-59963", "more_info_path": "/vulnerabilities/PVE-2023-59963/59963", "specs": [ "<8.0.0a19" ], "v": "<8.0.0a19" }, { "advisory": "Dirac 8.0.2 uses a safer file mode for grid-security directories.\r\nhttps://github.com/DIRACGrid/DIRAC/pull/6398", "cve": "PVE-2022-51428", "id": "pyup.io-51428", "more_info_path": "/vulnerabilities/PVE-2022-51428/51428", "specs": [ "<8.0.2" ], "v": "<8.0.2" }, { "advisory": "In affected versions of DIRAC, during the proxy generation process (e.g., when using `dirac-proxy-init`), it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy. This vulnerability only exists for a short period of time (sub-millisecond) during the generation process. Version 8.0.41 contains a patch for the issue (note: this entry's version spec, <8.0.40, ends one release before the stated fix; verify the affected range against the upstream advisory). As a workaround, setting the `X509_USER_PROXY` environment variable to a path that is inside a directory that is only readable to the current user avoids the potential risk. 
After the file has been written, it can be safely copied to the standard location (`/tmp/x509up_uNNNN`).", "cve": "CVE-2024-29905", "id": "pyup.io-71713", "more_info_path": "/vulnerabilities/CVE-2024-29905/71713", "specs": [ "<8.0.40" ], "v": "<8.0.40" }, { "advisory": "DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve": "CVE-2024-24825", "id": "pyup.io-66705", "more_info_path": "/vulnerabilities/CVE-2024-24825/66705", "specs": [ ">=8.0.0,<8.0.37", ">=8.1.0a1,<9.0.0a22" ], "v": ">=8.0.0,<8.0.37,>=8.1.0a1,<9.0.0a22" } ], "directory-client-core": [ { "advisory": "Directory-client-core 5.1.1 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-12781", "id": "pyup.io-49480", "more_info_path": "/vulnerabilities/CVE-2019-12781/49480", "specs": [ "<5.1.1" ], "v": "<5.1.1" }, { "advisory": "Directory-client-core 5.1.1 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-12308", "id": "pyup.io-38689", "more_info_path": "/vulnerabilities/CVE-2019-12308/38689", "specs": [ "<5.1.1" ], "v": "<5.1.1" }, { "advisory": "Directory-client-core 7.1.1 updates its dependency 'django' minimum requirement to v3.2.18 to include security fixes.", "cve": "CVE-2022-36359", "id": "pyup.io-58790", "more_info_path": "/vulnerabilities/CVE-2022-36359/58790", "specs": [ "<7.1.1" ], "v": "<7.1.1" }, { "advisory": "Directory-client-core 7.1.1 updates its dependency 'django' minimum requirement to v3.2.18 to include security fixes.", "cve": "CVE-2022-28347", "id": "pyup.io-58789", "more_info_path": "/vulnerabilities/CVE-2022-28347/58789", "specs": [ "<7.1.1" ], "v": "<7.1.1" }, { "advisory": "Directory-client-core 7.1.1 updates its dependency 
'django' minimum requirement to v3.2.18 to include security fixes.", "cve": "CVE-2022-34265", "id": "pyup.io-58788", "more_info_path": "/vulnerabilities/CVE-2022-34265/58788", "specs": [ "<7.1.1" ], "v": "<7.1.1" }, { "advisory": "Directory-client-core 7.1.1 updates its dependency 'django' minimum requirement to v3.2.18 to include security fixes.", "cve": "CVE-2021-33203", "id": "pyup.io-58791", "more_info_path": "/vulnerabilities/CVE-2021-33203/58791", "specs": [ "<7.1.1" ], "v": "<7.1.1" }, { "advisory": "Directory-client-core 7.1.1 updates its dependency 'django' minimum requirement to v3.2.18 to include security fixes.", "cve": "CVE-2023-24580", "id": "pyup.io-58777", "more_info_path": "/vulnerabilities/CVE-2023-24580/58777", "specs": [ "<7.1.1" ], "v": "<7.1.1" } ], "directory-components": [ { "advisory": "Directory-components 25.0.1 updates its NPM dependency 'lodash.mergewith' to v4.6.2 to include security fixes.", "cve": "CVE-2018-3721", "id": "pyup.io-37298", "more_info_path": "/vulnerabilities/CVE-2018-3721/37298", "specs": [ "<25.0.1" ], "v": "<25.0.1" }, { "advisory": "Directory-components 25.0.1 updates its NPM dependency 'lodash.mergewith' to v4.6.2 to include security fixes.", "cve": "CVE-2018-16487", "id": "pyup.io-45126", "more_info_path": "/vulnerabilities/CVE-2018-16487/45126", "specs": [ "<25.0.1" ], "v": "<25.0.1" } ], "directory-constants": [ { "advisory": "Directory-constants 21.0.3 updates 'Django' to v3.2.5 to include a security fix.", "cve": "CVE-2021-35042", "id": "pyup.io-53746", "more_info_path": "/vulnerabilities/CVE-2021-35042/53746", "specs": [ "<21.0.3" ], "v": "<21.0.3" }, { "advisory": "Directory-constants 21.3.0 updates its 'Django' requirement to '>=2.2.28,<=3.2.13' to include security fixes.", "cve": "CVE-2022-28346", "id": "pyup.io-53716", "more_info_path": "/vulnerabilities/CVE-2022-28346/53716", "specs": [ "<21.3.0" ], "v": "<21.3.0" }, { "advisory": "Directory-constants 21.3.0 updates its 'Django' requirement to 
'>=2.2.28,<=3.2.13' to include security fixes.", "cve": "CVE-2022-28347", "id": "pyup.io-53724", "more_info_path": "/vulnerabilities/CVE-2022-28347/53724", "specs": [ "<21.3.0" ], "v": "<21.3.0" }, { "advisory": "Directory-constants 21.4.0 updates 'Django' to v3.2.14 to include a security fix.", "cve": "CVE-2022-34265", "id": "pyup.io-53747", "more_info_path": "/vulnerabilities/CVE-2022-34265/53747", "specs": [ "<21.4.0" ], "v": "<21.4.0" }, { "advisory": "Directory-constants 21.5.0 updates 'Django' to v3.2.15 to include a security fix.", "cve": "CVE-2022-36359", "id": "pyup.io-53748", "more_info_path": "/vulnerabilities/CVE-2022-36359/53748", "specs": [ "<21.5.0" ], "v": "<21.5.0" } ], "directory-healthcheck": [ { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2018-7536", "id": "pyup.io-50820", "more_info_path": "/vulnerabilities/CVE-2018-7536/50820", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2018-6188", "id": "pyup.io-50819", "more_info_path": "/vulnerabilities/CVE-2018-6188/50819", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-12308", "id": "pyup.io-50826", "more_info_path": "/vulnerabilities/CVE-2019-12308/50826", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-12781", "id": "pyup.io-50827", "more_info_path": "/vulnerabilities/CVE-2019-12781/50827", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-3498", "id": "pyup.io-50824", "more_info_path": "/vulnerabilities/CVE-2019-3498/50824", 
"specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2019-6975", "id": "pyup.io-50825", "more_info_path": "/vulnerabilities/CVE-2019-6975/50825", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2018-14574", "id": "pyup.io-50823", "more_info_path": "/vulnerabilities/CVE-2018-14574/50823", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2017-12794", "id": "pyup.io-50759", "more_info_path": "/vulnerabilities/CVE-2017-12794/50759", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2009-3695", "id": "pyup.io-50822", "more_info_path": "/vulnerabilities/CVE-2009-3695/50822", "specs": [ "<1.1.2" ], "v": "<1.1.2" }, { "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.", "cve": "CVE-2018-7537", "id": "pyup.io-50821", "more_info_path": "/vulnerabilities/CVE-2018-7537/50821", "specs": [ "<1.1.2" ], "v": "<1.1.2" } ], "dirsearch": [ { "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. 
", "cve": "PVE-2021-40799", "id": "pyup.io-40799", "more_info_path": "/vulnerabilities/PVE-2021-40799/40799", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "discogs-client": [ { "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", "cve": "CVE-2018-18074", "id": "pyup.io-36787", "more_info_path": "/vulnerabilities/CVE-2018-18074/36787", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { "advisory": "Discogs-client 2.2.2 updates dependency 'PyYAML' to v4.2b1 to resolve security vulnerabilities.", "cve": "CVE-2017-18342", "id": "pyup.io-42495", "more_info_path": "/vulnerabilities/CVE-2017-18342/42495", "specs": [ "<2.2.2" ], "v": "<2.2.2" }, { "advisory": "Discogs-client 2.2.2 updates dependency 'requests' to v2.20.0 to resolve security vulnerabilities.", "cve": "CVE-2014-1829", "id": "pyup.io-42494", "more_info_path": "/vulnerabilities/CVE-2014-1829/42494", "specs": [ "<2.2.2" ], "v": "<2.2.2" } ], "discord-dev": [ { "advisory": "Discord-dev is a malicious package. It installs information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.\r\nhttps://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls", "cve": "PVE-2023-52937", "id": "pyup.io-52937", "more_info_path": "/vulnerabilities/PVE-2023-52937/52937", "specs": [ ">=0" ], "v": ">=0" } ], "discord-ext-slash": [ { "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found).", "cve": "PVE-2021-39641", "id": "pyup.io-39641", "more_info_path": "/vulnerabilities/PVE-2021-39641/39641", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "discorder": [ { "advisory": "Discorder is a malicious package. 
It installs information-stealing and RAT (remote access trojan) Malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.\r\nhttps://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls", "cve": "PVE-2023-52936", "id": "pyup.io-52936", "more_info_path": "/vulnerabilities/PVE-2023-52936/52936", "specs": [ ">=0" ], "v": ">=0" } ], "discordpie": [ { "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.", "cve": "PVE-2021-38343", "id": "pyup.io-38343", "more_info_path": "/vulnerabilities/PVE-2021-38343/38343", "specs": [ "<0.5.1" ], "v": "<0.5.1" } ], "discordsafety": [ { "advisory": "DiscordSafety is a malicious package, typosquatting. It steals Discord access tokens, passwords, and even stage dependency confusion attacks.\r\nhttps://thehackernews.com/2021/11/11-malicious-pypi-python-libraries.html", "cve": "PVE-2022-45459", "id": "pyup.io-45459", "more_info_path": "/vulnerabilities/PVE-2022-45459/45459", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "dispatch": [ { "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", "cve": "CVE-2021-28658", "id": "pyup.io-43729", "more_info_path": "/vulnerabilities/CVE-2021-28658/43729", "specs": [ "<1.3.16" ], "v": "<1.3.16" }, { "advisory": "Dispatch 1.3.16 updates its dependency 'Django' to v3.1.8 to include security fixes.", "cve": "CVE-2021-23336", "id": "pyup.io-40402", "more_info_path": "/vulnerabilities/CVE-2021-23336/40402", "specs": [ "<1.3.16" ], "v": "<1.3.16" } ], "distrib": [ { "advisory": "Distrib is a typosquatting package. 
It installs malware on your system that leaks your data.\r\nhttps://github.com/rsc-dev/pypi_malware", "cve": "PVE-2022-45425", "id": "pyup.io-45425", "more_info_path": "/vulnerabilities/PVE-2022-45425/45425", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "distributed": [ { "advisory": "Distributed 2021.10.0 includes a fix for CVE-2021-42343: Single-machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.", "cve": "CVE-2021-42343", "id": "pyup.io-55199", "more_info_path": "/vulnerabilities/CVE-2021-42343/55199", "specs": [ ">=0,<2021.10.0" ], "v": ">=0,<2021.10.0" } ], "divina": [ { "advisory": "Divina 0.1 adds a security group with ssh access enabled on partitioning EC2.", "cve": "PVE-2021-41294", "id": "pyup.io-41294", "more_info_path": "/vulnerabilities/PVE-2021-41294/41294", "specs": [ "<0.1" ], "v": "<0.1" }, { "advisory": "Divina 2021.8.1 adds a security group with ssh access enabled for the EC2 partitioning.", "cve": "PVE-2021-41237", "id": "pyup.io-41237", "more_info_path": "/vulnerabilities/PVE-2021-41237/41237", "specs": [ "<2021.8.1" ], "v": "<2021.8.1" } ], "diycrate": [ { "advisory": "Diycrate version 0.2.11.0 includes a security patch for the function 'oauth_dance' in 'diycrate/oauth_utils.py'. 
It contained requests calls with verify=False, disabling SSL certificate checks.\r\nhttps://github.com/jheld/diycrate/commit/40e51a586f16da215a3ff8096cfa64e23b0fa5cb#diff-7772b99d74abcfaa2bf013c9a4647b2b42cec23f84a79a5d4de0ef6973720971", "cve": "PVE-2021-41317", "id": "pyup.io-41317", "more_info_path": "/vulnerabilities/PVE-2021-41317/41317", "specs": [ "<0.2.11.0" ], "v": "<0.2.11.0" } ], "djago": [ { "advisory": "Djago is a typosquatting package. It shows a malicious behavior, for example, it may leak your sensitive data and/or gain unauthorized persistence in your system.\r\nhttps://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/", "cve": "PVE-2022-45421", "id": "pyup.io-45421", "more_info_path": "/vulnerabilities/PVE-2022-45421/45421", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "djanga": [ { "advisory": "Djanga is a typosquatting package. It shows a malicious behavior, for example, it may leak your sensitive data and/or gain unauthorized persistence in your system.\r\nhttps://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/", "cve": "PVE-2022-45413", "id": "pyup.io-45413", "more_info_path": "/vulnerabilities/PVE-2022-45413/45413", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "djangae": [ { "advisory": "Djangae before 0.9.4 uses Django 1.7, which has known vulnerabilities.", "cve": "CVE-2016-2513", "id": "pyup.io-49020", "more_info_path": "/vulnerabilities/CVE-2016-2513/49020", "specs": [ "<0.9.4" ], "v": "<0.9.4" }, { "advisory": "Djangae before 0.9.4 uses Django 1.7, which has known vulnerabilities.", "cve": "CVE-2016-2512", "id": "pyup.io-49019", "more_info_path": "/vulnerabilities/CVE-2016-2512/49019", "specs": [ "<0.9.4" ], "v": "<0.9.4" }, { "advisory": "Djangae before 0.9.4 uses Django 1.7, which has known vulnerabilities.", "cve": "CVE-2016-7401", "id": "pyup.io-25693", "more_info_path": "/vulnerabilities/CVE-2016-7401/25693", "specs": [ "<0.9.4" ], "v": "<0.9.4" } ], "django": [ { 
"advisory": "The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.\r\nhttps://www.djangoproject.com/weblog/2007/oct/26/security-fix", "cve": "CVE-2007-5712", "id": "pyup.io-35277", "more_info_path": "/vulnerabilities/CVE-2007-5712/35277", "specs": [ "<0.91.1", ">=0.95a1,<0.95.2", ">=0.96a1,<0.96.1" ], "v": "<0.91.1,>=0.95a1,<0.95.2,>=0.96a1,<0.96.1" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.\r\nhttps://www.djangoproject.com/weblog/2008/may/14/security", "cve": "CVE-2008-2302", "id": "pyup.io-35291", "more_info_path": "/vulnerabilities/CVE-2008-2302/35291", "specs": [ "<0.91.2", ">=0.95a1,<0.95.3", ">=0.96a1,<0.96.2" ], "v": "<0.91.2,>=0.95a1,<0.95.3,>=0.96a1,<0.96.2" }, { "advisory": "Django 0.91.3, 0.95.4 and 0.96.3 include a fix for CVE-2008-3909: The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.\r\nhttps://www.djangoproject.com/weblog/2008/sep/02/security", "cve": "CVE-2008-3909", "id": "pyup.io-35299", "more_info_path": "/vulnerabilities/CVE-2008-3909/35299", "specs": [ "<0.91.3", ">=0.95a1,<0.95.4", ">=0.96a1,<0.96.3" ], "v": "<0.91.3,>=0.95a1,<0.95.4,>=0.96a1,<0.96.3" }, { "advisory": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote 
attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", "cve": "CVE-2009-3695", "id": "pyup.io-25695", "more_info_path": "/vulnerabilities/CVE-2009-3695/25695", "specs": [ "<1.0.4", ">=1.1a1,<1.1.1" ], "v": "<1.0.4,>=1.1a1,<1.1.1" }, { "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", "cve": "CVE-2010-4534", "id": "pyup.io-33058", "more_info_path": "/vulnerabilities/CVE-2010-4534/33058", "specs": [ "<1.1.3", ">=1.2a1,<1.2.4" ], "v": "<1.1.3,>=1.2a1,<1.2.4" }, { "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", "cve": "CVE-2010-4535", "id": "pyup.io-33059", "more_info_path": "/vulnerabilities/CVE-2010-4535/33059", "specs": [ "<1.1.3", ">=1.2a1,<1.2.4" ], "v": "<1.1.3,>=1.2a1,<1.2.4" }, { "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.", "cve": "CVE-2011-0697", "id": "pyup.io-33061", "more_info_path": "/vulnerabilities/CVE-2011-0697/33061", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote 
attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.", "cve": "CVE-2011-0698", "id": "pyup.io-33062", "more_info_path": "/vulnerabilities/CVE-2011-0698/33062", "specs": [ "<1.1.4", ">=1.2a1,<1.2.5" ], "v": "<1.1.4,>=1.2a1,<1.2.5" }, { "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.", "cve": "CVE-2011-0696", "id": "pyup.io-33060", "more_info_path": "/vulnerabilities/CVE-2011-0696/33060", "specs": [ "<1.1.4", ">=1.2a1,<1.2.5" ], "v": "<1.1.4,>=1.2a1,<1.2.5" }, { "advisory": "Django 1.10.8 and 1.11.5 include a fix for CVE-2017-12794: In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. 
This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.\r\nhttps://www.djangoproject.com/weblog/2017/sep/05/security-releases", "cve": "CVE-2017-12794", "id": "pyup.io-34918", "more_info_path": "/vulnerabilities/CVE-2017-12794/34918", "specs": [ "<1.10.8", ">=1.11a1,<1.11.5" ], "v": "<1.10.8,>=1.11a1,<1.11.5" }, { "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "cve": "CVE-2010-3082", "id": "pyup.io-25701", "more_info_path": "/vulnerabilities/CVE-2010-3082/25701", "specs": [ "<1.2.2" ], "v": "<1.2.2" }, { "advisory": "Django 1.2.7 and 1.3.1 include a fix for CVE-2011-4139: Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.\r\nhttps://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued", "cve": "CVE-2011-4139", "id": "pyup.io-35348", "more_info_path": "/vulnerabilities/CVE-2011-4139/35348", "specs": [ "<1.2.7", ">=1.3a1,<1.3.1" ], "v": "<1.2.7,>=1.3a1,<1.3.1" }, { "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", "cve": "CVE-2011-4138", "id": "pyup.io-33065", "more_info_path": "/vulnerabilities/CVE-2011-4138/33065", "specs": [ "<1.2.7", ">=1.3a1,<1.3.1" ], "v": "<1.2.7,>=1.3a1,<1.3.1" }, { "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 
1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", "cve": "CVE-2011-4137", "id": "pyup.io-33064", "more_info_path": "/vulnerabilities/CVE-2011-4137/33064", "specs": [ "<1.2.7", ">=1.3a1,<1.3.1" ], "v": "<1.2.7,>=1.3a1,<1.3.1" }, { "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", "cve": "CVE-2011-4140", "id": "pyup.io-33066", "more_info_path": "/vulnerabilities/CVE-2011-4140/33066", "specs": [ "<1.2.7", ">=1.3a1,<1.3.1" ], "v": "<1.2.7,>=1.3a1,<1.3.1" }, { "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", "cve": "CVE-2011-4136", "id": "pyup.io-33063", "more_info_path": "/vulnerabilities/CVE-2011-4136/33063", "specs": [ "<1.2.7", ">=1.3a1,<1.3.1" ], "v": "<1.2.7,>=1.3a1,<1.3.1" }, { "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.", "cve": "CVE-2012-3442", "id": "pyup.io-33067", "more_info_path": "/vulnerabilities/CVE-2012-3442/33067", 
"specs": [ "<1.3.2", ">=1.4a1,<1.4.1" ], "v": "<1.3.2,>=1.4a1,<1.4.1" }, { "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.", "cve": "CVE-2012-3443", "id": "pyup.io-33068", "more_info_path": "/vulnerabilities/CVE-2012-3443/33068", "specs": [ "<1.3.2", ">=1.4a1,<1.4.1" ], "v": "<1.3.2,>=1.4a1,<1.4.1" }, { "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", "cve": "CVE-2012-3444", "id": "pyup.io-33069", "more_info_path": "/vulnerabilities/CVE-2012-3444/33069", "specs": [ "<1.3.2", ">=1.4a1,<1.4.1" ], "v": "<1.3.2,>=1.4a1,<1.4.1" }, { "advisory": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.", "cve": "CVE-2012-4520", "id": "pyup.io-25709", "more_info_path": "/vulnerabilities/CVE-2012-4520/25709", "specs": [ "<1.3.4", ">=1.4a1,<1.4.2" ], "v": "<1.3.4,>=1.4a1,<1.4.2" }, { "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0472: The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security", "cve": "CVE-2014-0472", "id": "pyup.io-35510", "more_info_path": "/vulnerabilities/CVE-2014-0472/35510", "specs": 
[ "<1.4.11", ">=1.5a1,<1.5.6", ">=1.6a1,<1.6.3", ">=1.7a1,<1.7b2" ], "v": "<1.4.11,>=1.5a1,<1.5.6,>=1.6a1,<1.6.3,>=1.7a1,<1.7b2" }, { "advisory": "Django 1.4.11, 1.5.6, 1.6.3 and 1.7b2 include a fix for CVE-2014-0473: The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.\r\nhttps://www.djangoproject.com/weblog/2014/apr/21/security", "cve": "CVE-2014-0473", "id": "pyup.io-35511", "more_info_path": "/vulnerabilities/CVE-2014-0473/35511", "specs": [ "<1.4.11", ">=1.5a1,<1.5.6", ">=1.6a1,<1.6.3", ">=1.7a1,<1.7b2" ], "v": "<1.4.11,>=1.5a1,<1.5.6,>=1.6a1,<1.6.3,>=1.7a1,<1.7b2" }, { "advisory": "Django 1.4.13, 1.5.8, 1.6.5 and 1.7b4 include a fix for CVE-2014-1418: Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.", "cve": "CVE-2014-1418", "id": "pyup.io-35519", "more_info_path": "/vulnerabilities/CVE-2014-1418/35519", "specs": [ "<1.4.13", ">=1.5a1,<1.5.8", ">=1.6a1,<1.6.5", ">=1.7a1,<1.7b4" ], "v": "<1.4.13,>=1.5a1,<1.5.8,>=1.6a1,<1.6.5,>=1.7a1,<1.7b4" }, { "advisory": "The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. 
See: CVE-2014-0483.", "cve": "CVE-2014-0483", "id": "pyup.io-35516", "more_info_path": "/vulnerabilities/CVE-2014-0483/35516", "specs": [ "<1.4.14", ">=1.5a1,<1.5.9", ">=1.6a1,<1.6.6", ">=1.7a1,<1.7rc3" ], "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3" }, { "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.", "cve": "CVE-2014-0482", "id": "pyup.io-35515", "more_info_path": "/vulnerabilities/CVE-2014-0482/35515", "specs": [ "<1.4.14", ">=1.5a1,<1.5.9", ">=1.6a1,<1.6.6", ">=1.7a1,<1.7rc3" ], "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3" }, { "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.", "cve": "CVE-2014-0481", "id": "pyup.io-35514", "more_info_path": "/vulnerabilities/CVE-2014-0481/35514", "specs": [ "<1.4.14", ">=1.5a1,<1.5.9", ">=1.6a1,<1.6.6", ">=1.7a1,<1.7rc3" ], "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3" }, { "advisory": "The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.", "cve": 
"CVE-2014-0480", "id": "pyup.io-35513", "more_info_path": "/vulnerabilities/CVE-2014-0480/35513", "specs": [ "<1.4.14", ">=1.5a1,<1.5.9", ">=1.6a1,<1.6.6", ">=1.7a1,<1.7rc3" ], "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3" }, { "advisory": "The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.", "cve": "CVE-2015-0221", "id": "pyup.io-33072", "more_info_path": "/vulnerabilities/CVE-2015-0221/33072", "specs": [ "<1.4.18", ">=1.6a1,<1.6.10", ">=1.7a1,<1.7.3" ], "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3" }, { "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.", "cve": "CVE-2015-0220", "id": "pyup.io-33071", "more_info_path": "/vulnerabilities/CVE-2015-0220/33071", "specs": [ "<1.4.18", ">=1.6a1,<1.6.10", ">=1.7a1,<1.7.3" ], "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3" }, { "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.", "cve": "CVE-2015-0219", "id": "pyup.io-33070", "more_info_path": "/vulnerabilities/CVE-2015-0219/33070", "specs": [ "<1.4.18", ">=1.6a1,<1.6.10", ">=1.7a1,<1.7.3" ], "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3" }, { "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) 
attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.\r\nhttps://www.djangoproject.com/weblog/2015/mar/18/security-releases", "cve": "CVE-2015-2317", "id": "pyup.io-25713", "more_info_path": "/vulnerabilities/CVE-2015-2317/25713", "specs": [ "<1.4.20", ">=1.5a1,<1.6.11", ">=1.7a1,<1.7.7", ">=1.8a1,<1.8c1" ], "v": "<1.4.20,>=1.5a1,<1.6.11,>=1.7a1,<1.7.7,>=1.8a1,<1.8c1" }, { "advisory": "The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.", "cve": "CVE-2015-5143", "id": "pyup.io-25725", "more_info_path": "/vulnerabilities/CVE-2015-5143/25725", "specs": [ "<1.4.21", ">=1.5a1,<1.7.9", ">=1.8a1,<1.8.3" ], "v": "<1.4.21,>=1.5a1,<1.7.9,>=1.8a1,<1.8.3" }, { "advisory": "Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.", "cve": "CVE-2015-5144", "id": "pyup.io-25726", "more_info_path": "/vulnerabilities/CVE-2015-5144/25726", "specs": [ "<1.4.21", ">=1.8a1,<1.8.3", ">=1.5a1,<1.7.9" ], "v": "<1.4.21,>=1.8a1,<1.8.3,>=1.5a1,<1.7.9" }, { "advisory": "Django 1.4.7, 1.5.3 and 1.6.0b3 include a fix for CVE-2013-4315: Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. 
(dot dot) in a ssi template tag.\r\nhttps://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued", "cve": "CVE-2013-4315", "id": "pyup.io-35461", "more_info_path": "/vulnerabilities/CVE-2013-4315/35461", "specs": [ "<1.4.7", ">=1.5a1,<1.5.3", ">=1.6a1,<1.6b3" ], "v": "<1.4.7,>=1.5a1,<1.5.3,>=1.6a1,<1.6b3" }, { "advisory": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", "cve": "CVE-2015-8213", "id": "pyup.io-25714", "more_info_path": "/vulnerabilities/CVE-2015-8213/25714", "specs": [ "<1.7.11", ">=1.8a1,<1.8.7", ">=1.9a1,<1.9rc2" ], "v": "<1.7.11,>=1.8a1,<1.8.7,>=1.9a1,<1.9rc2" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.", "cve": "CVE-2015-2241", "id": "pyup.io-25715", "more_info_path": "/vulnerabilities/CVE-2015-2241/25715", "specs": [ "<1.7.6", ">=1.8a1,<1.8b2" ], "v": "<1.7.6,>=1.8a1,<1.8b2" }, { "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", "cve": "CVE-2016-2513", "id": "pyup.io-33074", "more_info_path": "/vulnerabilities/CVE-2016-2513/33074", "specs": [ "<1.8.10", ">=1.9a1,<1.9.3" ], "v": "<1.8.10,>=1.9a1,<1.9.3" }, { "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated 
by http://mysite.example.com\\@attacker.com.", "cve": "CVE-2016-2512", "id": "pyup.io-33073", "more_info_path": "/vulnerabilities/CVE-2016-2512/33073", "specs": [ "<1.8.10", ">=1.9a1,<1.9.3" ], "v": "<1.8.10,>=1.9a1,<1.9.3" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", "cve": "CVE-2016-6186", "id": "pyup.io-25721", "more_info_path": "/vulnerabilities/CVE-2016-6186/25721", "specs": [ "<1.8.14", ">=1.9a1,<1.9.18", ">=1.10a1,<1.10rc1" ], "v": "<1.8.14,>=1.9a1,<1.9.18,>=1.10a1,<1.10rc1" }, { "advisory": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", "cve": "CVE-2016-7401", "id": "pyup.io-25718", "more_info_path": "/vulnerabilities/CVE-2016-7401/25718", "specs": [ "<1.8.15", ">=1.9a1,<1.9.10" ], "v": "<1.8.15,>=1.9a1,<1.9.10" }, { "advisory": "Django versions 2.1.9 and 2.2.2 include a patched bundled jQuery version to avoid a Prototype Pollution vulnerability.", "cve": "CVE-2019-11358", "id": "pyup.io-39594", "more_info_path": "/vulnerabilities/CVE-2019-11358/39594", "specs": [ "<2.1.9", ">=2.2a1,<2.2.2" ], "v": "<2.1.9,>=2.2a1,<2.2.2" }, { "advisory": "Django 2.2.16, 3.0.10 and 3.1.1 include a fix for CVE-2020-24583: An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. 
It was also not applied to intermediate-level collected static directories when using the collectstatic management command.\r\n#NOTE: This vulnerability affects only users of Python versions above 3.7.\r\nhttps://www.djangoproject.com/weblog/2020/sep/01/security-releases", "cve": "CVE-2020-24583", "id": "pyup.io-38749", "more_info_path": "/vulnerabilities/CVE-2020-24583/38749", "specs": [ "<2.2.16", ">=3.0a1,<3.0.10", ">=3.1a1,<3.1.1" ], "v": "<2.2.16,>=3.0a1,<3.0.10,>=3.1a1,<3.1.1" }, { "advisory": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.", "cve": "CVE-2020-24584", "id": "pyup.io-38752", "more_info_path": "/vulnerabilities/CVE-2020-24584/38752", "specs": [ "<2.2.16", ">=3.0a1,<3.0.10", ">=3.1a1,<3.1.1" ], "v": "<2.2.16,>=3.0a1,<3.0.10,>=3.1a1,<3.1.1" }, { "advisory": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. 
In other words, there is directory traversal outside of the template root directories.\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases", "cve": "CVE-2021-33203", "id": "pyup.io-40637", "more_info_path": "/vulnerabilities/CVE-2021-33203/40637", "specs": [ "<2.2.24", ">=3.0a1,<3.1.12", ">=3.2a1,<3.2.4" ], "v": "<2.2.24,>=3.0a1,<3.1.12,>=3.2a1,<3.2.4" }, { "advisory": "Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.\r\nhttps://www.djangoproject.com/weblog/2021/dec/07/security-releases/", "cve": "CVE-2021-44420", "id": "pyup.io-43041", "more_info_path": "/vulnerabilities/CVE-2021-44420/43041", "specs": [ "<2.2.25", ">=3.2a1,<3.2.10", ">=3.1a1,<3.1.14" ], "v": "<2.2.25,>=3.2a1,<3.2.10,>=3.1a1,<3.1.14" }, { "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. 
Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases", "cve": "CVE-2021-45116", "id": "pyup.io-44427", "more_info_path": "/vulnerabilities/CVE-2021-45116/44427", "specs": [ "<2.2.26", ">=3.0a1,<3.2.11", ">=4.0a1,<4.0.1" ], "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" }, { "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/", "cve": "CVE-2021-45452", "id": "pyup.io-44426", "more_info_path": "/vulnerabilities/CVE-2021-45452/44426", "specs": [ "<2.2.26", ">=3.0a1,<3.2.11", ">=4.0a1,<4.0.1" ], "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" }, { "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/", "cve": "CVE-2021-45115", "id": "pyup.io-44423", "more_info_path": "/vulnerabilities/CVE-2021-45115/44423", "specs": [ "<2.2.26", ">=3.0a1,<3.2.11", ">=4.0a1,<4.0.1" ], "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1" }, { "advisory": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. 
This may lead to XSS.", "cve": "CVE-2022-22818", "id": "pyup.io-44742", "more_info_path": "/vulnerabilities/CVE-2022-22818/44742", "specs": [ "<2.2.27", ">=3.0a1,<3.2.12", ">=4.0a1,<4.0.2" ], "v": "<2.2.27,>=3.0a1,<3.2.12,>=4.0a1,<4.0.2" }, { "advisory": "Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads.\r\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases", "cve": "CVE-2022-23833", "id": "pyup.io-44741", "more_info_path": "/vulnerabilities/CVE-2022-23833/44741", "specs": [ "<2.2.27", ">=3.0a1,<3.2.12", ">=4.0a1,<4.0.2" ], "v": "<2.2.27,>=3.0a1,<3.2.12,>=4.0a1,<4.0.2" }, { "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases", "cve": "CVE-2022-28346", "id": "pyup.io-48041", "more_info_path": "/vulnerabilities/CVE-2022-28346/48041", "specs": [ "<2.2.28", ">=3.0a1,<3.2.13", ">=4.0a1,<4.0.4" ], "v": "<2.2.28,>=3.0a1,<3.2.13,>=4.0a1,<4.0.4" }, { "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. 
This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases", "cve": "CVE-2022-28347", "id": "pyup.io-48040", "more_info_path": "/vulnerabilities/CVE-2022-28347/48040", "specs": [ "<2.2.28", ">=3.0a1,<3.2.13", ">=4.0a1,<4.0.4" ], "v": "<2.2.28,>=3.0a1,<3.2.13,>=4.0a1,<4.0.4" }, { "advisory": "Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.\r\nhttps://www.djangoproject.com/weblog/2022/jul/04/security-releases", "cve": "CVE-2022-34265", "id": "pyup.io-49733", "more_info_path": "/vulnerabilities/CVE-2022-34265/49733", "specs": [ "<3.2.14", ">=4.0a1,<4.0.6" ], "v": "<3.2.14,>=4.0a1,<4.0.6" }, { "advisory": "Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. 
An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.\r\nhttps://www.djangoproject.com/weblog/2022/aug/03/security-releases", "cve": "CVE-2022-36359", "id": "pyup.io-50454", "more_info_path": "/vulnerabilities/CVE-2022-36359/50454", "specs": [ "<3.2.15", ">=4.0a1,<4.0.7" ], "v": "<3.2.15,>=4.0a1,<4.0.7" }, { "advisory": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.", "cve": "CVE-2022-41323", "id": "pyup.io-51340", "more_info_path": "/vulnerabilities/CVE-2022-41323/51340", "specs": [ "<3.2.16", ">=4.0a1,<4.0.8", ">=4.1a1,<4.1.2" ], "v": "<3.2.16,>=4.0a1,<4.0.8,>=4.1a1,<4.1.2" }, { "advisory": "Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. 
This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.\r\nhttps://www.djangoproject.com/weblog/2023/feb/01/security-releases", "cve": "CVE-2023-23969", "id": "pyup.io-52945", "more_info_path": "/vulnerabilities/CVE-2023-23969/52945", "specs": [ "<3.2.17", ">=4.0a1,<4.0.9", ">=4.1a1,<4.1.6" ], "v": "<3.2.17,>=4.0a1,<4.0.9,>=4.1a1,<4.1.6" }, { "advisory": "Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.\r\nhttps://www.djangoproject.com/weblog/2023/feb/14/security-releases", "cve": "CVE-2023-24580", "id": "pyup.io-53315", "more_info_path": "/vulnerabilities/CVE-2023-24580/53315", "specs": [ "<3.2.18", ">=4.0a1,<4.0.10", ">=4.1a1,<4.1.7" ], "v": "<3.2.18,>=4.0a1,<4.0.10,>=4.1a1,<4.1.7" }, { "advisory": "Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). 
However, Django's \"Uploading multiple files\" documentation suggested otherwise.\r\nhttps://www.djangoproject.com/weblog/2023/may/03/security-releases", "cve": "CVE-2023-31047", "id": "pyup.io-55264", "more_info_path": "/vulnerabilities/CVE-2023-31047/55264", "specs": [ "<3.2.19", ">=4.0a1,<4.1.9", ">=4.2a1,<4.2.1" ], "v": "<3.2.19,>=4.0a1,<4.1.9,>=4.2a1,<4.2.1" }, { "advisory": "Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri().", "cve": "CVE-2023-41164", "id": "pyup.io-60956", "more_info_path": "/vulnerabilities/CVE-2023-41164/60956", "specs": [ "<3.2.21", ">=4.0a1,<4.1.11", ">=4.2a1,<4.2.5" ], "v": "<3.2.21,>=4.0a1,<4.1.11,>=4.2a1,<4.2.5" }, { "advisory": "Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. 
NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.", "cve": "CVE-2023-43665", "id": "pyup.io-61586", "more_info_path": "/vulnerabilities/CVE-2023-43665/61586", "specs": [ "<3.2.22", ">=4.0a1,<4.1.12", ">=4.2a1,<4.2.6" ], "v": "<3.2.22,>=4.0a1,<4.1.12,>=4.2a1,<4.2.6" }, { "advisory": "Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows.\r\nhttps://www.djangoproject.com/weblog/2023/nov/01/security-releases", "cve": "CVE-2023-46695", "id": "pyup.io-62126", "more_info_path": "/vulnerabilities/CVE-2023-46695/62126", "specs": [ "<3.2.23", ">=4.0a1,<4.1.13", ">=4.2a1,<4.2.7" ], "v": "<3.2.23,>=4.0a1,<4.1.13,>=4.2a1,<4.2.7" }, { "advisory": "Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings.", "cve": "CVE-2024-24680", "id": "pyup.io-64976", "more_info_path": "/vulnerabilities/CVE-2024-24680/64976", "specs": [ "<3.2.24", ">=4.0a1,<4.2.10", ">=5.0a1,<5.0.2" ], "v": "<3.2.24,>=4.0a1,<4.2.10,>=5.0a1,<5.0.2" }, { "advisory": "Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).", "cve": "CVE-2024-27351", "id": "pyup.io-65771", "more_info_path": "/vulnerabilities/CVE-2024-27351/65771", "specs": [ "<3.2.25", ">=4.0a1,<4.2.11", ">=5.0a1,<5.0.3" ], "v": "<3.2.25,>=4.0a1,<4.2.11,>=5.0a1,<5.0.3" }, { "advisory": "Affected versions of Django are potentially vulnerable to denial-of-service via the get_supported_language_variant() method. This method was susceptible to a denial-of-service attack when used with very long strings containing specific characters. 
Exploiting this vulnerability could cause significant delays or crashes in the affected application, potentially leading to service disruption.", "cve": "CVE-2024-39614", "id": "pyup.io-72111", "more_info_path": "/vulnerabilities/CVE-2024-39614/72111", "specs": [ "<4.2.14", ">=5.0a1,<5.0.7" ], "v": "<4.2.14,>=5.0a1,<5.0.7" }, { "advisory": "Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories.", "cve": "CVE-2024-39330", "id": "pyup.io-72110", "more_info_path": "/vulnerabilities/CVE-2024-39330/72110", "specs": [ "<4.2.14", ">=5.0a1,<5.0.7" ], "v": "<4.2.14,>=5.0a1,<5.0.7" }, { "advisory": "Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access.", "cve": "CVE-2024-39329", "id": "pyup.io-72109", "more_info_path": "/vulnerabilities/CVE-2024-39329/72109", "specs": [ "<4.2.14", ">=5.0a1,<5.0.7" ], "v": "<4.2.14,>=5.0a1,<5.0.7" }, { "advisory": "Affected versions of Django are affected by a potential denial-of-service vulnerability in the django.utils.html.urlize() function. The urlize and urlizetrunc template filters were susceptible to a denial-of-service attack via certain inputs containing many brackets. 
An attacker could exploit this vulnerability to cause significant delays or crashes in the affected application.", "cve": "CVE-2024-38875", "id": "pyup.io-72095", "more_info_path": "/vulnerabilities/CVE-2024-38875/72095", "specs": [ "<4.2.14", ">=5.0a1,<5.0.7" ], "v": "<4.2.14,>=5.0a1,<5.0.7" }, { "advisory": "Django has a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. The urlize and urlizetrunc functions, along with AdminURLFieldWidget, are vulnerable to denial-of-service attacks when handling inputs with a very large number of Unicode characters.", "cve": "CVE-2024-41991", "id": "pyup.io-72520", "more_info_path": "/vulnerabilities/CVE-2024-41991/72520", "specs": [ "<4.2.15", ">=5.0a1,<5.0.8" ], "v": "<4.2.15,>=5.0a1,<5.0.8" }, { "advisory": "Django addresses a memory exhaustion issue in django.utils.numberformat.floatformat(). When floatformat receives a string representation of a number in scientific notation with a large exponent, it could lead to excessive memory consumption. To prevent this, decimals with more than 200 digits are now returned as-is.", "cve": "CVE-2024-41990", "id": "pyup.io-72515", "more_info_path": "/vulnerabilities/CVE-2024-41990/72515", "specs": [ "<4.2.15", ">=5.0a1,<5.0.8" ], "v": "<4.2.15,>=5.0a1,<5.0.8" }, { "advisory": "Affected versions of Django have a potential SQL injection vulnerability in the QuerySet.values() and QuerySet.values_list() methods. When used on models with a JSONField, these methods are susceptible to SQL injection through column aliases if a crafted JSON object key is passed as an argument.", "cve": "CVE-2024-42005", "id": "pyup.io-72521", "more_info_path": "/vulnerabilities/CVE-2024-42005/72521", "specs": [ "<4.2.15", ">=5.0a1,<5.0.8" ], "v": "<4.2.15,>=5.0a1,<5.0.8" }, { "advisory": "A potential denial-of-service vulnerability has been identified in Django's urlize() and urlizetrunc() functions in django.utils.html. 
This vulnerability can be triggered by inputting huge strings containing a specific sequence of characters.", "cve": "CVE-2024-45230", "id": "pyup.io-73023", "more_info_path": "/vulnerabilities/CVE-2024-45230/73023", "specs": [ "<4.2.16", ">=5.0a1,<5.0.9", ">=5.1a1,<5.1.1" ], "v": "<4.2.16,>=5.0a1,<5.0.9,>=5.1a1,<5.1.1" }, { "advisory": "A security vulnerability has been discovered in certain versions of Django, affecting the password reset functionality. The PasswordResetForm class in django.contrib.auth.forms inadvertently allowed attackers to enumerate user email addresses by exploiting unhandled exceptions during the email sending process. This could be done by issuing password reset requests and observing the responses. Django has implemented a fix where these exceptions are now caught and logged using the django.contrib.auth logger, preventing potential information leakage through error responses.", "cve": "CVE-2024-45231", "id": "pyup.io-73028", "more_info_path": "/vulnerabilities/CVE-2024-45231/73028", "specs": [ "<4.2.16", ">=5.0a1,<5.0.9", ">=5.1a1,<5.1.1" ], "v": "<4.2.16,>=5.0a1,<5.0.9,>=5.1a1,<5.1.1" }, { "advisory": "bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.", "cve": "CVE-2007-0404", "id": "pyup.io-61151", "more_info_path": "/vulnerabilities/CVE-2007-0404/61151", "specs": [ "<=0.95" ], "v": "<=0.95" }, { "advisory": "The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.", "cve": "CVE-2007-0405", "id": "pyup.io-61152", "more_info_path": "/vulnerabilities/CVE-2007-0405/61152", "specs": [ "<=0.95" ], "v": "<=0.95" }, { "advisory": "Django versions until 1.3.6 and from 1.4 to 1.4.4 are vulnerable to Denial 
of Service (DoS) attacks. These attacks exploit a weakness during the deserialization of XML objects, related to CVE-2013-1664. DoS vulnerabilities, including this one, can severely impair system accessibility for legitimate users without necessarily compromising the security of the system. They achieve this by overwhelming the service with an excessive load, either through high CPU/memory consumption or by causing the system to crash.", "cve": "PVE-2024-99804", "id": "pyup.io-66011", "more_info_path": "/vulnerabilities/PVE-2024-99804/66011", "specs": [ ">=0,<1.3.6", ">=1.4,<1.4.4" ], "v": ">=0,<1.3.6,>=1.4,<1.4.4" }, { "advisory": "Django versions until 1.3.6 and from 1.4 to 1.4.4 can be compromised through XML External Entity (XXE) attacks. These attacks allow an attacker to read arbitrary files by utilizing an XML external entity declaration along with an entity reference. The vulnerability stems from XML processing systems that, by default, accept external entity specifications. This can lead to unauthorized disclosure of sensitive information, such as passwords or private user data, by accessing local or remote files and possibly impact application availability by overloading the application with data\u2014raising the risk of a Denial of Service (DoS).", "cve": "PVE-2024-99805", "id": "pyup.io-66010", "more_info_path": "/vulnerabilities/PVE-2024-99805/66010", "specs": [ ">=0,<1.3.6", ">=1.4,<1.4.4" ], "v": ">=0,<1.3.6,>=1.4,<1.4.4" }, { "advisory": "The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.\r\nhttps://www.djangoproject.com/weblog/2009/jul/28/security/", "cve": "CVE-2009-2659", "id": "pyup.io-25694", "more_info_path": "/vulnerabilities/CVE-2009-2659/25694", "specs": [ ">=1.0a0,<1.0.3", "<0.96.4" ], "v": ">=1.0a0,<1.0.3,<0.96.4" }, { "advisory": 
"Django version 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7233: Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely 'django.utils.http.is_safe_url()') considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on 'is_safe_url()' to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/", "cve": "CVE-2017-7233", "id": "pyup.io-33300", "more_info_path": "/vulnerabilities/CVE-2017-7233/33300", "specs": [ ">=1.10a1,<1.10.7", ">=1.9a1,<1.9.13", ">=1.8a1,<1.8.18" ], "v": ">=1.10a1,<1.10.7,>=1.9a1,<1.9.13,>=1.8a1,<1.8.18" }, { "advisory": "Django 1.11.29, 2.2.11 and 3.0.4 includes a fix for CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.\r\nhttps://www.djangoproject.com/weblog/2020/mar/04/security-releases", "cve": "CVE-2020-9402", "id": "pyup.io-38010", "more_info_path": "/vulnerabilities/CVE-2020-9402/38010", "specs": [ ">=1.11a1,<1.1.29", ">=2.2a1,<2.2.11", ">=3.0a1,<3.0.4" ], "v": ">=1.11a1,<1.1.29,>=2.2a1,<2.2.11,>=3.0a1,<3.0.4" }, { "advisory": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. 
A remote user can redirect the target user's browser to an arbitrary site.", "cve": "CVE-2018-14574", "id": "pyup.io-36368", "more_info_path": "/vulnerabilities/CVE-2018-14574/36368", "specs": [ ">=1.11a1,<1.11.15", ">=2.0a1,<2.0.8" ], "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8" }, { "advisory": "Django 1.11.21, 2.1.9 and 2.2.2 include a fix for CVE-2019-12308: The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, a non validated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", "cve": "CVE-2019-12308", "id": "pyup.io-37186", "more_info_path": "/vulnerabilities/CVE-2019-12308/37186", "specs": [ ">=1.11a1,<1.11.21", ">=2.0a1,<2.1.9", ">=2.2a1,<2.2.2" ], "v": ">=1.11a1,<1.11.21,>=2.0a1,<2.1.9,>=2.2a1,<2.2.2" }, { "advisory": "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", "cve": "CVE-2019-12781", "id": "pyup.io-37261", "more_info_path": "/vulnerabilities/CVE-2019-12781/37261", "specs": [ ">=1.11a1,<1.11.22", ">=2.2a1,<2.2.3", ">=2.1a1,<2.1.10" ], "v": ">=1.11a1,<1.11.22,>=2.2a1,<2.2.3,>=2.1a1,<2.1.10" }, { "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14234: Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. 
This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", "cve": "CVE-2019-14234", "id": "pyup.io-39592", "more_info_path": "/vulnerabilities/CVE-2019-14234/39592", "specs": [ ">=1.11a1,<1.11.23", ">=2.0a1,<2.1.11", ">=2.2a1,<2.2.4" ], "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4" }, { "advisory": "Django 1.11.23, 2.1.11, and 2.2.4 include a fix for CVE-2019-14233: Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", "cve": "CVE-2019-14233", "id": "pyup.io-39593", "more_info_path": "/vulnerabilities/CVE-2019-14233/39593", "specs": [ ">=1.11a1,<1.11.23", ">=2.0a1,<2.1.11", ">=2.2a1,<2.2.4" ], "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4" }, { "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 includes a fix for CVE-2019-14235: If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", "cve": "CVE-2019-14235", "id": "pyup.io-39591", "more_info_path": "/vulnerabilities/CVE-2019-14235/39591", "specs": [ ">=1.11a1,<1.11.23", ">=2.0a1,<2.1.11", ">=2.2a1,<2.2.4" ], "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4" }, { "advisory": "Django 1.11.27, 2.2.9 and 3.0.1 include a fix for CVE-2019-19844: Account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
One mitigation in the new releases is to send password reset tokens only to the registered user email address.", "cve": "CVE-2019-19844", "id": "pyup.io-37661", "more_info_path": "/vulnerabilities/CVE-2019-19844/37661", "specs": [ ">=1.11a1,<1.11.27", ">=2.0a1,<2.2.9", ">=3.0a1,<3.0.1" ], "v": ">=1.11a1,<1.11.27,>=2.0a1,<2.2.9,>=3.0a1,<3.0.1" }, { "advisory": "Django 1.11.28, 2.2.10 and 3.0.3 include a fix for CVE-2020-7471: SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", "cve": "CVE-2020-7471", "id": "pyup.io-37815", "more_info_path": "/vulnerabilities/CVE-2020-7471/37815", "specs": [ ">=1.11a1,<1.11.28", ">=2.0a1,<2.2.10", ">=3.0a1,<3.0.3" ], "v": ">=1.11a1,<1.11.28,>=2.0a1,<2.2.10,>=3.0a1,<3.0.3" }, { "advisory": "The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service (memory consumption) or trigger server errors via a modified max_num parameter.", "cve": "CVE-2013-0306", "id": "pyup.io-33112", "more_info_path": "/vulnerabilities/CVE-2013-0306/33112", "specs": [ ">=1.3a1,<1.3.6", ">=1.4a1,<1.4.4", ">=1.5a1,<1.5.1" ], "v": ">=1.3a1,<1.3.6,>=1.4a1,<1.4.4,>=1.5a1,<1.5.1" }, { "advisory": "The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.", "cve": "CVE-2015-5964", "id": "pyup.io-25728", "more_info_path": "/vulnerabilities/CVE-2015-5964/25728", 
"specs": [ ">=1.4a1,<1.4.22", ">=1.7a1,<1.7.10" ], "v": ">=1.4a1,<1.4.22,>=1.7a1,<1.7.10" }, { "advisory": "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", "cve": "CVE-2015-5963", "id": "pyup.io-25727", "more_info_path": "/vulnerabilities/CVE-2015-5963/25727", "specs": [ ">=1.4a1,<1.4.22", ">=1.7a1,<1.7.10", ">=1.8a1,<1.8.4" ], "v": ">=1.4a1,<1.4.22,>=1.7a1,<1.7.10,>=1.8a1,<1.8.4" }, { "advisory": "The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by \"the login view in django.contrib.auth.views\" and the javascript: scheme.", "cve": "CVE-2013-6044", "id": "pyup.io-42237", "more_info_path": "/vulnerabilities/CVE-2013-6044/42237", "specs": [ ">=1.4a1,<1.4.6", ">=1.5a1,<1.5.2", ">=1.6a1,<1.6b2" ], "v": ">=1.4a1,<1.4.6,>=1.5a1,<1.5.2,>=1.6a1,<1.6b2" }, { "advisory": "The Django administrative tool, known as django.contrib.admin, presumes the value of a URLField to be secure. 
As a result, it doesn't utilize an escape function when presenting it, which could potentially permit a malefactor to conduct a cross-site scripting (XSS) attack within the administrative interface.", "cve": "PVE-2023-99933", "id": "pyup.io-61888", "more_info_path": "/vulnerabilities/PVE-2023-99933/61888", "specs": [ ">=1.5,<1.5.2" ], "v": ">=1.5,<1.5.2" }, { "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.", "cve": "CVE-2013-0305", "id": "pyup.io-33111", "more_info_path": "/vulnerabilities/CVE-2013-0305/33111", "specs": [ ">=1.5a1,<1.5.1", ">=1.4a1,<1.4.4", ">=1.3a1,<1.3.6" ], "v": ">=1.5a1,<1.5.1,>=1.4a1,<1.4.4,>=1.3a1,<1.3.6" }, { "advisory": "Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField. 
See: CVE-2013-4249.", "cve": "CVE-2013-4249", "id": "pyup.io-35456", "more_info_path": "/vulnerabilities/CVE-2013-4249/35456", "specs": [ ">=1.5a1,<1.5.2", ">=1.6a1,<1.6b2" ], "v": ">=1.5a1,<1.5.2,>=1.6a1,<1.6b2" }, { "advisory": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\"", "cve": "CVE-2014-3730", "id": "pyup.io-35569", "more_info_path": "/vulnerabilities/CVE-2014-3730/35569", "specs": [ ">=1.5a1,<1.5.8", ">=1.6a1,<1.6.5", ">=1.7a1,<1.7b4", "<1.4.13" ], "v": ">=1.5a1,<1.5.8,>=1.6a1,<1.6.5,>=1.7a1,<1.7b4,<1.4.13" }, { "advisory": "ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.", "cve": "CVE-2015-0222", "id": "pyup.io-25730", "more_info_path": "/vulnerabilities/CVE-2015-0222/25730", "specs": [ ">=1.6a1,<1.6.10", ">=1.7a1,<1.7.3" ], "v": ">=1.6a1,<1.6.10,>=1.7a1,<1.7.3" }, { "advisory": "The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.", "cve": "CVE-2013-1443", "id": "pyup.io-25729", "more_info_path": "/vulnerabilities/CVE-2013-1443/25729", "specs": [ ">=1.6a1,<1.6b4", ">=1.4a1,<1.4.8", ">=1.5a1,<1.5.4" ], "v": ">=1.6a1,<1.6b4,>=1.4a1,<1.4.8,>=1.5a1,<1.5.4" }, { "advisory": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers 
to have unspecified impact and vectors, related to \"MySQL typecasting.\"", "cve": "CVE-2014-0474", "id": "pyup.io-35512", "more_info_path": "/vulnerabilities/CVE-2014-0474/35512", "specs": [ ">=1.7a1,<1.7b2", ">=1.6a1,<1.6.3", ">=1.5a1,<1.5.6", "<1.4.11" ], "v": ">=1.7a1,<1.7b2,>=1.6a1,<1.6.3,>=1.5a1,<1.5.6,<1.4.11" }, { "advisory": "Django versions 1.10.7, 1.9.13 and 1.8.18 include a fix for CVE-2017-7234: A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the 'django.views.static.serve()' view could redirect to any other domain, aka an open redirect vulnerability.\r\nhttps://www.djangoproject.com/weblog/2017/apr/04/security-releases/\r\nhttp://www.debian.org/security/2017/dsa-3835\r\nhttp://www.securityfocus.com/bid/97401\r\nhttp://www.securitytracker.com/id/1038177", "cve": "CVE-2017-7234", "id": "pyup.io-35740", "more_info_path": "/vulnerabilities/CVE-2017-7234/35740", "specs": [ ">=1.8.0a1,<1.8.18", ">=1.9.0a1,<1.9.13", ">=1.10.0a1,<1.10.7" ], "v": ">=1.8.0a1,<1.8.18,>=1.9.0a1,<1.9.13,>=1.10.0a1,<1.10.7" }, { "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", "cve": "CVE-2016-9013", "id": "pyup.io-33076", "more_info_path": "/vulnerabilities/CVE-2016-9013/33076", "specs": [ ">=1.8a1,<1.8.16", ">=1.9a1,<1.9.11", ">=1.10a1,<1.10.3" ], "v": ">=1.8a1,<1.8.16,>=1.9a1,<1.9.11,>=1.10a1,<1.10.3" }, { "advisory": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", "cve": "CVE-2016-9014", 
"id": "pyup.io-33075", "more_info_path": "/vulnerabilities/CVE-2016-9014/33075", "specs": [ ">=1.8a1,<1.8.16", ">=1.9a1,<1.9.11", ">=1.10a1,<1.10.3" ], "v": ">=1.8a1,<1.8.16,>=1.9a1,<1.9.11,>=1.10a1,<1.10.3" }, { "advisory": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", "cve": "CVE-2015-3982", "id": "pyup.io-25732", "more_info_path": "/vulnerabilities/CVE-2015-3982/25732", "specs": [ ">=1.8a1,<1.8.2" ], "v": ">=1.8a1,<1.8.2" }, { "advisory": "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", "cve": "CVE-2015-5145", "id": "pyup.io-25733", "more_info_path": "/vulnerabilities/CVE-2015-5145/25733", "specs": [ ">=1.8a1,<1.8.3" ], "v": ">=1.8a1,<1.8.3" }, { "advisory": "The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.", "cve": "CVE-2015-2316", "id": "pyup.io-25731", "more_info_path": "/vulnerabilities/CVE-2015-2316/25731", "specs": [ ">=1.8a1,<1.8c1", ">=1.7a1,<1.7.7", ">=1.6a1,<1.6.11" ], "v": ">=1.8a1,<1.8c1,>=1.7a1,<1.7.7,>=1.6a1,<1.6.11" }, { "advisory": "Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the \"Save as New\" option when editing objects and leveraging the \"change\" permission.", "cve": "CVE-2016-2048", "id": "pyup.io-25735", "more_info_path": "/vulnerabilities/CVE-2016-2048/25735", "specs": [ ">=1.9a1,<1.9.2" ], "v": ">=1.9a1,<1.9.2" }, { "advisory": "Django 1.11.19, 2.0.11 and 2.1.6 include a fix for CVE-2019-6975: Uncontrolled Memory Consumption via a 
malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", "id": "pyup.io-36884", "more_info_path": "/vulnerabilities/CVE-2019-6975/36884", "specs": [ ">=2.0a1,<2.0.11", "<1.11.19", ">=2.1a1,<2.1.6" ], "v": ">=2.0a1,<2.0.11,<1.11.19,>=2.1a1,<2.1.6" }, { "advisory": "Django 2.0.2 and 1.11.10 include a fix for CVE-2018-6188: django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.\r\nhttps://www.djangoproject.com/weblog/2018/feb/01/security-releases", "cve": "CVE-2018-6188", "id": "pyup.io-35173", "more_info_path": "/vulnerabilities/CVE-2018-6188/35173", "specs": [ ">=2.0a1,<2.0.2", "==1.11.8", "==1.11.9" ], "v": ">=2.0a1,<2.0.2,==1.11.8,==1.11.9" }, { "advisory": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. See: CVE-2018-7536.", "cve": "CVE-2018-7536", "id": "pyup.io-35797", "more_info_path": "/vulnerabilities/CVE-2018-7536/35797", "specs": [ ">=2.0a1,<2.0.3", ">=1.8a1,<1.8.19", ">=1.11a1,<1.11.11" ], "v": ">=2.0a1,<2.0.3,>=1.8a1,<1.8.19,>=1.11a1,<1.11.11" }, { "advisory": "Django 2.0.3, 1.8.19 and 1.11.11 include a fix for CVE-2018-7537: An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. 
If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "cve": "CVE-2018-7537", "id": "pyup.io-35796", "more_info_path": "/vulnerabilities/CVE-2018-7537/35796", "specs": [ ">=2.0a1,<2.0.3", ">=1.8a1,<1.8.19", ">=1.11a1,<1.11.11" ], "v": ">=2.0a1,<2.0.3,>=1.8a1,<1.8.19,>=1.11a1,<1.11.11" }, { "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14232: If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "cve": "CVE-2019-14232", "id": "pyup.io-37326", "more_info_path": "/vulnerabilities/CVE-2019-14232/37326", "specs": [ ">=2.0a1,<2.1.11", ">=2.2a1,<2.2.4", "<1.11.23" ], "v": ">=2.0a1,<2.1.11,>=2.2a1,<2.2.4,<1.11.23" }, { "advisory": "Django 2.2.18, 3.0.12 and 3.1.6 include a fix for CVE-2021-3281: The django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments.", "cve": "CVE-2021-3281", "id": "pyup.io-39521", "more_info_path": "/vulnerabilities/CVE-2021-3281/39521", "specs": [ ">=2.0a1,<2.2.18", ">=3.0a1,<3.0.12", ">=3.1a1,<3.1.6" ], "v": ">=2.0a1,<2.2.18,>=3.0a1,<3.0.12,>=3.1a1,<3.1.6" }, { "advisory": "Django 1.11.16, 2.0.9 and 2.1.1 include a fix for a Race Condition vulnerability that could lead to data 
loss.\r\nhttps://github.com/django/django/commit/221ef69a9b89262456bb7abe0e5a4b2fda4a0695", "cve": "PVE-2023-60132", "id": "pyup.io-60132", "more_info_path": "/vulnerabilities/PVE-2023-60132/60132", "specs": [ ">=2.1a1,<2.1.1", ">=2.0a1,<2.0.9", "<1.11.16" ], "v": ">=2.1a1,<2.1.1,>=2.0a1,<2.0.9,<1.11.16" }, { "advisory": "Django 2.1.15 and 2.2.8 includes a fix for CVE-2019-19118: A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.", "cve": "CVE-2019-19118", "id": "pyup.io-37656", "more_info_path": "/vulnerabilities/CVE-2019-19118/37656", "specs": [ ">=2.1a1,<2.1.15", ">=2.2a1,<2.2.8" ], "v": ">=2.1a1,<2.1.15,>=2.2a1,<2.2.8" }, { "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. 
This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", "cve": "CVE-2018-16984", "id": "pyup.io-36522", "more_info_path": "/vulnerabilities/CVE-2018-16984/36522", "specs": [ ">=2.1a1,<2.1.2" ], "v": ">=2.1a1,<2.1.2" }, { "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.", "cve": "CVE-2019-3498", "id": "pyup.io-36769", "more_info_path": "/vulnerabilities/CVE-2019-3498/36769", "specs": [ ">=2.1a1,<2.1.5" ], "v": ">=2.1a1,<2.1.5" }, { "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.", "cve": "CVE-2021-28658", "id": "pyup.io-40163", "more_info_path": "/vulnerabilities/CVE-2021-28658/40163", "specs": [ ">=2.2a1,<2.2.20", ">=3.0a1,<3.0.14", ">=3.1a1,<3.1.8" ], "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8" }, { "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 include a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. 
(validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).\r\nhttps://www.djangoproject.com/weblog/2021/jun/02/security-releases", "cve": "CVE-2021-33571", "id": "pyup.io-40638", "more_info_path": "/vulnerabilities/CVE-2021-33571/40638", "specs": [ ">=3.0.0a1,<3.1.12", ">=3.2.0a1,<3.2.4", "<2.2.24" ], "v": ">=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4,<2.2.24" }, { "advisory": "Django versions 2.2.19, 3.0.13 and 3.1.7 include a fix for CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of 'urllib.parse.parse_qsl' which was added to backport some security fixes. A further security fix has been issued recently such that 'parse_qsl(' no longer allows using ';' as a query parameter separator by default.", "cve": "CVE-2021-23336", "id": "pyup.io-39646", "more_info_path": "/vulnerabilities/CVE-2021-23336/39646", "specs": [ ">=3.0a1,<3.0.13", ">=3.1a1,<3.1.7", "<2.2.19" ], "v": ">=3.0a1,<3.0.13,>=3.1a1,<3.1.7,<2.2.19" }, { "advisory": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.", "cve": "CVE-2020-13596", "id": "pyup.io-38372", "more_info_path": "/vulnerabilities/CVE-2020-13596/38372", "specs": [ ">=3.0a1,<3.0.7", ">=2.2a1,<2.2.13" ], "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" }, { "advisory": "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. 
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.", "cve": "CVE-2020-13254", "id": "pyup.io-38373", "more_info_path": "/vulnerabilities/CVE-2020-13254/38373", "specs": [ ">=3.0a1,<3.0.7", ">=2.2a1,<2.2.13" ], "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" }, { "advisory": "Django versions 3.2.2, 3.1.10 and 2.2.22 include a fix for CVE-2021-32052: In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.\r\nhttps://www.djangoproject.com/weblog/2021/may/06/security-releases", "cve": "CVE-2021-32052", "id": "pyup.io-40414", "more_info_path": "/vulnerabilities/CVE-2021-32052/40414", "specs": [ ">=3.1a1,<3.1.10", ">=2.2a1,<2.2.22", ">=3.2a1,<3.2.2" ], "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2" }, { "advisory": "Django versions 3.1.13 and 3.2.5 include a fix for CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.\r\nhttps://www.djangoproject.com/weblog/2021/jul/01/security-releases/\r\nhttps://www.openwall.com/lists/oss-security/2021/07/02/2\r\nhttps://docs.djangoproject.com/en/3.2/releases/security/\r\nhttps://groups.google.com/forum/#%21forum/django-announce", "cve": "CVE-2021-35042", "id": "pyup.io-40899", "more_info_path": "/vulnerabilities/CVE-2021-35042/40899", "specs": [ ">=3.1a1,<3.1.13", ">=3.2a1,<3.2.5" ], "v": ">=3.1a1,<3.1.13,>=3.2a1,<3.2.5" }, { "advisory": "Django 2.2.21, 3.1.9 and 3.2.1 include a fix for CVE-2021-31542: MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted 
file names.\r\nhttps://www.djangoproject.com/weblog/2021/may/04/security-releases", "cve": "CVE-2021-31542", "id": "pyup.io-40404", "more_info_path": "/vulnerabilities/CVE-2021-31542/40404", "specs": [ ">=3.2a1,<3.2.1", "<2.2.21", ">=3.0a1,<3.1.9" ], "v": ">=3.2a1,<3.2.1,<2.2.21,>=3.0a1,<3.1.9" }, { "advisory": "Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs.", "cve": "CVE-2023-36053", "id": "pyup.io-59293", "more_info_path": "/vulnerabilities/CVE-2023-36053/59293", "specs": [ ">=4.0a1,<4.1.10", ">=4.2a1,<4.2.3", "<3.2.20" ], "v": ">=4.0a1,<4.1.10,>=4.2a1,<4.2.3,<3.2.20" } ], "django-access-tokens": [ { "advisory": "Django-access-tokens 0.9.2 fixes scoping of permissions where the token provided a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.\r\nhttps://github.com/mohawkhq/django-access-tokens/compare/0.9.1...0.9.2", "cve": "PVE-2021-25736", "id": "pyup.io-25736", "more_info_path": "/vulnerabilities/PVE-2021-25736/25736", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "django-access-tokens-py3": [ { "advisory": "Django-access-tokens-py3 0.9.2 fixes scoping of permissions where the token provided a smaller subset of the required permissions. 
As an extreme case, an access token granting no permissions could be used to access any permissions on the site.\r\nhttps://github.com/ducminhgd/django-access-tokens-py3/compare/0.9.1...0.9.2", "cve": "PVE-2021-34892", "id": "pyup.io-34892", "more_info_path": "/vulnerabilities/PVE-2021-34892/34892", "specs": [ "<0.9.2" ], "v": "<0.9.2" } ], "django-addon": [ { "advisory": "Django-addon 1.11.5.1 updates its dependency 'django' to v1.11.5 to include a security fix.", "cve": "CVE-2017-12794", "id": "pyup.io-36156", "more_info_path": "/vulnerabilities/CVE-2017-12794/36156", "specs": [ "<1.11.5.1" ], "v": "<1.11.5.1" } ], "django-afip": [ { "advisory": "Django-afip 7.1.1 reduces TLS security for AFIP's servers. Sadly, AFIP only has insecure endpoints, so maintainers were forced to reduce security to talk to them.\r\nhttps://github.com/WhyNotHugo/django-afip/commit/51abdd1d83d81e979dcfba9eee23d9a33ae318c3", "cve": "PVE-2021-38705", "id": "pyup.io-38705", "more_info_path": "/vulnerabilities/PVE-2021-38705/38705", "specs": [ ">=7.1.1" ], "v": ">=7.1.1" } ], "django-airplane": [ { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2020-13254", "id": "pyup.io-43722", "more_info_path": "/vulnerabilities/CVE-2020-13254/43722", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2021-28658", "id": "pyup.io-43717", "more_info_path": "/vulnerabilities/CVE-2021-28658/43717", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2020-24584", "id": "pyup.io-43720", "more_info_path": "/vulnerabilities/CVE-2020-24584/43720", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2021-33203", "id": "pyup.io-43713", "more_info_path": 
"/vulnerabilities/CVE-2021-33203/43713", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior versions depend on an insecure Django version (2.2.10).", "cve": "CVE-2021-33571", "id": "pyup.io-43714", "more_info_path": "/vulnerabilities/CVE-2021-33571/43714", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior includes a vulnerable version of 'Django' (3.1.7).", "cve": "CVE-2021-32052", "id": "pyup.io-43715", "more_info_path": "/vulnerabilities/CVE-2021-32052/43715", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2021-3281", "id": "pyup.io-43719", "more_info_path": "/vulnerabilities/CVE-2021-3281/43719", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2021-23336", "id": "pyup.io-43718", "more_info_path": "/vulnerabilities/CVE-2021-23336/43718", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2020-9402", "id": "pyup.io-43724", "more_info_path": "/vulnerabilities/CVE-2020-9402/43724", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2020-13596", "id": "pyup.io-43723", "more_info_path": "/vulnerabilities/CVE-2020-13596/43723", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2021-44420", "id": "pyup.io-43712", "more_info_path": "/vulnerabilities/CVE-2021-44420/43712", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior depends on an insecure Django version (2.2.10).", "cve": "CVE-2020-24583", "id": "pyup.io-43721", "more_info_path": 
"/vulnerabilities/CVE-2020-24583/43721", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" }, { "advisory": "Django-airplane 1.1.0 and prior versions include a vulnerable version of 'Django' (3.1.7).", "cve": "CVE-2021-31542", "id": "pyup.io-43716", "more_info_path": "/vulnerabilities/CVE-2021-31542/43716", "specs": [ "<=1.1.0" ], "v": "<=1.1.0" } ], "django-ajax-datatable": [ { "advisory": "Django-ajax-datatable version 4.1.4 adds missing CSRF token header in the first POST call (initialize_table()).", "cve": "PVE-2021-41834", "id": "pyup.io-41834", "more_info_path": "/vulnerabilities/PVE-2021-41834/41834", "specs": [ "<4.1.4" ], "v": "<4.1.4" }, { "advisory": "Django-ajax-datatable 4.4.0 strips HTML tags by default in the rendered table for security reasons.\r\nhttps://github.com/morlandi/django-ajax-datatable/commit/702d2acfc953c2e9a2deb098e10c124cefb2bfc3", "cve": "PVE-2021-43640", "id": "pyup.io-43640", "more_info_path": "/vulnerabilities/PVE-2021-43640/43640", "specs": [ "<4.4.0" ], "v": "<4.4.0" } ], "django-ajax-utilities": [ { "advisory": "Django-ajax-utilities 1.2.9 includes a fix for CVE-2017-20182: This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument URL leads to cross-site scripting. The attack may be initiated remotely. \r\n#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.", "cve": "CVE-2017-20182", "id": "pyup.io-53607", "more_info_path": "/vulnerabilities/CVE-2017-20182/53607", "specs": [ "<1.2.9" ], "v": "<1.2.9" } ], "django-allauth": [ { "advisory": "Django-allauth before 0.28.0 contained a vulnerability allowing an attacker to alter the provider specific settings for 'SCOPE' and/or 'AUTH_PARAMS' (part of the larger 'SOCIALACCOUNT_PROVIDERS' setting). 
The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.\r\nhttps://github.com/pennersr/django-allauth/commit/492ba9739b323cb66ef4020259c1db2d49cb6526", "cve": "PVE-2021-25737", "id": "pyup.io-25737", "more_info_path": "/vulnerabilities/PVE-2021-25737/25737", "specs": [ "<0.28.0" ], "v": "<0.28.0" }, { "advisory": "Django-allauth 0.30.0 includes a fix for a Denial of Service vulnerability.\r\nhttps://github.com/pennersr/django-allauth/commit/8dc2f2d5cc3ce0e5e1b999129ceaa57ed4e75390", "cve": "PVE-2023-60621", "id": "pyup.io-60621", "more_info_path": "/vulnerabilities/PVE-2023-60621/60621", "specs": [ "<0.30.0" ], "v": "<0.30.0" }, { "advisory": "Django-allauth 0.33 includes a security fix: Leakage of password reset token on a third-party website through the Referer header.", "cve": "PVE-2023-99963", "id": "pyup.io-60878", "more_info_path": "/vulnerabilities/PVE-2023-99963/60878", "specs": [ "<0.33.0" ], "v": "<0.33.0" }, { "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", "cve": "PVE-2021-35034", "id": "pyup.io-35034", "more_info_path": "/vulnerabilities/PVE-2021-35034/35034", "specs": [ "<0.34.0" ], "v": "<0.34.0" }, { "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release. 
See CVE-2019-19844.", "cve": "CVE-2019-19844", "id": "pyup.io-37664", "more_info_path": "/vulnerabilities/CVE-2019-19844/37664", "specs": [ "<0.41.0" ], "v": "<0.41.0" }, { "advisory": "Django-allauth 0.47.0 adds a new setting 'SOCIALACCOUNT_LOGIN_ON_GET' that controls whether or not the endpoints for initiating a social login (for example, \"/accounts/google/login/\") require a POST request to initiate the handshake. As requiring a POST is more secure, the default of this new setting is 'False'. This is useful to prevent redirect attacks.", "cve": "PVE-2021-43274", "id": "pyup.io-43274", "more_info_path": "/vulnerabilities/PVE-2021-43274/43274", "specs": [ "<0.47.0" ], "v": "<0.47.0" }, { "advisory": "Django-allauth 0.54.0 includes a security fix: Even when account enumeration prevention was turned on, it was possible for an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.", "cve": "PVE-2023-54809", "id": "pyup.io-54809", "more_info_path": "/vulnerabilities/PVE-2023-54809/54809", "specs": [ "<0.54.0" ], "v": "<0.54.0" }, { "advisory": "Affected versions of Django-allauth are vulnerable to CSRF and replay attacks in the SAML login flow. RelayState was used to keep track of whether or not the login flow was IdP or SP initiated. 
As RelayState is a separate field, not part of the SAMLResponse payload, it was not signed, causing the vulnerability.", "cve": "PVE-2024-71301", "id": "pyup.io-71301", "more_info_path": "/vulnerabilities/PVE-2024-71301/71301", "specs": [ "<0.63.3" ], "v": "<0.63.3" }, { "advisory": "In Django-allauth, a vulnerability allows attackers to inject arbitrary JavaScript into the login page when configuring the Facebook provider to use the `js_sdk` method, potentially compromising user sessions or stealing sensitive information.", "cve": "PVE-2024-72155", "id": "pyup.io-72155", "more_info_path": "/vulnerabilities/PVE-2024-72155/72155", "specs": [ "<0.63.6" ], "v": "<0.63.6" } ], "django-allauth-underground": [ { "advisory": "Django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the provider specific settings for 'SCOPE' and/or 'AUTH_PARAMS' (part of the larger 'SOCIALACCOUNT_PROVIDERS' setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. 
You are not affected if you did not explicitly configure these settings.\r\nhttps://github.com/biwin/django-allauth-underground/commit/492ba9739b323cb66ef4020259c1db2d49cb6526", "cve": "PVE-2021-36394", "id": "pyup.io-36394", "more_info_path": "/vulnerabilities/PVE-2021-36394/36394", "specs": [ "<0.28.0" ], "v": "<0.28.0" } ], "django-allianceutils": [ { "advisory": "Django-allianceutils 2.1.0 uses a new URL pattern adopted by Django core to include a security fix.\r\nhttps://github.com/AllianceSoftware/django-allianceutils/commit/eb4b60c463d6da860591b0335506e88b69b366af", "cve": "CVE-2021-44420", "id": "pyup.io-43422", "more_info_path": "/vulnerabilities/CVE-2021-44420/43422", "specs": [ "<2.1.0" ], "v": "<2.1.0" } ], "django-anonymizer": [ { "advisory": "Django-anonymizer 0.4 changes 'Anonymizer.attributes' to require every field to be listed. This deals with the common security problem when a model is updated, but the Anonymizer is not updated.", "cve": "PVE-2021-25738", "id": "pyup.io-25738", "more_info_path": "/vulnerabilities/PVE-2021-25738/25738", "specs": [ "<0.4" ], "v": "<0.4" } ], "django-anymail": [ { "advisory": "In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.", "cve": "CVE-2018-6596", "id": "pyup.io-35178", "more_info_path": "/vulnerabilities/CVE-2018-6596/35178", "specs": [ "<1.4" ], "v": "<1.4" }, { "advisory": "Django-anymail version 1.4 includes a fix for CVE-2018-1000089: Anymail django-anymail version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value that can allow an attacker with access to error logs to fabricate email tracking events. 
If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app.\r\nhttps://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef", "cve": "CVE-2018-1000089", "id": "pyup.io-35198", "more_info_path": "/vulnerabilities/CVE-2018-1000089/35198", "specs": [ ">=0.2,<1.4" ], "v": ">=0.2,<1.4" } ], "django-appointment": [ { "advisory": "Django-appointment version 3.5.2 includes a security fix. The update changes the requests dependency requirement from version ~=2.31.0 to ~=2.32.1 across one directory in the pip group.", "cve": "CVE-2024-35195", "id": "pyup.io-71086", "more_info_path": "/vulnerabilities/CVE-2024-35195/71086", "specs": [ "<3.5.2" ], "v": "<3.5.2" } ], "django-appwrite": [ { "advisory": "Django-appwrite 1.3.0 replaces the user ID with JSON Web Tokens (JWT) in communication with the Appwrite server. This change prevents the potential risk of attempting to log in by generating random IDs.", "cve": "PVE-2023-53266", "id": "pyup.io-53266", "more_info_path": "/vulnerabilities/PVE-2023-53266/53266", "specs": [ "<1.3.0" ], "v": "<1.3.0" } ], "django-autocomplete-light": [ { "advisory": "In Django-autocomplete-light before 2.3.0, updating the queryset from outside the autocomplete class may lead to a security problem, i.e., if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.\r\nhttps://github.com/yourlabs/django-autocomplete-light/pull/494", "cve": "PVE-2021-25740", "id": "pyup.io-25740", "more_info_path": "/vulnerabilities/PVE-2021-25740/25740", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "django-autocomplete-light-bsc": [ { "advisory": "Django-autocomplete-light-bsc 2.3.0 watches changes to 'queryset'. 
Before, updating the queryset from outside the autocomplete class could lead to a security problem, i.e., if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.\r\nhttps://github.com/yourlabs/django-autocomplete-light/commit/3cbc4dc92d3bc902d11e3b29a7f9ea9cc3f8dcb7", "cve": "PVE-2021-34497", "id": "pyup.io-34497", "more_info_path": "/vulnerabilities/PVE-2021-34497/34497", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "django-awl": [ { "advisory": "Django-awl 0.23.1 updates minimum requirements for Django to v2.1.2 to include a security fix.", "cve": "CVE-2018-16984", "id": "pyup.io-36588", "more_info_path": "/vulnerabilities/CVE-2018-16984/36588", "specs": [ "<0.23.1" ], "v": "<0.23.1" }, { "advisory": "Django-awl 1.0 updates the minimum requirements for Django to versions 2.2.10 and 3.0 to include security fixes.", "cve": "CVE-2019-3498", "id": "pyup.io-38139", "more_info_path": "/vulnerabilities/CVE-2019-3498/38139", "specs": [ "<1.0" ], "v": "<1.0" }, { "advisory": "Django-awl 1.0 updates the minimum requirements for Django to versions 2.2.10 and 3.0 to include security fixes.", "cve": "CVE-2019-6975", "id": "pyup.io-43689", "more_info_path": "/vulnerabilities/CVE-2019-6975/43689", "specs": [ "<1.0" ], "v": "<1.0" } ], "django-aws-api-gateway-websockets": [ { "advisory": "Django-aws-api-gateway-websockets 1.0.17 updates its sqlparse dependency to version 0.5.0 to address a security vulnerability, CVE-2024-4340.", "cve": "CVE-2024-4340", "id": "pyup.io-71961", "more_info_path": "/vulnerabilities/CVE-2024-4340/71961", "specs": [ "<1.0.17" ], "v": "<1.0.17" }, { "advisory": "Django-aws-api-gateway-websockets 1.0.19 updates its dependency 'urllib3' to versions >=2.2.2 to include a security fix.", "cve": "CVE-2024-37891", "id": "pyup.io-72187", "more_info_path": "/vulnerabilities/CVE-2024-37891/72187", "specs": [ 
"<1.0.19" ], "v": "<1.0.19" } ], "django-axes": [ { "advisory": "Django-axes 5.20.0 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/jazzband/django-axes/commit/93341a4d04dbb1772e5f9508789f2816e08db789", "cve": "PVE-2023-60088", "id": "pyup.io-60088", "more_info_path": "/vulnerabilities/PVE-2023-60088/60088", "specs": [ "<5.20.0" ], "v": "<5.20.0" } ], "django-background-tasks": [ { "advisory": "Django-background-tasks resolves database race conditions during multi-threading in affected versions by assigning individual database connections to each thread. Unused database connections are now properly closed when a thread starts and when it terminates.", "cve": "PVE-2024-72679", "id": "pyup.io-72679", "more_info_path": "/vulnerabilities/PVE-2024-72679/72679", "specs": [ "<1.1.6" ], "v": "<1.1.6" } ], "django-basic-auth-ip-whitelist": [ { "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.", "cve": "CVE-2020-4071", "id": "pyup.io-38438", "more_info_path": "/vulnerabilities/CVE-2020-4071/38438", "specs": [ "<0.3.4" ], "v": "<0.3.4" } ], "django-basicauth": [ { "advisory": "Django-basicauth before 0.4.2 is vulnerable to timing attacks.\r\nhttps://github.com/hirokiky/django-basicauth/commit/94ba948c5f6b8b2543570bda4c8f73737f249971", "cve": "PVE-2021-35076", "id": "pyup.io-35076", "more_info_path": "/vulnerabilities/PVE-2021-35076/35076", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "django-bootstrap-icons": [ { "advisory": "Django-bootstrap-icons 0.8.6 includes a fix for an XXE vulnerability.\r\nhttps://github.com/christianwgd/django-bootstrap-icons/commit/82c613ddc5b86c09265941198a04c17fab2aa82f\r\nhttps://github.com/christianwgd/django-bootstrap-icons/commit/fe697fee238271cf2bbae0da3842235ca8fb9271#diff-876bde05b2ccdc8dfd807690f323652f60ac2f737bf19babdc00f78ea7d9c0e4R4", "cve": "PVE-2023-62660", "id": "pyup.io-62660", "more_info_path": "/vulnerabilities/PVE-2023-62660/62660", "specs": 
[ "<0.8.6,>=0.6.0" ], "v": "<0.8.6,>=0.6.0" } ], "django-bootstrap4": [ { "advisory": "Django-bootstrap4 2.3.0 updates its dependency 'Django' to v3.1.2 to include security fixes.", "cve": "CVE-2020-24583", "id": "pyup.io-38870", "more_info_path": "/vulnerabilities/CVE-2020-24583/38870", "specs": [ "<2.3.0" ], "v": "<2.3.0" }, { "advisory": "Django-bootstrap4 2.3.0 updates its dependency 'Django' to v3.1.2 to include security fixes.", "cve": "CVE-2020-24584", "id": "pyup.io-43711", "more_info_path": "/vulnerabilities/CVE-2020-24584/43711", "specs": [ "<2.3.0" ], "v": "<2.3.0" } ], "django-buckets": [ { "advisory": "Django-buckets 0.1.20 updates its dependency 'Django' to v1.10.7 to include security fixes.", "cve": "CVE-2017-7234", "id": "pyup.io-47182", "more_info_path": "/vulnerabilities/CVE-2017-7234/47182", "specs": [ "<0.1.20" ], "v": "<0.1.20" }, { "advisory": "Django-buckets 0.1.20 updates its dependency 'Django' to v1.10.7 to include security fixes.", "cve": "CVE-2017-7233", "id": "pyup.io-48154", "more_info_path": "/vulnerabilities/CVE-2017-7233/48154", "specs": [ "<0.1.20" ], "v": "<0.1.20" } ], "django-ca": [ { "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.", "cve": "PVE-2021-37015", "id": "pyup.io-37015", "more_info_path": "/vulnerabilities/PVE-2021-37015/37015", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, { "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Django 'SESSION_COOKIE_SECURE', 'CSRF_COOKIE_HTTPONLY' and 'CSRF_COOKIE_SECURE' settings. 
Before, it used unsafe defaults.", "cve": "PVE-2021-39375", "id": "pyup.io-39375", "more_info_path": "/vulnerabilities/PVE-2021-39375/39375", "specs": [ "<1.17.0" ], "v": "<1.17.0" }, { "advisory": "Django-ca version 1.19.0 fetches only the expected number of bytes when validating ACME challenges via HTTP to prevent DoS attacks.", "cve": "PVE-2021-42088", "id": "pyup.io-42088", "more_info_path": "/vulnerabilities/PVE-2021-42088/42088", "specs": [ "<1.19.0" ], "v": "<1.19.0" }, { "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.", "cve": "PVE-2021-36405", "id": "pyup.io-36405", "more_info_path": "/vulnerabilities/PVE-2021-36405/36405", "specs": [ "<1.9.0" ], "v": "<1.9.0" } ], "django-cacheops": [ { "advisory": "Django-cacheops 4.0.6 includes a security fix: Catastrophic backtracking in template extensions.\r\nhttps://github.com/Suor/django-cacheops/commit/adba2dc9908c50157d417fd7564669c11ed23b2a", "cve": "PVE-2023-61998", "id": "pyup.io-61998", "more_info_path": "/vulnerabilities/PVE-2023-61998/61998", "specs": [ "<4.0.6" ], "v": "<4.0.6" } ], "django-cas-server": [ { "advisory": "Django-cas-server 0.9.0 fixes an XSS vulnerability.\r\nhttps://github.com/nitmir/django-cas-server/commit/971cde093ce5af5aac9ced93c85b92c40e6e5665", "cve": "PVE-2022-51465", "id": "pyup.io-51465", "more_info_path": "/vulnerabilities/PVE-2022-51465/51465", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-celery-results": [ { "advisory": "Django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. 
See CVE-2020-17495.", "cve": "CVE-2020-17495", "id": "pyup.io-38678", "more_info_path": "/vulnerabilities/CVE-2020-17495/38678", "specs": [ "<=1.2.1" ], "v": "<=1.2.1" } ], "django-cms": [ { "advisory": "Django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin that allowed any active staff user to add, edit and delete any plugin.", "cve": "PVE-2021-25741", "id": "pyup.io-25741", "more_info_path": "/vulnerabilities/PVE-2021-25741/25741", "specs": [ "<2.1.3" ], "v": "<2.1.3" }, { "advisory": "Django-cms 2.1.4 fixes an XSS issue in Text Plugins.\r\nhttps://github.com/django-cms/django-cms/commit/9ca7738bc1cef827765589c5b254810370a0fc0b", "cve": "PVE-2021-25742", "id": "pyup.io-25742", "more_info_path": "/vulnerabilities/PVE-2021-25742/25742", "specs": [ "<2.1.4" ], "v": "<2.1.4" }, { "advisory": "Django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability.\r\nhttps://github.com/django-cms/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a", "cve": "PVE-2021-25743", "id": "pyup.io-25743", "more_info_path": "/vulnerabilities/PVE-2021-25743/25743", "specs": [ "<3.0.14" ], "v": "<3.0.14" }, { "advisory": "Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors.", "cve": "CVE-2015-5081", "id": "pyup.io-35628", "more_info_path": "/vulnerabilities/CVE-2015-5081/35628", "specs": [ "<3.0.14", ">3.1,<3.1.1" ], "v": "<3.0.14,>3.1,<3.1.1" }, { "advisory": "Django-cms 3.2.4 and 3.1.6 address security concerns in render_model* tags.\r\nhttps://github.com/django-cms/django-cms/commit/370d322e320cada60affedb98721b550a8517e5f", "cve": "PVE-2021-25746", "id": "pyup.io-25746", "more_info_path": "/vulnerabilities/PVE-2021-25746/25746", "specs": [ "<3.1.6", ">=3.2.0,<3.2.4" ], "v": "<3.1.6,>=3.2.0,<3.2.4" }, { "advisory": 
"Django-cms 3.3.4 and 3.4.3 fix a vulnerability where the 'next' parameter for the toolbar login was not sanitized and could point to another domain.\r\nhttps://github.com/django-cms/django-cms/commit/9497bfe341ca1314b2ef51cbd1e7404aa12de19a", "cve": "PVE-2022-49495", "id": "pyup.io-49495", "more_info_path": "/vulnerabilities/PVE-2022-49495/49495", "specs": [ "<3.3.4", ">=3.4.0,<3.4.3" ], "v": "<3.3.4,>=3.4.0,<3.4.3" }, { "advisory": "Django-cms 3.3.4 and 3.4.3 fix a security vulnerability in the page redirect field which allowed users to insert JavaScript code.\r\nhttps://github.com/django-cms/django-cms/commit/c77e6df6fe9454b70bcfe5dea522c1bf145e14e5", "cve": "PVE-2021-34226", "id": "pyup.io-34226", "more_info_path": "/vulnerabilities/PVE-2021-34226/34226", "specs": [ "<3.3.4", ">=3.4.0,<3.4.3" ], "v": "<3.3.4,>=3.4.0,<3.4.3" }, { "advisory": "Django-cms versions 3.7.4, 3.6.1, 3.5.4 and 3.4.7 include a fix for CVE-2021-44649: Django CMS 3.7.3 and prior does not validate the plugin_type parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. 
The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user.\r\nhttps://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability\r\nhttps://www.django-cms.org/en/blog/2020/07/22/django-cms-security-updates-1", "cve": "CVE-2021-44649", "id": "pyup.io-44516", "more_info_path": "/vulnerabilities/CVE-2021-44649/44516", "specs": [ "<3.4.7", ">=3.5.0a0,<3.5.4", ">=3.6.0a0,<3.6.1", ">=3.7.0a0,<3.7.4" ], "v": "<3.4.7,>=3.5.0a0,<3.5.4,>=3.6.0a0,<3.6.1,>=3.7.0a0,<3.7.4" }, { "advisory": "Django-cms 3.5.3 fixes an incorrect handling of permissions.\r\nhttps://github.com/django-cms/django-cms/issues/6335", "cve": "PVE-2022-44745", "id": "pyup.io-44745", "more_info_path": "/vulnerabilities/PVE-2022-44745/44745", "specs": [ "<3.5.3" ], "v": "<3.5.3" }, { "advisory": "Django-cms 4.0 includes a security enhancement to prevent JavaScript injection in the admin add plugin URL.", "cve": "PVE-2024-70718", "id": "pyup.io-70718", "more_info_path": "/vulnerabilities/PVE-2024-70718/70718", "specs": [ "<4.0" ], "v": "<4.0" } ], "django-cms-patched": [ { "advisory": "Django-cms-patched 2.3.5 is vulnerable to CVE-2021-44649.", "cve": "CVE-2021-44649", "id": "pyup.io-34123", "more_info_path": "/vulnerabilities/CVE-2021-44649/34123", "specs": [ "<3.0.17" ], "v": "<3.0.17" }, { "advisory": "Django-cms-patched 2.3.5 is vulnerable to CVE-2015-5081.", "cve": "CVE-2015-5081", "id": "pyup.io-34121", "more_info_path": "/vulnerabilities/CVE-2015-5081/34121", "specs": [ "<3.4.3" ], "v": "<3.4.3" } ], "django-codenerix": [ { "advisory": "Django-codenerix 4.0.10 updates its 'Django' requirement to '>=4.0.6' to include a security fix.", "cve": "CVE-2022-34265", "id": "pyup.io-50137", "more_info_path": "/vulnerabilities/CVE-2022-34265/50137", "specs": [ "<4.0.10" ], "v": "<4.0.10" } ], "django-cors-headers": [ { "advisory": "Django-cors-headers version 3.0.0 fixes a security issue where the CORS middleware would allow requests between 
schemes, for example from insecure 'http://' origins to a secure 'https://' site. Now you will need to update your whitelist to include schemes, for example from this:\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\nto this:\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']\r\nhttps://github.com/adamchainz/django-cors-headers/issues/259", "cve": "PVE-2021-37132", "id": "pyup.io-37132", "more_info_path": "/vulnerabilities/PVE-2021-37132/37132", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "django-councilmatic": [ { "advisory": "Django-councilmatic 2.5.9 patches an XSS vulnerability when using filter options. \r\nhttps://github.com/datamade/django-councilmatic/issues/270\r\nhttps://github.com/datamade/django-councilmatic/pull/271", "cve": "PVE-2021-38708", "id": "pyup.io-38708", "more_info_path": "/vulnerabilities/PVE-2021-38708/38708", "specs": [ "<2.5.9" ], "v": "<2.5.9" } ], "django-countries": [ { "advisory": "Django-countries 3.4 fixes an escaping issue in CountrySelectWidget that could lead to XSS.\r\nhttps://github.com/SmileyChris/django-countries/commit/1ed7c6763d890d00f32242202b424709e8668d5a", "cve": "PVE-2021-25747", "id": "pyup.io-25747", "more_info_path": "/vulnerabilities/PVE-2021-25747/25747", "specs": [ "<3.4" ], "v": "<3.4" } ], "django-crispy-forms": [ { "advisory": "This package has a vulnerability that can lead to the unintentional disclosure of information in multithreaded WSGI servers. This vulnerability can occur between requests.", "cve": "PVE-2023-99935", "id": "pyup.io-61880", "more_info_path": "/vulnerabilities/PVE-2023-99935/61880", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Django-crispy-forms 1.1.4 fixes a thread safety issue with 'CrispyFieldNode'. 
This avoids leaking information between requests in multithreaded WSGI servers.", "cve": "PVE-2021-25751", "id": "pyup.io-25751", "more_info_path": "/vulnerabilities/PVE-2021-25751/25751", "specs": [ "<1.1.4" ], "v": "<1.1.4" }, { "advisory": "Versions of django-crispy-forms are susceptible to cross-site scripting (XSS) attacks, which involve attackers injecting malicious scripts into web applications to bypass the browser's Same Origin Policy, potentially leading to session hijacking, sensitive information exposure, or malware delivery. XSS attacks can be categorized into stored, reflected, DOM-based, and mutated types, each representing different methods of executing attack vectors. To mitigate XSS vulnerabilities, it is essential to sanitize input data, encode special characters, disable client-side scripts when possible, redirect invalid requests, monitor for simultaneous logins, implement a strict Content Security Policy, and thoroughly review the security documentation of used libraries. These practices help secure web applications against XSS by validating or escaping user input before it is processed or displayed by the web application.", "cve": "PVE-2024-99813", "id": "pyup.io-65971", "more_info_path": "/vulnerabilities/PVE-2024-99813/65971", "specs": [ ">=0,<0.9.0" ], "v": ">=0,<0.9.0" } ], "django-crm": [ { "advisory": "MicroPyramid Django-CRM 0.2 does not use CSRF token for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.", "cve": "CVE-2018-16552", "id": "pyup.io-36440", "more_info_path": "/vulnerabilities/CVE-2018-16552/36440", "specs": [ "<=0.2" ], "v": "<=0.2" }, { "advisory": "Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/. 
See: CVE-2019-11457.", "cve": "CVE-2019-11457", "id": "pyup.io-37416", "more_info_path": "/vulnerabilities/CVE-2019-11457/37416", "specs": [ "==0.2.1" ], "v": "==0.2.1" } ], "django-dajaxice-ng": [ { "advisory": "Django-dajaxice-ng 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.\r\nhttps://github.com/ifanrx/django-dajaxice/commit/cd56cde9d9f4f0bea56e97fe86513553669ad187", "cve": "PVE-2021-25753", "id": "pyup.io-25753", "more_info_path": "/vulnerabilities/PVE-2021-25753/25753", "specs": [ "<0.1.7" ], "v": "<0.1.7" } ], "django-debug-toolbar": [ { "advisory": "A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. See CVE-2021-30459.", "cve": "CVE-2021-30459", "id": "pyup.io-40207", "more_info_path": "/vulnerabilities/CVE-2021-30459/40207", "specs": [ "<1.11.1", ">2,<2.2.1", ">3,<3.2.1" ], "v": "<1.11.1,>2,<2.2.1,>3,<3.2.1" } ], "django-descope": [ { "advisory": "Django-descope 1.3.0 updates its dependency 'django' to v4.2.3 to include a security fix.", "cve": "CVE-2023-36053", "id": "pyup.io-61641", "more_info_path": "/vulnerabilities/CVE-2023-36053/61641", "specs": [ "<1.3.0" ], "v": "<1.3.0" }, { "advisory": "Django-descope 1.4.0 updates its dependency 'black' to include a security fix.", "cve": "CVE-2024-21503", "id": "pyup.io-72706", "more_info_path": "/vulnerabilities/CVE-2024-21503/72706", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "django-discord-bind": [ { "advisory": "django-discord-bind 0.2.0 added state validation to prevent CSRF attacks.", "cve": "PVE-2021-25754", "id": "pyup.io-25754", "more_info_path": "/vulnerabilities/PVE-2021-25754/25754", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "django-djet2": [ { "advisory": "Django-djet2 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) 
without permissions.\r\nhttps://github.com/djungle-io/django-djet2/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", "cve": "PVE-2022-51366", "id": "pyup.io-51366", "more_info_path": "/vulnerabilities/PVE-2022-51366/51366", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-dsfr": [ { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", "cve": "CVE-2022-23833", "id": "pyup.io-45309", "more_info_path": "/vulnerabilities/CVE-2022-23833/45309", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", "cve": "CVE-2021-45452", "id": "pyup.io-45310", "more_info_path": "/vulnerabilities/CVE-2021-45452/45310", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", "cve": "CVE-2021-45116", "id": "pyup.io-45311", "more_info_path": "/vulnerabilities/CVE-2021-45116/45311", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", "cve": "CVE-2022-22818", "id": "pyup.io-45292", "more_info_path": "/vulnerabilities/CVE-2022-22818/45292", "specs": [ "<0.6.2" ], "v": "<0.6.2" }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", "cve": "CVE-2021-45115", "id": "pyup.io-45312", "more_info_path": "/vulnerabilities/CVE-2021-45115/45312", "specs": [ "<0.6.2" ], "v": "<0.6.2" } ], "django-dynamic-breadcrumbs": [ { "advisory": "Django-dynamic-breadcrumbs 0.4.3 includes a fix for a potential XSS vulnerability.\r\nhttps://github.com/marcanuy/django-dynamic-breadcrumbs/pull/6", "cve": "PVE-2023-61314", "id": "pyup.io-61314", "more_info_path": "/vulnerabilities/PVE-2023-61314/61314", "specs": [ "<0.4.3" ], "v": "<0.4.3" } ], "django-embed-video": [ { "advisory": "Django-embed-video 0.3 treats faked urls as 
invalid.\r\nhttps://github.com/jazzband/django-embed-video/commit/d0d357b767e324a7cc21b5035357fdfbc7c8ce8e", "cve": "PVE-2021-25755", "id": "pyup.io-25755", "more_info_path": "/vulnerabilities/PVE-2021-25755/25755", "specs": [ "<0.3" ], "v": "<0.3" }, { "advisory": "This package is susceptible to Open Redirect attacks as it lacks the mechanism for detecting counterfeit URLs.", "cve": "PVE-2023-99934", "id": "pyup.io-61885", "more_info_path": "/vulnerabilities/PVE-2023-99934/61885", "specs": [ "<0.3" ], "v": "<0.3" } ], "django-envelope": [ { "advisory": "Django-envelope 0.4.1 fixes an information disclosure vulnerability. If django-envelope prefilled forms, all non-logged in users could see pre-filled data.\r\nhttps://github.com/zsiciarz/django-envelope/pull/7", "cve": "PVE-2021-25756", "id": "pyup.io-25756", "more_info_path": "/vulnerabilities/PVE-2021-25756/25756", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "django-epiced": [ { "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.", "cve": "PVE-2021-34269", "id": "pyup.io-34269", "more_info_path": "/vulnerabilities/PVE-2021-34269/34269", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-epiceditor": [ { "advisory": "There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.", "cve": "CVE-2017-6591", "id": "pyup.io-35735", "more_info_path": "/vulnerabilities/CVE-2017-6591/35735", "specs": [ "<=0.2.3" ], "v": "<=0.2.3" } ], "django-error-report-2": [ { "advisory": "Django-error-report-2 0.4.2 includes a fix for a CSRF vulnerability.\r\nhttps://github.com/matmair/django-error-report-2/pull/6", "cve": "PVE-2023-60231", "id": "pyup.io-60231", "more_info_path": "/vulnerabilities/PVE-2023-60231/60231", "specs": [ "<0.4.2" ], "v": "<0.4.2" } ], "django-fernet-fields": [ { "advisory": "Django-fernet-fields 0.3 removes DualField and HashField. 
The only cases where they are useful, they aren't secure.\r\nhttps://github.com/orcasgit/django-fernet-fields/commit/b2c5fbf3eff53b2f19f116d626bc2496922882c2", "cve": "PVE-2021-25757", "id": "pyup.io-25757", "more_info_path": "/vulnerabilities/PVE-2021-25757/25757", "specs": [ "<0.3" ], "v": "<0.3" } ], "django-fiber": [ { "advisory": "Django-fiber 0.9.9.1 changes permission check in API from IsAuthenticated to IsAdminUser.\r\nhttps://github.com/django-fiber/django-fiber/commit/3c362920e5624fc457b5c74fd51d459340a74dd0", "cve": "PVE-2021-25758", "id": "pyup.io-25758", "more_info_path": "/vulnerabilities/PVE-2021-25758/25758", "specs": [ "<0.9.9.1" ], "v": "<0.9.9.1" } ], "django-file-form": [ { "advisory": "Django-file-form 3.1.1 adds cross-site request forgery protection to tus uploads using the standard Django CSRF token.\r\nhttps://github.com/mbraak/django-file-form/commit/de5180dbc12daec70e24a70054ed6334656b3ea6", "cve": "PVE-2022-49240", "id": "pyup.io-49240", "more_info_path": "/vulnerabilities/PVE-2022-49240/49240", "specs": [ "<3.1.1" ], "v": "<3.1.1" }, { "advisory": "Django-file-form 3.2.3 fixes a security issue: uncontrolled data used in path expression.\r\nhttps://github.com/mbraak/django-file-form/commit/4f5e5d724963de8a5282bfe936822108b2df4c29", "cve": "PVE-2022-49239", "id": "pyup.io-49239", "more_info_path": "/vulnerabilities/PVE-2022-49239/49239", "specs": [ "<3.2.3" ], "v": "<3.2.3" } ], "django-filer": [ { "advisory": "Django-filer 3.0.0rc1 includes a fix for a XSS vulnerability.\r\nhttps://github.com/django-cms/django-filer/pull/1364", "cve": "PVE-2023-59208", "id": "pyup.io-59208", "more_info_path": "/vulnerabilities/PVE-2023-59208/59208", "specs": [ "<3.0.0rc1" ], "v": "<3.0.0rc1" }, { "advisory": "Django-filer 3.0.0rc1 includes a fix for a Broken Access Control vulnerability. The staff user without proper permissions cannot browse the filer's folder structure, list files in a folder, add files, and move files and folders by this fix. 
Also, non-root users only see their own files in unsorted uploads and it shows uncategorized files to the owner or superuser if permissions are active.\r\nhttps://github.com/django-cms/django-filer/pull/1352\r\nhttps://github.com/django-cms/django-filer/commit/43434f7c60320dcfa719742ab84fbe2cfcffb6f1", "cve": "PVE-2023-59514", "id": "pyup.io-59514", "more_info_path": "/vulnerabilities/PVE-2023-59514/59514", "specs": [ "<3.0.0rc1" ], "v": "<3.0.0rc1" } ], "django-filter": [ { "advisory": "Django-filter 2.4.0 includes a fix for CVE-2020-15225: In django-filter before version 2.4.0, automatically generated 'NumberFilter' instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a 'MaxValueValidator' with a default 'limit_value' of 1e50 to the form field used by 'NumberFilter' instances. In addition, 'NumberFilter' implements the new 'get_max_validator()' which should return a configured validator instance to customise the limit, or else 'None' to disable the additional validation. 
Users may manually apply an equivalent validator if they are not able to upgrade.\r\nhttps://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973", "cve": "CVE-2020-15225", "id": "pyup.io-40317", "more_info_path": "/vulnerabilities/CVE-2020-15225/40317", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "django-formidable": [ { "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.\r\nhttps://github.com/peopledoc/django-formidable/pull/378/commits/e6e5392823e78bb17259b1d4ed45182e34c13dd7", "cve": "PVE-2021-37875", "id": "pyup.io-37875", "more_info_path": "/vulnerabilities/PVE-2021-37875/37875", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "django-friendship": [ { "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.\r\nhttps://github.com/revsys/django-friendship/commit/b522463cb5a04240b1aeb1b7c06559fa1450ab4a", "cve": "PVE-2021-25762", "id": "pyup.io-25762", "more_info_path": "/vulnerabilities/PVE-2021-25762/25762", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "django-froala-editor": [ { "advisory": "Django-froala-editor 4.0.11 fixes XSS vulnerability in [insert video].", "cve": "PVE-2022-48522", "id": "pyup.io-48522", "more_info_path": "/vulnerabilities/PVE-2022-48522/48522", "specs": [ "<4.0.11" ], "v": "<4.0.11" }, { "advisory": "Django-froala-editor 4.0.8 fixed high level security vulnerability in dependent packages for Node.", "cve": "PVE-2021-43580", "id": "pyup.io-43580", "more_info_path": "/vulnerabilities/PVE-2021-43580/43580", "specs": [ "<4.0.8" ], "v": "<4.0.8" }, { "advisory": "A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows attackers to execute arbitrary code via the Markdown component.\r\nhttps://github.com/b0marek/CVE-2023-43263", "cve": "CVE-2023-43263", "id": "pyup.io-62989", "more_info_path": "/vulnerabilities/CVE-2023-43263/62989", "specs": [ "<4.1.1" ], "v": "<4.1.1" }, { "advisory": "Django 
Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.\r\nhttps://hacker.soarescorp.com/cve/2023-41592/", "cve": "CVE-2023-41592", "id": "pyup.io-62734", "more_info_path": "/vulnerabilities/CVE-2023-41592/62734", "specs": [ "<4.1.1" ], "v": "<4.1.1" }, { "advisory": "Django-froala-editor 4.1.3 fixes a vulnerability in the link textarea.", "cve": "PVE-2023-61962", "id": "pyup.io-61962", "more_info_path": "/vulnerabilities/PVE-2023-61962/61962", "specs": [ "<4.1.3" ], "v": "<4.1.3" }, { "advisory": "Affected versions of django-froala-editor are vulnerable to Cross-Site Scripting (XSS) due to CVE-2023-41592 in the underlying Froala WYSIWYG editor.", "cve": "CVE-2023-41592", "id": "pyup.io-73017", "more_info_path": "/vulnerabilities/CVE-2023-41592/73017", "specs": [ "<4.2.2" ], "v": "<4.2.2" } ], "django-gar": [ { "advisory": "Affected versions of django_gar are vulnerable to Cross-site Scripting (XSS): CWE-79 and XML External Entity (XXE) Injection: CWE-611. The attack vectors involve the unsafe rendering of HTML content using mark_safe and insecure XML parsing with xml.etree.ElementTree. Vulnerable methods include those in admin.py that render HTML without proper escaping and functions in middleware.py and signals/handlers.py that parse XML without disabling external entities. Attackers can exploit these vulnerabilities by injecting malicious content into fields that are rendered or parsed by the application. 
To mitigate these issues, users should update to the latest version of django_gar where format_html and defusedxml are used to securely handle HTML and XML content.", "cve": "PVE-2024-73658", "id": "pyup.io-73658", "more_info_path": "/vulnerabilities/PVE-2024-73658/73658", "specs": [ "<2.12.0" ], "v": "<2.12.0" } ], "django-grappelli": [ { "advisory": "Django-grappelli 2.15.2 includes a fix for CVE-2021-46898: views/switch.py in django-grappelli before 2.15.2 attempts to prevent external redirection with startswith(\"/\") but this does not consider a protocol-relative URL (e.g., //example.com) attack.\r\nhttps://github.com/sehmaschine/django-grappelli/issues/975", "cve": "CVE-2021-46898", "id": "pyup.io-61968", "more_info_path": "/vulnerabilities/CVE-2021-46898/61968", "specs": [ "<2.15.2" ], "v": "<2.15.2" }, { "advisory": "Django-grappelli version 3.0.4 updates its grunt dependency to version 1.5.3 to address a path traversal vulnerability identified in CVE-2022-0436, which affects versions prior to 1.5.2.", "cve": "CVE-2022-0436", "id": "pyup.io-70378", "more_info_path": "/vulnerabilities/CVE-2022-0436/70378", "specs": [ "<3.0.4" ], "v": "<3.0.4" }, { "advisory": "Django-grappelli version 3.0.4 has updated its grunt dependency to version 1.5.3. 
This update addresses a race condition vulnerability identified in CVE-2022-1537, which impacts versions prior to 1.5.2.", "cve": "CVE-2022-1537", "id": "pyup.io-70380", "more_info_path": "/vulnerabilities/CVE-2022-1537/70380", "specs": [ "<3.0.4" ], "v": "<3.0.4" } ], "django-guts": [ { "advisory": "Django-guts 0.1.1 fixes a security issue that allowed anyone to read any file.\r\nhttps://github.com/svetlyak40wt/django-guts/commit/2ee837eda79aaa7f957482f6cfd485863179fd8b", "cve": "PVE-2021-25763", "id": "pyup.io-25763", "more_info_path": "/vulnerabilities/PVE-2021-25763/25763", "specs": [ "<0.1.1" ], "v": "<0.1.1" } ], "django-hashedfilenamestorage": [ { "advisory": "Django-hashedfilenamestorage 2.4 updates Django dependency requirement to >=2.0.8 to include security fixes.", "cve": "CVE-2018-14574", "id": "pyup.io-36802", "more_info_path": "/vulnerabilities/CVE-2018-14574/36802", "specs": [ "<2.4" ], "v": "<2.4" }, { "advisory": "Django-hashedfilenamestorage 2.4 updates Django dependency requirement to >=2.0.8 to include security fixes.", "cve": "CVE-2018-7537", "id": "pyup.io-43734", "more_info_path": "/vulnerabilities/CVE-2018-7537/43734", "specs": [ "<2.4" ], "v": "<2.4" } ], "django-hashid-field": [ { "advisory": "Django-hashid-field 1.0.0 fixes a security issue. It has been pointed out that it's possible to discover the salt used when encoding Hashids. 
Thereby, it is very dangerous to use settings.SECRET_KEY, as an attacker may be able to get SECRET_KEY from HashidFields.\r\nhttps://github.com/nshafer/django-hashid-field/commit/3e3017367d569c08de49f7b0c9fe1e06e9cb7114", "cve": "PVE-2021-38508", "id": "pyup.io-38508", "more_info_path": "/vulnerabilities/PVE-2021-38508/38508", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.\r\nhttps://github.com/nshafer/django-hashid-field/commit/2a0be45333c5a700bbba0e15533ff8dce589e956", "cve": "PVE-2021-37680", "id": "pyup.io-37680", "more_info_path": "/vulnerabilities/PVE-2021-37680/37680", "specs": [ "<3.1.1" ], "v": "<3.1.1" } ], "django-haystack": [ { "advisory": "Django-haystack 1.1 removes insecure use of 'eval' from the Whoosh backend.\r\nhttps://github.com/django-haystack/django-haystack/commit/e0dc369cc12621df51bc8f807ff5ef728131e6ea", "cve": "PVE-2021-25764", "id": "pyup.io-25764", "more_info_path": "/vulnerabilities/PVE-2021-25764/25764", "specs": [ "<1.1" ], "v": "<1.1" }, { "advisory": "Django-Haystack before 1.1 is vulnerable to a potential timing attack due to a race condition. 
This vulnerability arises because Django does not provide a method to verify if the site is fully loaded, necessitating an explicit call to the SearchQuerySet's initialization function to ensure site loading.\r\nhttps://github.com/django-haystack/django-haystack/commit/1b1b986890b5cb330b0b8a963b090e9b831c198c", "cve": "PVE-2024-99791", "id": "pyup.io-66024", "more_info_path": "/vulnerabilities/PVE-2024-99791/66024", "specs": [ ">=0,<1.1" ], "v": ">=0,<1.1" } ], "django-heartbeat": [ { "advisory": "Django-heartbeat 2.0.3 updates its dependency 'psutil' to v5.7.0 to include a security fix.", "cve": "CVE-2019-18874", "id": "pyup.io-38604", "more_info_path": "/vulnerabilities/CVE-2019-18874/38604", "specs": [ "<2.0.3" ], "v": "<2.0.3" } ], "django-helpdesk": [ { "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3950: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site Scripting').\r\nhttps://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60", "cve": "CVE-2021-3950", "id": "pyup.io-42743", "more_info_path": "/vulnerabilities/CVE-2021-3950/42743", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Django-helpdesk 0.3.1 includes a fix for CVE-2021-3945: Django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').\r\nhttps://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30\r\nhttps://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4", "cve": "CVE-2021-3945", "id": "pyup.io-42683", "more_info_path": "/vulnerabilities/CVE-2021-3945/42683", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Django-helpdesk 0.3.2 includes a fix for CVE-2021-3994: Django-helpdesk is vulnerable to improper neutralization of input during web page generation ('Cross-site 
Scripting').\r\nhttps://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd", "cve": "CVE-2021-3994", "id": "pyup.io-42766", "more_info_path": "/vulnerabilities/CVE-2021-3994/42766", "specs": [ "<0.3.2" ], "v": "<0.3.2" } ], "django-hijack": [ { "advisory": "Django-hijack before 1.0.7 fixes a HTML injection vulnerability in admin.\r\nhttps://github.com/django-hijack/django-hijack/commit/4ad17c88629fed8bfad93e3c0a59ee3792c61ca4", "cve": "PVE-2021-25765", "id": "pyup.io-25765", "more_info_path": "/vulnerabilities/PVE-2021-25765/25765", "specs": [ "<1.0.7" ], "v": "<1.0.7" } ], "django-howl": [ { "advisory": "Django-howl 1.0.4 updates Django to v2.2.2 to include a security fix.", "cve": "CVE-2019-12308", "id": "pyup.io-37240", "more_info_path": "/vulnerabilities/CVE-2019-12308/37240", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'urllib3' to v1.25.8 to include a security fix.", "cve": "CVE-2020-7212", "id": "pyup.io-43659", "more_info_path": "/vulnerabilities/CVE-2020-7212/43659", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2020-9402", "id": "pyup.io-38069", "more_info_path": "/vulnerabilities/CVE-2020-9402/38069", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2020-7471", "id": "pyup.io-43651", "more_info_path": "/vulnerabilities/CVE-2020-7471/43651", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-19844", "id": "pyup.io-43652", "more_info_path": "/vulnerabilities/CVE-2019-19844/43652", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-14234", "id": "pyup.io-43654", 
"more_info_path": "/vulnerabilities/CVE-2019-14234/43654", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-14235", "id": "pyup.io-43657", "more_info_path": "/vulnerabilities/CVE-2019-14235/43657", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-14233", "id": "pyup.io-43655", "more_info_path": "/vulnerabilities/CVE-2019-14233/43655", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-12781", "id": "pyup.io-43658", "more_info_path": "/vulnerabilities/CVE-2019-12781/43658", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-19118", "id": "pyup.io-43653", "more_info_path": "/vulnerabilities/CVE-2019-19118/43653", "specs": [ "<1.0.5" ], "v": "<1.0.5" }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-14232", "id": "pyup.io-43656", "more_info_path": "/vulnerabilities/CVE-2019-14232/43656", "specs": [ "<1.0.5" ], "v": "<1.0.5" } ], "django-html5-appcache": [ { "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.", "cve": "PVE-2021-25766", "id": "pyup.io-25766", "more_info_path": "/vulnerabilities/PVE-2021-25766/25766", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-idempotency-key": [ { "advisory": "Django-idempotency-key 1.1.0 updates the minimum version of its dependency 'bleach' to v3.1.4 to include a security fix.", "cve": "CVE-2020-6817", "id": "pyup.io-42975", "more_info_path": "/vulnerabilities/CVE-2020-6817/42975", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for 
Django 1.x as it reached end of life.", "cve": "CVE-2021-33203", "id": "pyup.io-38162", "more_info_path": "/vulnerabilities/CVE-2021-33203/38162", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2020-9402", "id": "pyup.io-42985", "more_info_path": "/vulnerabilities/CVE-2020-9402/42985", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2020-7471", "id": "pyup.io-42977", "more_info_path": "/vulnerabilities/CVE-2020-7471/42977", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-19844", "id": "pyup.io-42984", "more_info_path": "/vulnerabilities/CVE-2019-19844/42984", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-14234", "id": "pyup.io-42979", "more_info_path": "/vulnerabilities/CVE-2019-14234/42979", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-14235", "id": "pyup.io-42981", "more_info_path": "/vulnerabilities/CVE-2019-14235/42981", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-14233", "id": "pyup.io-42980", "more_info_path": "/vulnerabilities/CVE-2019-14233/42980", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-12781", "id": "pyup.io-42983", "more_info_path": "/vulnerabilities/CVE-2019-12781/42983", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops 
support for Django 1.x as it reached end of life.", "cve": "CVE-2019-12308", "id": "pyup.io-42982", "more_info_path": "/vulnerabilities/CVE-2019-12308/42982", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 updates the minimum version of its dependency 'urllib3' to v1.24.2 to include a security fix.", "cve": "CVE-2019-11324", "id": "pyup.io-42976", "more_info_path": "/vulnerabilities/CVE-2019-11324/42976", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-idempotency-key 1.1.0 drops support for Django 1.x as it reached end of life.", "cve": "CVE-2019-14232", "id": "pyup.io-42978", "more_info_path": "/vulnerabilities/CVE-2019-14232/42978", "specs": [ "<1.1.0" ], "v": "<1.1.0" } ], "django-idom": [ { "advisory": "Django-idom 0.0.2 includes a fix for a potential directory traversal vulnerability.\r\nhttps://github.com/reactive-python/reactpy-django/pull/45", "cve": "PVE-2023-54819", "id": "pyup.io-54819", "more_info_path": "/vulnerabilities/PVE-2023-54819/54819", "specs": [ "<0.0.2" ], "v": "<0.0.2" } ], "django-initial-avatars": [ { "advisory": "Django-initial-avatars 0.5.0 uses user_id instead of user_username for the url to prevent information exposure.\r\nhttps://github.com/axiome-oss/django-initial-avatars/commit/c8741d902ed8596e07966ad358d20f1339a2e35d", "cve": "PVE-2021-25768", "id": "pyup.io-25768", "more_info_path": "/vulnerabilities/PVE-2021-25768/25768", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "django-jet": [ { "advisory": "Django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.\r\nhttps://github.com/geex-arts/django-jet/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", "cve": "PVE-2021-25769", "id": "pyup.io-25769", "more_info_path": "/vulnerabilities/PVE-2021-25769/25769", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-jet-reboot": [ { "advisory": "Django-jet-reboot 1.0.4 fixes a security issue with accessing 
model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.\r\nhttps://github.com/assem-ch/django-jet-reboot/commit/734f3521d8290f6162847ad0b5c33d8ab5e119a9", "cve": "PVE-2021-39370", "id": "pyup.io-39370", "more_info_path": "/vulnerabilities/PVE-2021-39370/39370", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-jinja-knockout": [ { "advisory": "Django-jinja-knockout 0.4.1 adds more sanity checks in queries and views modules.\r\nhttps://github.com/Dmitri-Sintsov/django-jinja-knockout/commit/0c427d13b3de32a2b69c24927b95fc2e46c9a16c\r\nhttps://github.com/Dmitri-Sintsov/django-jinja-knockout/commit/30c41225e366e0010da47aeeb1ac2e1f2c46f54d", "cve": "PVE-2022-49483", "id": "pyup.io-49483", "more_info_path": "/vulnerabilities/PVE-2022-49483/49483", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "django-js-error-hook": [ { "advisory": "Django-js-error-hook 0.2 adds CSRF protection by default.\r\nhttps://github.com/jojax/django-js-error-hook/commit/1d524883b6bcc1e4a6a4bc580c87dfd326828dc9", "cve": "PVE-2022-51463", "id": "pyup.io-51463", "more_info_path": "/vulnerabilities/PVE-2022-51463/51463", "specs": [ "<0.2" ], "v": "<0.2" } ], "django-js-reverse": [ { "advisory": "django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. 
See: CVE-2019-15486.", "cve": "CVE-2019-15486", "id": "pyup.io-37399", "more_info_path": "/vulnerabilities/CVE-2019-15486/37399", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "django-json-widget": [ { "advisory": "Django-json-widget version 2.0.0 introduces measures to prevent HTML injection by ensuring JSON inputs are safely handled, thus enhancing the security against unsafe content injection vulnerabilities.\r\nhttps://github.com/jmrivas86/django-json-widget/pull/64/commits/bbe84655c3df2b32aade1997953dd06bffcb489e", "cve": "PVE-2024-66924", "id": "pyup.io-66924", "more_info_path": "/vulnerabilities/PVE-2024-66924/66924", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "django-jsonform": [ { "advisory": "Django-jsonform 2.10.1 includes a fix for a high severity vulnerability (XSS) in the admin form.\r\nhttps://github.com/bhch/django-jsonform/security/advisories/GHSA-x9jp-4w8m-4f3c", "cve": "PVE-2022-49361", "id": "pyup.io-49361", "more_info_path": "/vulnerabilities/PVE-2022-49361/49361", "specs": [ "<2.10.1" ], "v": "<2.10.1" } ], "django-kaio": [ { "advisory": "Django-kaio 0.15.0 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-20270", "id": "pyup.io-48415", "more_info_path": "/vulnerabilities/CVE-2021-20270/48415", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2019-20477", "id": "pyup.io-48414", "more_info_path": "/vulnerabilities/CVE-2019-20477/48414", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", "cve": "CVE-2021-33503", "id": "pyup.io-48419", "more_info_path": "/vulnerabilities/CVE-2021-33503/48419", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", "cve": "CVE-2019-11236", "id": "pyup.io-48417", "more_info_path": 
"/vulnerabilities/CVE-2019-11236/48417", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'babel' to v2.9.1 to include security fixes.", "cve": "CVE-2021-42771", "id": "pyup.io-48421", "more_info_path": "/vulnerabilities/CVE-2021-42771/48421", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2020-14343", "id": "pyup.io-48412", "more_info_path": "/vulnerabilities/CVE-2020-14343/48412", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'pygments' to v2.7.4 to include security fixes.", "cve": "CVE-2021-27291", "id": "pyup.io-48416", "more_info_path": "/vulnerabilities/CVE-2021-27291/48416", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'jinja2' to v2.11.3 to include a security fix.", "cve": "CVE-2020-28493", "id": "pyup.io-48410", "more_info_path": "/vulnerabilities/CVE-2020-28493/48410", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", "cve": "CVE-2020-26137", "id": "pyup.io-48418", "more_info_path": "/vulnerabilities/CVE-2020-26137/48418", "specs": [ "<0.15.0" ], "v": "<0.15.0" }, { "advisory": "Django-kaio 0.15.0 updates its dependency 'pyyaml' to v5.4 to include security fixes.", "cve": "CVE-2020-1747", "id": "pyup.io-48413", "more_info_path": "/vulnerabilities/CVE-2020-1747/48413", "specs": [ "<0.15.0" ], "v": "<0.15.0" } ], "django-lazysignup": [ { "advisory": "Django-lazysignup before 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. 
The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.\r\nhttps://github.com/danfairs/django-lazysignup/commit/ea27d50ea222063de81f005565dfbb7f83d8759f", "cve": "PVE-2021-25770", "id": "pyup.io-25770", "more_info_path": "/vulnerabilities/PVE-2021-25770/25770", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], "django-lfs": [ { "advisory": "Django-lfs before 0.6.9 protects all manage methods. Before, they could be reached from outside by anonymous users.\r\nhttps://github.com/diefenbach/django-lfs/commit/5bfa41d2b27e7d23967e4cf9b25107f9da389470", "cve": "PVE-2021-25772", "id": "pyup.io-25772", "more_info_path": "/vulnerabilities/PVE-2021-25772/25772", "specs": [ "<0.6.9" ], "v": "<0.6.9" } ], "django-loci": [ { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25288", "id": "pyup.io-45495", "more_info_path": "/vulnerabilities/CVE-2021-25288/45495", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25289", "id": "pyup.io-45496", "more_info_path": "/vulnerabilities/CVE-2021-25289/45496", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25290", "id": "pyup.io-45497", "more_info_path": "/vulnerabilities/CVE-2021-25290/45497", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-28676", "id": "pyup.io-45493", "more_info_path": "/vulnerabilities/CVE-2021-28676/45493", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-27922", "id": "pyup.io-45501", 
"more_info_path": "/vulnerabilities/CVE-2021-27922/45501", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-27923", "id": "pyup.io-45502", "more_info_path": "/vulnerabilities/CVE-2021-27923/45502", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25292", "id": "pyup.io-45499", "more_info_path": "/vulnerabilities/CVE-2021-25292/45499", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25287", "id": "pyup.io-45494", "more_info_path": "/vulnerabilities/CVE-2021-25287/45494", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-28677", "id": "pyup.io-45492", "more_info_path": "/vulnerabilities/CVE-2021-28677/45492", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-28678", "id": "pyup.io-45404", "more_info_path": "/vulnerabilities/CVE-2021-28678/45404", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-27921", "id": "pyup.io-45500", "more_info_path": "/vulnerabilities/CVE-2021-27921/45500", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 0.4.3 updates its dependency 'Pillow' to versions ~=8.2.0 to include security fixes.", "cve": "CVE-2021-25291", "id": "pyup.io-45498", "more_info_path": "/vulnerabilities/CVE-2021-25291/45498", "specs": [ "<0.4.3" ], "v": "<0.4.3" }, { "advisory": "Django-loci 1.0.1 updates its dependency 'pillow' to 
v9.1.0 to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-48223", "more_info_path": "/vulnerabilities/CVE-2022-24303/48223", "specs": [ "<1.0.1" ], "v": "<1.0.1" }, { "advisory": "Django-loci 1.0.1 updates its dependency 'pillow' to v9.1.0 to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-48230", "more_info_path": "/vulnerabilities/CVE-2022-22817/48230", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "django-magiclink": [ { "advisory": "Django-magiclink 1.0.4 adds csrf_protect decorator for POST requests by default to improve security.", "cve": "PVE-2021-41829", "id": "pyup.io-41829", "more_info_path": "/vulnerabilities/PVE-2021-41829/41829", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-mail-auth": [ { "advisory": "Django-mail-auth before 0.1.3 uses a session hash always identical and predictable for an attacker.\r\nhttps://github.com/codingjoe/django-mail-auth/pull/1", "cve": "PVE-2021-37171", "id": "pyup.io-37171", "more_info_path": "/vulnerabilities/PVE-2021-37171/37171", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "django-make-app": [ { "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", "cve": "CVE-2017-16764", "id": "pyup.io-35722", "more_info_path": "/vulnerabilities/CVE-2017-16764/35722", "specs": [ "<0.1.3" ], "v": "<0.1.3" } ], "django-mapstore-adapter": [ { "advisory": "Django-mapstore-adapter 1.0.4 fixes unescaped \"ms2_config\" which may cause JS injection.\r\nhttps://github.com/GeoNode/django-mapstore-adapter/commit/57e01b55567672961f8c6b7ca3b9dec18cc425b9", "cve": "PVE-2021-38936", "id": "pyup.io-38936", "more_info_path": "/vulnerabilities/PVE-2021-38936/38936", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], "django-markdownx": [ { "advisory": "Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted JavaScript payload in the upload functionality due to lack of proper sanitisation of JavaScript elements. See CVE-2024-2319.", "cve": "CVE-2024-2319", "id": "pyup.io-66965", "more_info_path": "/vulnerabilities/CVE-2024-2319/66965", "specs": [ "<=4.0.2" ], "v": "<=4.0.2" } ], "django-markers": [ { "advisory": "Django-markers 1.4.0 fixes a XSS vulnerability in error messages.\r\nhttps://github.com/danielquinn/django-markers/commit/c0e27b36acb8ff3afba280556a980a7aff574263", "cve": "PVE-2022-52542", "id": "pyup.io-52542", "more_info_path": "/vulnerabilities/PVE-2022-52542/52542", "specs": [ "<1.4.0" ], "v": "<1.4.0" } ], "django-markupfield": [ { "advisory": "django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", "cve": "CVE-2015-0846", "id": "pyup.io-25773", "more_info_path": "/vulnerabilities/CVE-2015-0846/25773", "specs": [ "<1.3.2" ], "v": "<1.3.2" } ], "django-material": [ { "advisory": "Django-material 0.9.0 fixes a XSS vulnerability in input fields.\r\nhttps://github.com/viewflow/django-material/issues/139", "cve": "PVE-2021-25775", "id": 
"pyup.io-25775", "more_info_path": "/vulnerabilities/PVE-2021-25775/25775", "specs": [ "<0.9.0" ], "v": "<0.9.0" }, { "advisory": "Django-material before 1.5.1 included a js injection vulnerability in a list view.\r\nhttps://github.com/viewflow/django-material/commit/778ad3e170a59e750ed7a86b83beebe5eccc39ee", "cve": "PVE-2021-36950", "id": "pyup.io-36950", "more_info_path": "/vulnerabilities/PVE-2021-36950/36950", "specs": [ "<1.5.1" ], "v": "<1.5.1" } ], "django-mfa2": [ { "advisory": "Django-mfa2 2.5.1 and 2.6.1 include a fix for CVE-2022-42731: mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.", "cve": "CVE-2022-42731", "id": "pyup.io-51418", "more_info_path": "/vulnerabilities/CVE-2022-42731/51418", "specs": [ "<2.5.1", ">=2.6.0rc1,<2.6.1" ], "v": "<2.5.1,>=2.6.0rc1,<2.6.1" } ], "django-mfa3": [ { "advisory": "Django-mfa3 0.5.0 includes a fix for CVE-2022-24857: Django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. It is possible to work around the issue by overwriting the admin login route, e.g. 
by adding the following URL definition before the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL).\r\nhttps://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4", "cve": "CVE-2022-24857", "id": "pyup.io-48171", "more_info_path": "/vulnerabilities/CVE-2022-24857/48171", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "django-modern-rpc": [ { "advisory": "Django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.\r\nhttps://github.com/alorence/django-modern-rpc/commit/88fb4c40ce1a6346d7a22f9eafbdc58a4b7b3a96", "cve": "PVE-2021-34991", "id": "pyup.io-34991", "more_info_path": "/vulnerabilities/PVE-2021-34991/34991", "specs": [ "<0.8.1" ], "v": "<0.8.1" } ], "django-mptt": [ { "advisory": "Django-mptt 0.8.0 drops support for Django versions <1.8. They no longer receive security patches.", "cve": "CVE-2015-0219", "id": "pyup.io-49761", "more_info_path": "/vulnerabilities/CVE-2015-0219/49761", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-mptt 0.8.0 drops support for python versions <2.7. They no longer receive security patches.", "cve": "CVE-2011-1521", "id": "pyup.io-41205", "more_info_path": "/vulnerabilities/CVE-2011-1521/41205", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-mptt 0.8.0 drops support for Django versions <1.8. They no longer receive security patches.", "cve": "CVE-2015-0221", "id": "pyup.io-49763", "more_info_path": "/vulnerabilities/CVE-2015-0221/49763", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-mptt 0.8.0 drops support for python versions <2.7. They no longer receive security patches.", "cve": "CVE-2010-3492", "id": "pyup.io-49760", "more_info_path": "/vulnerabilities/CVE-2010-3492/49760", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-mptt 0.8.0 drops support for Django versions <1.8. 
They no longer receive security patches.", "cve": "CVE-2015-0222", "id": "pyup.io-49764", "more_info_path": "/vulnerabilities/CVE-2015-0222/49764", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-mptt 0.8.0 drops support for Django versions <1.8. They no longer receive security patches.", "cve": "CVE-2015-0220", "id": "pyup.io-49762", "more_info_path": "/vulnerabilities/CVE-2015-0220/49762", "specs": [ "<0.8.0" ], "v": "<0.8.0" } ], "django-mssql-backend": [ { "advisory": "Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability See CVE-2024-26164.", "cve": "CVE-2024-26164", "id": "pyup.io-66966", "more_info_path": "/vulnerabilities/CVE-2024-26164/66966", "specs": [ "<1.4.1" ], "v": "<1.4.1" } ], "django-music-publisher": [ { "advisory": "Django-music-publisher 18.9.1 updates its dependency 'Django' to v2.1.2 to include a security fix.", "cve": "CVE-2018-16984", "id": "pyup.io-36523", "more_info_path": "/vulnerabilities/CVE-2018-16984/36523", "specs": [ "<18.9.1" ], "v": "<18.9.1" }, { "advisory": "Django-music-publisher 18.9.3 updates its dependency 'requests' to v2.20.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-36608", "more_info_path": "/vulnerabilities/CVE-2018-18074/36608", "specs": [ "<18.9.3" ], "v": "<18.9.3" } ], "django-nameko-standalone": [ { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-6975", "id": "pyup.io-43707", "more_info_path": "/vulnerabilities/CVE-2019-6975/43707", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2018-14574", "id": "pyup.io-43709", "more_info_path": "/vulnerabilities/CVE-2018-14574/43709", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2018-7537", "id": 
"pyup.io-38565", "more_info_path": "/vulnerabilities/CVE-2018-7537/38565", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-12781", "id": "pyup.io-43705", "more_info_path": "/vulnerabilities/CVE-2019-12781/43705", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-12308", "id": "pyup.io-43706", "more_info_path": "/vulnerabilities/CVE-2019-12308/43706", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-14233", "id": "pyup.io-43702", "more_info_path": "/vulnerabilities/CVE-2019-14233/43702", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-3498", "id": "pyup.io-43708", "more_info_path": "/vulnerabilities/CVE-2019-3498/43708", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-14232", "id": "pyup.io-43701", "more_info_path": "/vulnerabilities/CVE-2019-14232/43701", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-19844", "id": "pyup.io-43700", "more_info_path": "/vulnerabilities/CVE-2019-19844/43700", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to 1.11.27 to include security fixes.", "cve": "CVE-2019-14234", "id": "pyup.io-43703", "more_info_path": "/vulnerabilities/CVE-2019-14234/43703", "specs": [ "<1.3.2" ], "v": "<1.3.2" }, { "advisory": "Django-nameko-standalone 1.3.2 updates its Django 
version to 1.11.27 to include security fixes.", "cve": "CVE-2019-14235", "id": "pyup.io-43704", "more_info_path": "/vulnerabilities/CVE-2019-14235/43704", "specs": [ "<1.3.2" ], "v": "<1.3.2" } ], "django-navbar-client": [ { "advisory": "Django-navbar-client v0.9.50 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.", "cve": "CVE-2022-32996", "id": "pyup.io-49646", "more_info_path": "/vulnerabilities/CVE-2022-32996/49646", "specs": [ ">=0.9.50,<=1.0.1" ], "v": ">=0.9.50,<=1.0.1" } ], "django-newsletter": [ { "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.\r\nhttps://github.com/jazzband/django-newsletter/commit/bea5a5100cc40717995dafc65ff011bc76696ebd", "cve": "PVE-2021-36318", "id": "pyup.io-36318", "more_info_path": "/vulnerabilities/PVE-2021-36318/36318", "specs": [ "<0.7" ], "v": "<0.7" }, { "advisory": "Django-newsletter 0.9 updates its dependency 'Waitress' to v1.4.3 to include a security fix.", "cve": "CVE-2020-5236", "id": "pyup.io-43671", "more_info_path": "/vulnerabilities/CVE-2020-5236/43671", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Django-newsletter 0.9 updates its dependency 'Django' to v3.0.3 to include a security fix.", "cve": "CVE-2020-7471", "id": "pyup.io-37916", "more_info_path": "/vulnerabilities/CVE-2020-7471/37916", "specs": [ "<0.9" ], "v": "<0.9" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", "cve": "CVE-2019-16792", "id": "pyup.io-43674", "more_info_path": "/vulnerabilities/CVE-2019-16792/43674", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-14235", "id": "pyup.io-43685", "more_info_path": 
"/vulnerabilities/CVE-2019-14235/43685", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-3498", "id": "pyup.io-43680", "more_info_path": "/vulnerabilities/CVE-2019-3498/43680", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-12308", "id": "pyup.io-43687", "more_info_path": "/vulnerabilities/CVE-2019-12308/43687", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", "cve": "CVE-2019-16786", "id": "pyup.io-37677", "more_info_path": "/vulnerabilities/CVE-2019-16786/37677", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", "cve": "CVE-2019-19911", "id": "pyup.io-43675", "more_info_path": "/vulnerabilities/CVE-2019-19911/43675", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", "cve": "CVE-2019-16785", "id": "pyup.io-43672", "more_info_path": "/vulnerabilities/CVE-2019-16785/43672", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", "cve": "CVE-2020-5313", "id": "pyup.io-43679", "more_info_path": "/vulnerabilities/CVE-2020-5313/43679", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", "cve": "CVE-2020-5312", "id": "pyup.io-43678", "more_info_path": "/vulnerabilities/CVE-2020-5312/43678", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", "cve": 
"CVE-2020-5311", "id": "pyup.io-43677", "more_info_path": "/vulnerabilities/CVE-2020-5311/43677", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'pillow' to v7.0.0 to include security fixes.", "cve": "CVE-2020-5310", "id": "pyup.io-43676", "more_info_path": "/vulnerabilities/CVE-2020-5310/43676", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'waitress' to v1.4.2 to include security fixes.", "cve": "CVE-2019-16789", "id": "pyup.io-43673", "more_info_path": "/vulnerabilities/CVE-2019-16789/43673", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-19118", "id": "pyup.io-43681", "more_info_path": "/vulnerabilities/CVE-2019-19118/43681", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-14234", "id": "pyup.io-43682", "more_info_path": "/vulnerabilities/CVE-2019-14234/43682", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-14233", "id": "pyup.io-43683", "more_info_path": "/vulnerabilities/CVE-2019-14233/43683", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-12781", "id": "pyup.io-43686", "more_info_path": "/vulnerabilities/CVE-2019-12781/43686", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-14232", "id": "pyup.io-43684", "more_info_path": "/vulnerabilities/CVE-2019-14232/43684", "specs": [ "<0.9b1" ], "v": "<0.9b1" }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 
'django' to v3.0.2 to include security fixes.", "cve": "CVE-2019-6975", "id": "pyup.io-43688", "more_info_path": "/vulnerabilities/CVE-2019-6975/43688", "specs": [ "<0.9b1" ], "v": "<0.9b1" } ], "django-ninecms": [ { "advisory": "Django-ninecms before 0.4.5b has a unknown security issue in its url configuration.", "cve": "PVE-2021-25776", "id": "pyup.io-25776", "more_info_path": "/vulnerabilities/PVE-2021-25776/25776", "specs": [ "<0.4.5b" ], "v": "<0.4.5b" } ], "django-nopassword": [ { "advisory": "django-nopassword before 5.0.0 stores cleartext secrets in the database. See: CVE-2019-10682.", "cve": "CVE-2019-10682", "id": "pyup.io-38080", "more_info_path": "/vulnerabilities/CVE-2019-10682/38080", "specs": [ "<5.0.0" ], "v": "<5.0.0" } ], "django-oauth-toolkit": [ { "advisory": "Django-oauth-toolkit 0.8.0 includes fixes for various vulnerabilities on 'Basic' authentication.\r\nhttps://github.com/jazzband/django-oauth-toolkit/commit/83367ffe5ad1046f5a5338537a8655cb1c16400d", "cve": "PVE-2021-39609", "id": "pyup.io-39609", "more_info_path": "/vulnerabilities/PVE-2021-39609/39609", "specs": [ "<0.8.0" ], "v": "<0.8.0" }, { "advisory": "Django-oauth-toolkit upgrades oauthlib to 3.2.2+ to address CVE-2022-36087.", "cve": "CVE-2022-36087", "id": "pyup.io-73082", "more_info_path": "/vulnerabilities/CVE-2022-36087/73082", "specs": [ "<3.0.0" ], "v": "<3.0.0" } ], "django-orghierarchy": [ { "advisory": "Django-orghierarchy 0.1.13 updates its dependency 'Django' to v1.11.15 to include a security fix.", "cve": "CVE-2018-14574", "id": "pyup.io-37039", "more_info_path": "/vulnerabilities/CVE-2018-14574/37039", "specs": [ "<0.1.13" ], "v": "<0.1.13" }, { "advisory": "Django-orghierarchy 0.1.18 updates its dependency 'requests' to v2.20.0 to include a security fix.", "cve": "CVE-2018-18074", "id": "pyup.io-37038", "more_info_path": "/vulnerabilities/CVE-2018-18074/37038", "specs": [ "<0.1.18" ], "v": "<0.1.18" } ], "django-pagetree": [ { "advisory": "Django-pagetree version 
1.0.4 adds csrf_tokens to several forms where it was missing.", "cve": "PVE-2021-41899", "id": "pyup.io-41899", "more_info_path": "/vulnerabilities/PVE-2021-41899/41899", "specs": [ "<1.0.4" ], "v": "<1.0.4" }, { "advisory": "Django-pagetree version 1.0.7 adds a csrf token for the import_json form.", "cve": "PVE-2021-41898", "id": "pyup.io-41898", "more_info_path": "/vulnerabilities/PVE-2021-41898/41898", "specs": [ "<1.0.7" ], "v": "<1.0.7" }, { "advisory": "Django-pagetree 1.1.8 adds a csrf_token to the base clone_hierarchy form.", "cve": "PVE-2021-41897", "id": "pyup.io-41897", "more_info_path": "/vulnerabilities/PVE-2021-41897/41897", "specs": [ "<1.1.8" ], "v": "<1.1.8" } ], "django-patchwork": [ { "advisory": "A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. 
Patchwork versions v2.1.4 and v2.0.4 will contain the fix.", "cve": "CVE-2019-13122", "id": "pyup.io-42262", "more_info_path": "/vulnerabilities/CVE-2019-13122/42262", "specs": [ ">=1.1,<2.0.4", ">=2.1.0,<2.1.4", "==2.1.0:rc1", "==2.1.0:rc2" ], "v": ">=1.1,<2.0.4,>=2.1.0,<2.1.4,==2.1.0:rc1,==2.1.0:rc2" } ], "django-perms-provisioner": [ { "advisory": "Django-perms-provisioner 0.0.4 updates PyYAML to v5.3.1 to include security fixes.", "cve": "CVE-2020-1747", "id": "pyup.io-38289", "more_info_path": "/vulnerabilities/CVE-2020-1747/38289", "specs": [ "<0.0.4" ], "v": "<0.0.4" }, { "advisory": "Django-perms-provisioner updates its dependency 'pyyaml' to v5.3.1 and code to include security fixes.\r\nhttps://github.com/labd/django-perms-provisioner/commit/1e65b781c47f6ba02805283a3ede56276ae14b44", "cve": "CVE-2019-20477", "id": "pyup.io-43456", "more_info_path": "/vulnerabilities/CVE-2019-20477/43456", "specs": [ "<0.0.4" ], "v": "<0.0.4" } ], "django-pgbulk": [ { "advisory": "Django-pgbulk 2.0.0 updates 'pgbulk.upsert' to no longer support the 'return_untouched` argument, as it had race conditions.", "cve": "PVE-2023-61662", "id": "pyup.io-61662", "more_info_path": "/vulnerabilities/PVE-2023-61662/61662", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "django-pghistory": [ { "advisory": "Django-pghistory 2.6.0 escapes all context data to avoid SQL injection attacks.\r\nhttps://github.com/Opus10/django-pghistory/commit/a5380fa85745731c6bc749f0e453ab66314c0bc7", "cve": "PVE-2023-53875", "id": "pyup.io-53875", "more_info_path": "/vulnerabilities/PVE-2023-53875/53875", "specs": [ "<2.6.0" ], "v": "<2.6.0" } ], "django-photologue": [ { "advisory": "A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic. Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler. The manipulation of the argument object.caption leads to cross site scripting. 
The attack may be launched remotely.\r\nhttps://github.com/richardbarran/django-photologue/issues/223", "cve": "CVE-2022-4526", "id": "pyup.io-52448", "more_info_path": "/vulnerabilities/CVE-2022-4526/52448", "specs": [ "<=3.15.1" ], "v": "<=3.15.1" } ], "django-piston": [ { "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "cve": "CVE-2011-4103", "id": "pyup.io-25777", "more_info_path": "/vulnerabilities/CVE-2011-4103/25777", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "django-pluggable-filebrowser": [ { "advisory": "Django-pluggable-filebrowser 3.4.2 fixes a XSS vulnerability.\r\nhttps://github.com/sehmaschine/django-filebrowser/pull/88", "cve": "PVE-2021-25778", "id": "pyup.io-25778", "more_info_path": "/vulnerabilities/PVE-2021-25778/25778", "specs": [ "<3.4.2" ], "v": "<3.4.2" } ], "django-postman": [ { "advisory": "Django-postman 3.6.2 fixes an open redirect vulnerability within the \"next\" parameter.\r\nhttps://bitbucket.org/psam/django-postman/issues/101/open-redirect-vulnerability-within-the", "cve": "PVE-2021-36667", "id": "pyup.io-36667", "more_info_path": "/vulnerabilities/PVE-2021-36667/36667", "specs": [ "<3.6.2" ], "v": "<3.6.2" } ], "django-python3-ldap": [ { "advisory": "Django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.\r\nhttps://github.com/etianen/django-python3-ldap/commit/a250194e2911e270a90b0eec2251343040a75ece", "cve": "PVE-2021-25779", "id": "pyup.io-25779", "more_info_path": "/vulnerabilities/PVE-2021-25779/25779", "specs": [ "<0.9.5" ], "v": "<0.9.5" }, { "advisory": "Django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP 
server.\r\nhttps://github.com/etianen/django-python3-ldap/commit/17a94be4d6cc147407ac427e3067d432ac01a732", "cve": "PVE-2021-25780", "id": "pyup.io-25780", "more_info_path": "/vulnerabilities/PVE-2021-25780/25780", "specs": [ "<0.9.8" ], "v": "<0.9.8" } ], "django-rated": [ { "advisory": "Django-rated 1.1.2 sets 'X-Forwarded-For=False' by default. X-Forwarded-For HTTP header should not be used for any Access Control List (ACL) checks because it can be spoofed by attackers.\r\nhttps://github.com/funkybob/django-rated/commit/bb0766470ab0a30ab374b291dded6212fa1285e2", "cve": "PVE-2021-25781", "id": "pyup.io-25781", "more_info_path": "/vulnerabilities/PVE-2021-25781/25781", "specs": [ "<1.1.2" ], "v": "<1.1.2" } ], "django-react-templatetags": [ { "advisory": "Django-react-templatetags 6.0.1 includes a fix for a XSS vulnerability.\r\nhttps://github.com/Frojd/django-react-templatetags/commit/62933728f6fb4b3ca31cf67dc1f673ca38b25286", "cve": "PVE-2023-52696", "id": "pyup.io-52696", "more_info_path": "/vulnerabilities/PVE-2023-52696/52696", "specs": [ "<6.0.1" ], "v": "<6.0.1" } ], "django-registration": [ { "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.\r\nhttps://github.com/macropin/django-registration/commit/3a2e0182ff92cc8ce39a932e463cbac37e485afa", "cve": "PVE-2021-36431", "id": "pyup.io-36431", "more_info_path": "/vulnerabilities/PVE-2021-36431/36431", "specs": [ "<1.7" ], "v": "<1.7" }, { "advisory": "django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. 
Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). See CVE-2021-21416.", "cve": "CVE-2021-21416", "id": "pyup.io-40136", "more_info_path": "/vulnerabilities/CVE-2021-21416/40136", "specs": [ "<3.1.2" ], "v": "<3.1.2" } ], "django-registration-redux": [ { "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268", "cve": "PVE-2021-35199", "id": "pyup.io-35199", "more_info_path": "/vulnerabilities/PVE-2021-35199/35199", "specs": [ "<1.7" ], "v": "<1.7" } ], "django-relatives": [ { "advisory": "Django-relatives before 0.3.0 is vulnerable to XSS in html tags.\r\nhttps://github.com/treyhunner/django-relatives/commit/6410ae4695389cb377ce23d35883d8b70b789deb", "cve": "PVE-2021-25782", "id": "pyup.io-25782", "more_info_path": "/vulnerabilities/PVE-2021-25782/25782", "specs": [ "<0.3.0" ], "v": "<0.3.0" } ], "django-rest-framework": [ { "advisory": "Django-rest-framework 3.11.2 includes a fix for CVE-2020-25626: When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. 
This allows a user who can control those strings to inject malicious \"script\" tags, leading to a cross-site-scripting (XSS) vulnerability.", "cve": "CVE-2020-25626", "id": "pyup.io-52573", "more_info_path": "/vulnerabilities/CVE-2020-25626/52573", "specs": [ "<3.11.2" ], "v": "<3.11.2" }, { "advisory": "Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.", "cve": "CVE-2018-25045", "id": "pyup.io-50263", "more_info_path": "/vulnerabilities/CVE-2018-25045/50263", "specs": [ "<3.9.1" ], "v": "<3.9.1" } ], "django-rest-registration": [ { "advisory": "Django-rest-registration 0.5.0 includes a fix for CVE-2019-13177: verification.py in django-rest-registration before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", "cve": "CVE-2019-13177", "id": "pyup.io-37266", "more_info_path": "/vulnerabilities/CVE-2019-13177/37266", "specs": [ "<0.5.0" ], "v": "<0.5.0" } ], "django-revproxy": [ { "advisory": "Django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.\r\nhttps://github.com/jazzband/django-revproxy/commit/0ce23b632fc7c1b4cb5f5e03077b45e6ece802e6", "cve": "PVE-2021-25783", "id": "pyup.io-25783", "more_info_path": "/vulnerabilities/PVE-2021-25783/25783", "specs": [ "<0.9.6" ], "v": "<0.9.6" }, { "advisory": "Django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin, it ignores the upstream and the request is redirected to the path itself, allowing content injection.\r\nhttps://github.com/jazzband/django-revproxy/commit/e9b4dfd162c73adbad6077355c9420d0c40d4f3f", "cve": "PVE-2021-25784", "id": "pyup.io-25784", "more_info_path": "/vulnerabilities/PVE-2021-25784/25784", "specs": [ "<0.9.7" ], "v": 
"<0.9.7" } ], "django-rq-scheduler": [ { "advisory": "Django-rq-scheduler 2023.6.1 includes a fix for a HTML injection vulnerability.\r\nhttps://github.com/dsoftwareinc/django-rq-scheduler/commit/51a47230babc583ebd8230c40bc264af215d404e", "cve": "PVE-2023-58913", "id": "pyup.io-58913", "more_info_path": "/vulnerabilities/PVE-2023-58913/58913", "specs": [ "<2023.6.1" ], "v": "<2023.6.1" } ], "django-s3file": [ { "advisory": "Django-s3file 5.5.1 includes a fix for CVE-2022-24840: In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the 'AWS_LOCATION' setting was set, traversal was limited to that location only. The issue was discovered by the maintainer. There were no reports of the vulnerability being known to or exploited by a third party, prior to the release of the patch.", "cve": "CVE-2022-24840", "id": "pyup.io-49313", "more_info_path": "/vulnerabilities/CVE-2022-24840/49313", "specs": [ "<5.5.1" ], "v": "<5.5.1" } ], "django-safedelete": [ { "advisory": "Django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.\r\nhttps://github.com/makinacorpus/django-safedelete/commit/317c548c9d53e8983bb9a361c02f658f635ac13e", "cve": "PVE-2021-25785", "id": "pyup.io-25785", "more_info_path": "/vulnerabilities/PVE-2021-25785/25785", "specs": [ "<0.3.3" ], "v": "<0.3.3" } ], "django-sage-painless": [ { "advisory": "Django-sage-painless 1.10.2 stores sensitive data as env variables to avoid information exposure.\r\nhttps://github.com/sageteam-org/django-sage-painless/commit/b901519e5e8d371ee51166fff56000c8478f7268", "cve": "PVE-2021-41101", "id": "pyup.io-41101", "more_info_path": "/vulnerabilities/PVE-2021-41101/41101", "specs": [ "<1.10.2" ], "v": "<1.10.2" } ], "django-salesforce": [ { "advisory": "Django-salesforce 0.6.3 defaults to use the most secure TLS version 
(TLSv1.1).\r\nhttps://github.com/django-salesforce/django-salesforce/commit/78cfc735195ef0cc45d0709f31abf26b5570be83", "cve": "CVE-2014-3566", "id": "pyup.io-34352", "more_info_path": "/vulnerabilities/CVE-2014-3566/34352", "specs": [ "<0.6.3" ], "v": "<0.6.3" } ], "django-secured-fields": [ { "advisory": "Django-secured-fields 0.3.1 updates its dependency 'django' to v4.0.2 to include security fixes.", "cve": "CVE-2022-23833", "id": "pyup.io-45851", "more_info_path": "/vulnerabilities/CVE-2022-23833/45851", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Django-secured-fields 0.3.1 updates its dependency 'django' to v4.0.2 to include security fixes.", "cve": "CVE-2022-22818", "id": "pyup.io-45850", "more_info_path": "/vulnerabilities/CVE-2022-22818/45850", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Django-secured-fields 0.3.1 updates its dependency 'ipython' to v7.31.1 to include a security fix.", "cve": "CVE-2022-21699", "id": "pyup.io-45843", "more_info_path": "/vulnerabilities/CVE-2022-21699/45843", "specs": [ "<0.3.1" ], "v": "<0.3.1" }, { "advisory": "Django-secured-fields 0.3.2 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-46498", "more_info_path": "/vulnerabilities/CVE-2022-22817/46498", "specs": [ "<0.3.2" ], "v": "<0.3.2" }, { "advisory": "Django-secured-fields 0.3.2 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-46412", "more_info_path": "/vulnerabilities/CVE-2022-24303/46412", "specs": [ "<0.3.2" ], "v": "<0.3.2" }, { "advisory": "Django-secured-fields 0.4.1 updates its dependency 'Django' to v4.0.6 to include security fixes.", "cve": "CVE-2022-28346", "id": "pyup.io-52739", "more_info_path": "/vulnerabilities/CVE-2022-28346/52739", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Django-secured-fields 0.4.1 updates its dependency 'Django' to v4.0.6 to include security fixes.", "cve": "CVE-2022-34265", 
"id": "pyup.io-52688", "more_info_path": "/vulnerabilities/CVE-2022-34265/52688", "specs": [ "<0.4.1" ], "v": "<0.4.1" }, { "advisory": "Django-secured-fields 0.4.1 updates its dependency 'Django' to v4.0.6 to include security fixes.", "cve": "CVE-2022-28347", "id": "pyup.io-52738", "more_info_path": "/vulnerabilities/CVE-2022-28347/52738", "specs": [ "<0.4.1" ], "v": "<0.4.1" } ], "django-select2": [ { "advisory": "Django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.\r\nhttps://github.com/applegrew/django-select2/commit/4a1b83ad1e9b2523961a0f23706c70b01683494f", "cve": "PVE-2021-25787", "id": "pyup.io-25787", "more_info_path": "/vulnerabilities/PVE-2021-25787/25787", "specs": [ "<5.7.0" ], "v": "<5.7.0" } ], "django-selectable": [ { "advisory": "Django-selectable 0.5.2 fixes a XSS flaw with lookup \"get_item_*\" methods.\r\nhttps://github.com/mlavin/django-selectable/issues/63", "cve": "PVE-2021-25788", "id": "pyup.io-25788", "more_info_path": "/vulnerabilities/PVE-2021-25788/25788", "specs": [ "<0.5.2" ], "v": "<0.5.2" } ], "django-sendfile2": [ { "advisory": "Django-sendfile2 0.6.0 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/moggers87/django-sendfile2/security/advisories/GHSA-6r3c-8xf3-ggrr", "cve": "PVE-2023-55171", "id": "pyup.io-55171", "more_info_path": "/vulnerabilities/PVE-2023-55171/55171", "specs": [ "<0.6.0" ], "v": "<0.6.0" }, { "advisory": "Django-sendfile2 0.7.0 includes a fix for a reflected file download vulnerability, similar to CVE-2022-36359.\r\nhttps://github.com/moggers87/django-sendfile2/commit/4c370859023292e3715200a57843f86c5ef3cd77\r\nhttps://github.com/moggers87/django-sendfile2/security/advisories/GHSA-pcjh-6r5h-r92r", "cve": "PVE-2022-50561", "id": "pyup.io-50561", "more_info_path": "/vulnerabilities/PVE-2022-50561/50561", "specs": [ "<0.7.0" ], "v": "<0.7.0" } ], "django-server": [ { "advisory": "django-server is a package affected by 
pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": "PVE-2021-34982", "id": "pyup.io-34982", "more_info_path": "/vulnerabilities/PVE-2021-34982/34982", "specs": [ ">0", "<0" ], "v": ">0,<0" } ], "django-ses": [ { "advisory": "Django-SES 3.5.0 includes a fix for CVE-2023-33185: The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the 'SESEventWebhookView class' intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates.\r\nhttps://github.com/django-ses/django-ses/security/advisories/GHSA-qg36-9jxh-fj25", "cve": "CVE-2023-33185", "id": "pyup.io-58824", "more_info_path": "/vulnerabilities/CVE-2023-33185/58824", "specs": [ "<3.5.0" ], "v": "<3.5.0" } ], "django-session-security": [ { "advisory": "Django-session-security 2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.\r\nhttps://github.com/yourlabs/django-session-security/commit/52d531928fd5e84a1dceaf0bc8ca47beefc52523", "cve": "PVE-2021-25789", "id": "pyup.io-25789", "more_info_path": "/vulnerabilities/PVE-2021-25789/25789", "specs": [ "<2.4.0" ], "v": "<2.4.0" } ], "django-silk": [ { "advisory": "Django-silk 3.2.0 masks sensitive data. 
Before, request bodies were stored as plain text in the database.\r\nhttps://github.com/jazzband/django-silk/commit/04d8175eb6c712f5f713ebd0c3306d5e99dc2e15", "cve": "PVE-2022-49564", "id": "pyup.io-49564", "more_info_path": "/vulnerabilities/PVE-2022-49564/49564", "specs": [ "<3.0.2" ], "v": "<3.0.2" }, { "advisory": "Django-silk version 4.0.0 masks request headers to avoid auth information leaking.\r\nhttps://github.com/jazzband/django-silk/issues/375", "cve": "PVE-2021-42216", "id": "pyup.io-42216", "more_info_path": "/vulnerabilities/PVE-2021-42216/42216", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "django-smart-lists": [ { "advisory": "Django-smart-lists 1.0.26 fixes a XSS vulnerability in the render_function.\r\nhttps://github.com/plecto/django-smart-lists/commit/44314e51b371e01cd9bceb2e0ed6c8d75d7f87c3", "cve": "PVE-2021-38150", "id": "pyup.io-38150", "more_info_path": "/vulnerabilities/PVE-2021-38150/38150", "specs": [ "<1.0.26" ], "v": "<1.0.26" } ], "django-smart-selects": [ { "advisory": "Django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters.\r\nhttps://github.com/jazzband/django-smart-selects/releases/tag/1.5.0", "cve": "PVE-2021-34234", "id": "pyup.io-34234", "more_info_path": "/vulnerabilities/PVE-2021-34234/34234", "specs": [ "<1.5.0" ], "v": "<1.5.0" } ], "django-social-auth": [ { "advisory": "Django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", "cve": "PVE-2021-25790", "id": "pyup.io-25790", "more_info_path": "/vulnerabilities/PVE-2021-25790/25790", "specs": [ "<0.7.2" ], "v": "<0.7.2" } ], "django-social-auth3": [ { "advisory": "Django-social-auth3 0.3.3 fixes a security hole: redirects via the next param are now properly sanitized to disallow redirecting to external hosts.\r\nhttps://github.com/omab/django-social-auth/commit/32a67fa2a751b59d6c775f8f201981c4a27b2610", "cve": "PVE-2021-25791", "id": 
"pyup.io-25791", "more_info_path": "/vulnerabilities/PVE-2021-25791/25791", "specs": [ "<0.3.3" ], "v": "<0.3.3" } ], "django-spectator": [ { "advisory": "Django-spectator 11.7.0 strips out EXIF data from images uploaded as thumbnails.\r\nhttps://github.com/philgyford/django-spectator/commit/370d1aa7109bddef206fe5e22aca3166a04a1d2a", "cve": "PVE-2022-47773", "id": "pyup.io-47773", "more_info_path": "/vulnerabilities/PVE-2022-47773/47773", "specs": [ "<11.7.0" ], "v": "<11.7.0" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "PVE-2022-44524", "id": "pyup.io-47778", "more_info_path": "/vulnerabilities/PVE-2022-44524/47778", "specs": [ "<12.0.1" ], "v": "<12.0.1" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-22816", "id": "pyup.io-47779", "more_info_path": "/vulnerabilities/CVE-2022-22816/47779", "specs": [ "<12.0.1" ], "v": "<12.0.1" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-24303", "id": "pyup.io-47772", "more_info_path": "/vulnerabilities/CVE-2022-24303/47772", "specs": [ "<12.0.1" ], "v": "<12.0.1" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-22815", "id": "pyup.io-47780", "more_info_path": "/vulnerabilities/CVE-2022-22815/47780", "specs": [ "<12.0.1" ], "v": "<12.0.1" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "CVE-2022-22817", "id": "pyup.io-47776", "more_info_path": "/vulnerabilities/CVE-2022-22817/47776", "specs": [ "<12.0.1" ], "v": "<12.0.1" }, { "advisory": "Django-spectator 12.0.1 updates its dependency 'pillow' to v9.0.1 to include security fixes.", "cve": "PVE-2021-44525", "id": "pyup.io-47777", "more_info_path": "/vulnerabilities/PVE-2021-44525/47777", 
"specs": [ "<12.0.1" ], "v": "<12.0.1" } ], "django-spirit": [ { "advisory": "django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect, which results in an open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.", "cve": "CVE-2022-0869", "id": "pyup.io-54306", "more_info_path": "/vulnerabilities/CVE-2022-0869/54306", "specs": [ ">=0,<0.12.3" ], "v": ">=0,<0.12.3" } ], "django-sql-dashboard": [ { "advisory": "Django-sql-dashboard 0.14 fixes a security and permissions flaw, where users without the 'execute_sql' permission could still run custom queries by editing saved dashboards using the Django admin interface.\r\nhttps://github.com/simonw/django-sql-dashboard/issues/94", "cve": "PVE-2021-40482", "id": "pyup.io-40482", "more_info_path": "/vulnerabilities/PVE-2021-40482/40482", "specs": [ "<0.14" ], "v": "<0.14" } ], "django-sql-explorer": [ { "advisory": "Django-sql-explorer before version 0.5 allows usage of query parameters to users with view permissions. 
This results in a potential for SQL injection.\r\nhttps://github.com/groveco/django-sql-explorer/commit/ed491b70a02eb626826abc1230c3001a7d5ed489", "cve": "PVE-2021-39445", "id": "pyup.io-39445", "more_info_path": "/vulnerabilities/PVE-2021-39445/39445", "specs": [ "<0.5" ], "v": "<0.5" }, { "advisory": "Django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.\r\nhttps://github.com/groveco/django-sql-explorer/pull/286", "cve": "PVE-2021-33293", "id": "pyup.io-33293", "more_info_path": "/vulnerabilities/PVE-2021-33293/33293", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { "advisory": "Django-sql-explorer version 4.2.0b1 addresses a regex-injection vulnerability, enhancing security measures within the application.", "cve": "PVE-2024-70482", "id": "pyup.io-70482", "more_info_path": "/vulnerabilities/PVE-2024-70482/70482", "specs": [ "<4.2.0" ], "v": "<4.2.0" } ], "django-sticky-uploads": [ { "advisory": "Django-sticky-uploads 0.2.0 fixes a security issue related to a client changing the upload url specified by the widget for the upload.\r\nhttps://github.com/caktus/django-sticky-uploads/commit/81f4c1bf119b46c0716b0565c216e210960fc250", "cve": "PVE-2021-25793", "id": "pyup.io-25793", "more_info_path": "/vulnerabilities/PVE-2021-25793/25793", "specs": [ "<0.2.0" ], "v": "<0.2.0" } ], "django-storages": [ { "advisory": "Django-storages before 1.7 has an insecure default ACL of 'public-read' in the 'S3BotoStorage' and 'S3Boto3Storage' backends.\r\nhttps://github.com/jschneier/django-storages/commit/6ee6a739752923c60eaa1e82262c1d07208ec7f6", "cve": "PVE-2021-36434", "id": "pyup.io-36434", "more_info_path": "/vulnerabilities/PVE-2021-36434/36434", "specs": [ "<1.7" ], "v": "<1.7" } ], "django-su": [ { "advisory": "Django-su 0.6.0 makes sure all CSRF protection is enabled.\r\nhttps://github.com/adamcharnock/django-su/commit/f75ea076577a824b0f81e35fc0c568a23a16cad2", "cve": "PVE-2022-47921", "id": 
"pyup.io-47921", "more_info_path": "/vulnerabilities/PVE-2022-47921/47921", "specs": [ "<0.6.0" ], "v": "<0.6.0" } ], "django-tastypie": [ { "advisory": "The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "cve": "CVE-2011-4104", "id": "pyup.io-25794", "more_info_path": "/vulnerabilities/CVE-2011-4104/25794", "specs": [ "<0.9.10" ], "v": "<0.9.10" } ], "django-termsandconditions": [ { "advisory": "Django-termsandconditions 2.0.10 fixes an open redirect vulnerability.\r\nhttps://github.com/cyface/django-termsandconditions/commit/03396a1c2e0af95e12a45c5faef7e47a4b513e1a", "cve": "PVE-2022-49632", "id": "pyup.io-49632", "more_info_path": "/vulnerabilities/PVE-2022-49632/49632", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2022-23833", "id": "pyup.io-49671", "more_info_path": "/vulnerabilities/CVE-2022-23833/49671", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2021-45452", "id": "pyup.io-49672", "more_info_path": "/vulnerabilities/CVE-2021-45452/49672", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2022-28347", "id": "pyup.io-49668", "more_info_path": "/vulnerabilities/CVE-2022-28347/49668", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2021-45116", "id": "pyup.io-49673", "more_info_path": "/vulnerabilities/CVE-2021-45116/49673", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": 
"Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2021-45115", "id": "pyup.io-49674", "more_info_path": "/vulnerabilities/CVE-2021-45115/49674", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2022-28346", "id": "pyup.io-49669", "more_info_path": "/vulnerabilities/CVE-2022-28346/49669", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2022-22818", "id": "pyup.io-49670", "more_info_path": "/vulnerabilities/CVE-2022-22818/49670", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2021-44420", "id": "pyup.io-49675", "more_info_path": "/vulnerabilities/CVE-2021-44420/49675", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. 
The attack can be launched remotely.", "cve": "CVE-2022-4589", "id": "pyup.io-52467", "more_info_path": "/vulnerabilities/CVE-2022-4589/52467", "specs": [ "<2.0.10" ], "v": "<2.0.10" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-33571", "id": "pyup.io-49660", "more_info_path": "/vulnerabilities/CVE-2021-33571/49660", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'pylint' to v2.11.1 to include security fixes.", "cve": "PVE-2021-39621", "id": "pyup.io-49633", "more_info_path": "/vulnerabilities/PVE-2021-39621/49633", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'poetry' to v1.1.11 to include a security fix.", "cve": "CVE-2022-26184", "id": "pyup.io-49666", "more_info_path": "/vulnerabilities/CVE-2022-26184/49666", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-31542", "id": "pyup.io-49662", "more_info_path": "/vulnerabilities/CVE-2021-31542/49662", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 fixes an open redirect vulnerability.\r\nhttps://github.com/cyface/django-termsandconditions/commit/0a0f7ac5ded705d4083a0ffa0db4909557412d04", "cve": "PVE-2022-49667", "id": "pyup.io-49667", "more_info_path": "/vulnerabilities/PVE-2022-49667/49667", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'pylint' to v2.11.1 to include security fixes.", "cve": "PVE-2021-38224", "id": "pyup.io-49657", "more_info_path": "/vulnerabilities/PVE-2021-38224/49657", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-33203", "id": 
"pyup.io-49659", "more_info_path": "/vulnerabilities/CVE-2021-33203/49659", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-32052", "id": "pyup.io-49661", "more_info_path": "/vulnerabilities/CVE-2021-32052/49661", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-28658", "id": "pyup.io-49663", "more_info_path": "/vulnerabilities/CVE-2021-28658/49663", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-23336", "id": "pyup.io-49664", "more_info_path": "/vulnerabilities/CVE-2021-23336/49664", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-3281", "id": "pyup.io-49665", "more_info_path": "/vulnerabilities/CVE-2021-3281/49665", "specs": [ "<2.0.9" ], "v": "<2.0.9" }, { "advisory": "Django-termsandconditions 2.0.9 updates its dependency 'django' to v3.2.8 to include security fixes.", "cve": "CVE-2021-35042", "id": "pyup.io-49658", "more_info_path": "/vulnerabilities/CVE-2021-35042/49658", "specs": [ "<2.0.9" ], "v": "<2.0.9" } ], "django-tinymce": [ { "advisory": "Django-tinymce 3.4.0 updates its NuGet dependency 'TinyMCE' to v5.10.1 to include a fix for a cross-site scripting vulnerability: a remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.", "cve": "CVE-2024-21910", "id": "pyup.io-63603", "more_info_path": "/vulnerabilities/CVE-2024-21910/63603", "specs": [ "<3.4.0" ], "v": "<3.4.0" }, { "advisory": "Django-tinymce 3.4.0 updates its dependency 'TinyMCE' to 
v5.7.1 to include a fix for a XSS vulnerability.\r\nhttps://github.com/jazzband/django-tinymce/issues/366\r\nhttps://github.com/tinymce/tinymce/security/advisories/GHSA-5vm8-hhgr-jcjp", "cve": "PVE-2023-55203", "id": "pyup.io-55203", "more_info_path": "/vulnerabilities/PVE-2023-55203/55203", "specs": [ ">=0,<3.4.0" ], "v": ">=0,<3.4.0" } ], "django-treenode": [ { "advisory": "Django-treenode 0.20.0 fixes an XSS vulnerability in `get_display_text` method.", "cve": "PVE-2024-64721", "id": "pyup.io-64721", "more_info_path": "/vulnerabilities/PVE-2024-64721/64721", "specs": [ "<0.20.0" ], "v": "<0.20.0" } ], "django-trench": [ { "advisory": "Django-trench 0.2.3 updates default backup codes settings to a more secure standard.\r\nhttps://github.com/merixstudio/django-trench/pull/52", "cve": "PVE-2021-42899", "id": "pyup.io-42899", "more_info_path": "/vulnerabilities/PVE-2021-42899/42899", "specs": [ "<0.2.3" ], "v": "<0.2.3" } ], "django-triggers": [ { "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", "cve": "CVE-2018-14574", "id": "pyup.io-43669", "more_info_path": "/vulnerabilities/CVE-2018-14574/43669", "specs": [ "<2.0.13" ], "v": "<2.0.13" }, { "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", "cve": "CVE-2018-7537", "id": "pyup.io-37072", "more_info_path": "/vulnerabilities/CVE-2018-7537/37072", "specs": [ "<2.0.13" ], "v": "<2.0.13" }, { "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", "cve": "CVE-2019-3498", "id": "pyup.io-43668", "more_info_path": "/vulnerabilities/CVE-2019-3498/43668", "specs": [ "<2.0.13" ], "v": "<2.0.13" }, { "advisory": "Django-triggers 2.0.13 updates its dependency 'Django' to v2.1.5 to include security fixes.", "cve": "CVE-2020-9402", "id": "pyup.io-43667", "more_info_path": "/vulnerabilities/CVE-2020-9402/43667", "specs": [ "<2.0.13" ], "v": "<2.0.13" } ], 
"django-two-factor-auth": [ { "advisory": "Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. 
As a workaround, switching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading. See: CVE-2020-15105.", "cve": "CVE-2020-15105", "id": "pyup.io-38562", "more_info_path": "/vulnerabilities/CVE-2020-15105/38562", "specs": [ "<1.12" ], "v": "<1.12" }, { "advisory": "Certain configurations of django-two-factor-auth are susceptible to an Insecure Permissions vulnerability. This issue arises when a site's configuration permits users to circumvent the necessary two-factor authentication (2FA) process for login, such as improperly configured admin logins that allow access without 2FA. Consequently, an attacker can disable a user's two-factor devices and establish a new 2FA setup to access areas requiring one-time passwords (OTP). Additionally, this vulnerability could be exploited through any of the user's multiple active sessions, enabling the attacker to deactivate 2FA without needing the physical device.\r\nhttps://github.com/jazzband/django-two-factor-auth/pull/390/commits/cd7a2e1befd0acb7000c57c7d374684289c94e8b", "cve": "PVE-2024-99789", "id": "pyup.io-66027", "more_info_path": "/vulnerabilities/PVE-2024-99789/66027", "specs": [ ">=0,<1.13" ], "v": ">=0,<1.13" } ], "django-ucamlookup": [ { "advisory": "Django-ucamlookup 1.9.2 fixes lack of escaping in select2 calls.\r\nhttps://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3", "cve": "PVE-2021-36744", "id": "pyup.io-36744", "more_info_path": "/vulnerabilities/PVE-2021-36744/36744", "specs": [ "<1.9.2" ], "v": "<1.9.2" }, { "advisory": "Django-ucamlookup 1.9.2 includes a fix for CVE-2016-15010: Affected by this vulnerability is an unknown functionality of the component Lookup Handler. 
The manipulation leads to cross site scripting. The attack can be launched remotely.", "cve": "CVE-2016-15010", "id": "pyup.io-52672", "more_info_path": "/vulnerabilities/CVE-2016-15010/52672", "specs": [ "<1.9.2" ], "v": "<1.9.2" } ], "django-uni-form": [ { "advisory": "Django-uni-form 0.9.0 fixes a XSS security issue. Errors weren't rendered safe: field's input was part of the error message, unsanitized.\r\nhttps://github.com/pydanny/django-uni-form/pull/98", "cve": "PVE-2021-25796", "id": "pyup.io-25796", "more_info_path": "/vulnerabilities/PVE-2021-25796/25796", "specs": [ "<0.9.0" ], "v": "<0.9.0" } ], "django-unicorn": [ { "advisory": "Django-unicorn version 0.29.0 sanitizes initial JSON to prevent XSS.\r\nhttps://github.com/adamghill/django-unicorn/commit/c38e2a8bbb3ec6a8cdba30813282d9159c90f0d2", "cve": "PVE-2021-42099", "id": "pyup.io-42099", "more_info_path": "/vulnerabilities/PVE-2021-42099/42099", "specs": [ "<0.29.0" ], "v": "<0.29.0" }, { "advisory": "Django-unicorn version 0.36.0 includes a fix for CVE-2021-42053: The Unicorn framework through 0.35.3 for Django allows XSS via component.name.\r\nhttps://github.com/adamghill/django-unicorn/pull/288/files", "cve": "CVE-2021-42053", "id": "pyup.io-42060", "more_info_path": "/vulnerabilities/CVE-2021-42053/42060", "specs": [ "<0.36.0" ], "v": "<0.36.0" }, { "advisory": "The Unicorn framework before 0.36.1 for Django allows XSS via a component. 
NOTE: this issue exists because of an incomplete fix for CVE-2021-42053.\r\nhttps://github.com/adamghill/django-unicorn/commit/3a832a9e3f6455ddd3b87f646247269918ad10c6\r\nhttps://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1", "cve": "CVE-2021-42134", "id": "pyup.io-42107", "more_info_path": "/vulnerabilities/CVE-2021-42134/42107", "specs": [ "<0.36.1" ], "v": "<0.36.1" } ], "django-url-security": [ { "advisory": "Django-url-security 0.0.2 updates its dependency 'mkdocs' to version '1.3.0' to include a fix for a Cross-Site Scripting vulnerability.\r\nhttps://github.com/Edrolo/django-url-security/commit/858bab7be8b5dc7e871c1177ef6a2153d5aea5a4", "cve": "PVE-2022-47794", "id": "pyup.io-59457", "more_info_path": "/vulnerabilities/PVE-2022-47794/59457", "specs": [ "<0.0.2" ], "v": "<0.0.2" } ], "django-urlconf-export": [ { "advisory": "Django-urlconf-export 1.1.1 updates Django to v3.0.7 to include security fixes.", "cve": "CVE-2020-13596", "id": "pyup.io-38386", "more_info_path": "/vulnerabilities/CVE-2020-13596/38386", "specs": [ "<1.1.1" ], "v": "<1.1.1" }, { "advisory": "Django-urlconf-export 1.1.1 updates Django to v3.0.7 to include security fixes.", "cve": "CVE-2020-13254", "id": "pyup.io-43660", "more_info_path": "/vulnerabilities/CVE-2020-13254/43660", "specs": [ "<1.1.1" ], "v": "<1.1.1" } ], "django-user-accounts": [ { "advisory": "Django-user-accounts before 2.0.2 has a potential security issue with leaking password reset tokens through HTTP Referer header.\r\nhttps://github.com/pinax/django-user-accounts/issues/258", "cve": "PVE-2021-34774", "id": "pyup.io-34774", "more_info_path": "/vulnerabilities/PVE-2021-34774/34774", "specs": [ "<2.0.2" ], "v": "<2.0.2" } ], "django-user-management": [ { "advisory": "Django-user-management 18.0.0 updates its dependency 'pillow' to a version >3.3.2 to include security fixes.", "cve": "CVE-2016-9190", "id": "pyup.io-43474", "more_info_path": "/vulnerabilities/CVE-2016-9190/43474", "specs": [ "<18.0.0" ], 
"v": "<18.0.0" }, { "advisory": "Django-user-management 18.0.0 updates its dependency 'pillow' to a version >3.3.2 to include security fixes.", "cve": "CVE-2016-9189", "id": "pyup.io-43473", "more_info_path": "/vulnerabilities/CVE-2016-9189/43473", "specs": [ "<18.0.0" ], "v": "<18.0.0" }, { "advisory": "Django-user-management 18.0.0 updates its dependency 'djangorestframework' to a version >=3.9.1 to patch an XSS vulnerability.", "cve": "CVE-2018-25045", "id": "pyup.io-38634", "more_info_path": "/vulnerabilities/CVE-2018-25045/38634", "specs": [ "<18.0.0" ], "v": "<18.0.0" } ], "django-user-sessions": [ { "advisory": "In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen. 
See: CVE-2020-5224.", "cve": "CVE-2020-5224", "id": "pyup.io-37777", "more_info_path": "/vulnerabilities/CVE-2020-5224/37777", "specs": [ "<1.7.1" ], "v": "<1.7.1" } ], "django-userena-ce": [ { "advisory": "Django-userena-ce 4.0.0 uses class based auth views to fix leaking of password reset token.\r\nhttps://github.com/django-userena-ce/django-userena-ce/commit/210a50fd227a1ccec2c857f5b75712011656c23b", "cve": "PVE-2022-45296", "id": "pyup.io-45296", "more_info_path": "/vulnerabilities/PVE-2022-45296/45296", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Django-userena-ce 4.0.0 drops support for Django 1.8 to use as default a more secure version (1.11) \r\nhttps://github.com/django-userena-ce/django-userena-ce/commit/210a50fd227a1ccec2c857f5b75712011656c23b", "cve": "CVE-2018-7536", "id": "pyup.io-45307", "more_info_path": "/vulnerabilities/CVE-2018-7536/45307", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { "advisory": "Django-userena-ce 4.0.0 drops support for Django 1.8 to use as default a more secure version (1.11) \r\nhttps://github.com/django-userena-ce/django-userena-ce/commit/210a50fd227a1ccec2c857f5b75712011656c23b", "cve": "CVE-2018-7537", "id": "pyup.io-45308", "more_info_path": "/vulnerabilities/CVE-2018-7537/45308", "specs": [ "<4.0.0" ], "v": "<4.0.0" } ], "django-watchman": [ { "advisory": "Django-watchman 0.10.0 improves security by keeping tokens out of logs.\r\nhttps://github.com/mwarkentin/django-watchman/issues/73", "cve": "PVE-2021-25797", "id": "pyup.io-25797", "more_info_path": "/vulnerabilities/PVE-2021-25797/25797", "specs": [ "<0.10.0" ], "v": "<0.10.0" } ], "django-webix": [ { "advisory": "Django-webix 1.2.0 includes a fix for a CSRF vulnerability.\r\nhttps://github.com/MPASolutions/django-webix/commit/4190a0934e8389d6f73687331d6814ad9fdec358", "cve": "PVE-2023-59135", "id": "pyup.io-59135", "more_info_path": "/vulnerabilities/PVE-2023-59135/59135", "specs": [ "<1.2.0" ], "v": "<1.2.0" } ], "django-websocket": [ { "advisory": 
"Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2022-22818", "id": "pyup.io-47968", "more_info_path": "/vulnerabilities/CVE-2022-22818/47968", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2013-0305", "id": "pyup.io-47944", "more_info_path": "/vulnerabilities/CVE-2013-0305/47944", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-0221", "id": "pyup.io-47951", "more_info_path": "/vulnerabilities/CVE-2015-0221/47951", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-5143", "id": "pyup.io-47954", "more_info_path": "/vulnerabilities/CVE-2015-5143/47954", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2013-0306", "id": "pyup.io-47945", "more_info_path": "/vulnerabilities/CVE-2013-0306/47945", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-0219", "id": "pyup.io-47949", "more_info_path": "/vulnerabilities/CVE-2015-0219/47949", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-0220", "id": "pyup.io-47950", "more_info_path": "/vulnerabilities/CVE-2015-0220/47950", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-2317", "id": "pyup.io-47953", "more_info_path": 
"/vulnerabilities/CVE-2015-2317/47953", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2022-23833", "id": "pyup.io-47969", "more_info_path": "/vulnerabilities/CVE-2022-23833/47969", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2012-4520", "id": "pyup.io-47597", "more_info_path": "/vulnerabilities/CVE-2012-4520/47597", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2013-1443", "id": "pyup.io-47946", "more_info_path": "/vulnerabilities/CVE-2013-1443/47946", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2013-6044", "id": "pyup.io-47947", "more_info_path": "/vulnerabilities/CVE-2013-6044/47947", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2014-0483", "id": "pyup.io-47948", "more_info_path": "/vulnerabilities/CVE-2014-0483/47948", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-2241", "id": "pyup.io-47952", "more_info_path": "/vulnerabilities/CVE-2015-2241/47952", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-5144", "id": "pyup.io-47955", "more_info_path": "/vulnerabilities/CVE-2015-5144/47955", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known 
vulnerabilities.", "cve": "CVE-2015-5963", "id": "pyup.io-47956", "more_info_path": "/vulnerabilities/CVE-2015-5963/47956", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-5964", "id": "pyup.io-47957", "more_info_path": "/vulnerabilities/CVE-2015-5964/47957", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2016-7401", "id": "pyup.io-47961", "more_info_path": "/vulnerabilities/CVE-2016-7401/47961", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2016-2512", "id": "pyup.io-47959", "more_info_path": "/vulnerabilities/CVE-2016-2512/47959", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2016-2513", "id": "pyup.io-47960", "more_info_path": "/vulnerabilities/CVE-2016-2513/47960", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2015-8213", "id": "pyup.io-47958", "more_info_path": "/vulnerabilities/CVE-2015-8213/47958", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2019-19844", "id": "pyup.io-47962", "more_info_path": "/vulnerabilities/CVE-2019-19844/47962", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2021-33203", "id": "pyup.io-47963", "more_info_path": "/vulnerabilities/CVE-2021-33203/47963", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": 
"Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2021-45116", "id": "pyup.io-47966", "more_info_path": "/vulnerabilities/CVE-2021-45116/47966", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2021-45115", "id": "pyup.io-47965", "more_info_path": "/vulnerabilities/CVE-2021-45115/47965", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2021-45452", "id": "pyup.io-47967", "more_info_path": "/vulnerabilities/CVE-2021-45452/47967", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" }, { "advisory": "Django-websocket 0.3.0 and prior use a version of 'Django' (1.4.1) with known vulnerabilities.", "cve": "CVE-2021-44420", "id": "pyup.io-47964", "more_info_path": "/vulnerabilities/CVE-2021-44420/47964", "specs": [ "<=0.3.0" ], "v": "<=0.3.0" } ], "django-widgy": [ { "advisory": "Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page' (https://github.com/fusionbox/django-widgy/issues/387). See CVE-2020-18704.", "cve": "CVE-2020-18704", "id": "pyup.io-41185", "more_info_path": "/vulnerabilities/CVE-2020-18704/41185", "specs": [ "==0.8.4" ], "v": "==0.8.4" } ], "django-wiki": [ { "advisory": "django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users. 
See CVE-2024-28865.", "cve": "CVE-2024-28865", "id": "pyup.io-66971", "more_info_path": "/vulnerabilities/CVE-2024-28865/66971", "specs": [ "<0.10.1" ], "v": "<0.10.1" } ], "django-wm": [ { "advisory": "Django-wm 2.0.0 updates the celery dependency to versions =< 5.2.2 due to the CVE-2021-23727.\r\nhttps://github.com/beatonma/django-wm/compare/1.3.1...2.0.0#diff-fa602a8a75dc9dcc92261bac5f533c2a85e34fcceaff63b3a3a81d9acde2fc52R28", "cve": "CVE-2021-23727", "id": "pyup.io-62986", "more_info_path": "/vulnerabilities/CVE-2021-23727/62986", "specs": [ "<2.0.0" ], "v": "<2.0.0" } ], "django-x509": [ { "advisory": "Django-x509 0.9.1 updates the minimum version of 'cryptography' to 3.2 for security reasons.", "cve": "CVE-2020-25659", "id": "pyup.io-39116", "more_info_path": "/vulnerabilities/CVE-2020-25659/39116", "specs": [ "<0.9.1" ], "v": "<0.9.1" } ], "djangocms-admin-style": [ { "advisory": "Djangocms-admin-style 1.2.5 fixes a potential security issue if the 'Site.name' field contains malicious code.\r\nhttps://github.com/django-cms/djangocms-admin-style/pull/375/files", "cve": "PVE-2021-36834", "id": "pyup.io-36834", "more_info_path": "/vulnerabilities/PVE-2021-36834/36834", "specs": [ "<1.2.5" ], "v": "<1.2.5" } ], "djangocms-frontend": [ { "advisory": "Djangocms-frontend 1.0.1 avoids HTML injection into carousels when ckeditor is not installed.\r\nhttps://github.com/django-cms/djangocms-frontend/commit/80972e7bf9f7a361d26ca35bcaa5b7578277b3ff", "cve": "PVE-2022-51669", "id": "pyup.io-51669", "more_info_path": "/vulnerabilities/PVE-2022-51669/51669", "specs": [ "<1.0.1" ], "v": "<1.0.1" } ], "djangocms-highlightjs": [ { "advisory": "Djangocms-highlightjs 0.3.1 escapes code in plugin template.\r\nhttps://github.com/nephila/djangocms-highlightjs/pull/1", "cve": "PVE-2021-25798", "id": "pyup.io-25798", "more_info_path": "/vulnerabilities/PVE-2021-25798/25798", "specs": [ "<0.3.1" ], "v": "<0.3.1" } ], "djangoo": [ { "advisory": "Djangoo is a malicious package. 
It injects obfuscated JS code that replaces crypto addresses in developer clipboards.", "cve": "PVE-2022-51740", "id": "pyup.io-51740", "more_info_path": "/vulnerabilities/PVE-2022-51740/51740", "specs": [ ">0" ], "v": ">0" } ], "djangorestframework": [ { "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.\r\nhttps://github.com/encode/django-rest-framework/commit/dcee027fa97f015ff3b87f0fd72b7995cdd6e155", "cve": "PVE-2021-25799", "id": "pyup.io-25799", "more_info_path": "/vulnerabilities/PVE-2021-25799/25799", "specs": [ "<2.2.1" ], "v": "<2.2.1" }, { "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.\r\nhttps://github.com/encode/django-rest-framework/commit/71c03b9db97edbde228777981de0ac7b664302de", "cve": "PVE-2021-25800", "id": "pyup.io-25800", "more_info_path": "/vulnerabilities/PVE-2021-25800/25800", "specs": [ "<2.3.12" ], "v": "<2.3.12" }, { "advisory": "Djangorestframework 2.3.14 fixes a security issue. 
It escapes the request path when it is included as part of the login and logout links in the browsable API.\r\nhttps://github.com/encode/django-rest-framework/commit/e11f41ebc4ef088a5849771dfda5a7fba4f82904", "cve": "PVE-2021-25801", "id": "pyup.io-25801", "more_info_path": "/vulnerabilities/PVE-2021-25801/25801", "specs": [ "<2.3.14" ], "v": "<2.3.14" }, { "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.\r\nhttps://github.com/encode/django-rest-framework/commit/b5c98f686d8aa8f249aa0270f8ee0560482d9538", "cve": "PVE-2021-25802", "id": "pyup.io-25802", "more_info_path": "/vulnerabilities/PVE-2021-25802/25802", "specs": [ "<2.4.4" ], "v": "<2.4.4" }, { "advisory": "A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious