From 78a2c6cbabb8f91eea49c5c8452978e8819ad929 Mon Sep 17 00:00:00 2001
From: "pyup.io vuln bot"
Date: Fri, 31 May 2024 23:00:50 -0700
Subject: [PATCH] june update

---
 data/insecure_full.json | 15020 +++++++++++++++++++++-----------------
 1 file changed, 8431 insertions(+), 6589 deletions(-)

diff --git a/data/insecure_full.json b/data/insecure_full.json
index bcece28a..d6e40bfa 100644
--- a/data/insecure_full.json
+++ b/data/insecure_full.json
@@ -2,7 +2,7 @@
 "$meta": {
 "advisory": "PyUp.io metadata",
 "base_domain": "https://pyup.io",
- "timestamp": 1714543250
+ "timestamp": 1717221649
 },
 "10cent10": [
 {
@@ -110,20 +110,20 @@
 ],
 "aa-timezones": [
 {
- "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9",
- "cve": "PVE-2022-51033",
- "id": "pyup.io-51033",
- "more_info_path": "/vulnerabilities/PVE-2022-51033/51033",
+ "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c",
+ "cve": "PVE-2023-54978",
+ "id": "pyup.io-54978",
+ "more_info_path": "/vulnerabilities/PVE-2023-54978/54978",
 "specs": [
 "<1.12.0"
 ],
 "v": "<1.12.0"
 },
 {
- "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c",
- "cve": "PVE-2023-54978",
- "id": "pyup.io-54978",
- "more_info_path": "/vulnerabilities/PVE-2023-54978/54978",
+ "advisory": "Aa-timezones 1.12.0 updates its NPM dependency 'moment-timezone' to include security fixes.\r\nhttps://github.com/ppfeufer/aa-timezones/pull/58/commits/8f382a1a3a3f9ddd77f10fb3b1d3380e6267eab1\r\nhttps://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9",
+ "cve": "PVE-2022-51033",
+ "id": "pyup.io-51033",
+ "more_info_path": "/vulnerabilities/PVE-2022-51033/51033",
 "specs": [
 "<1.12.0"
 ],
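Review bot: The two aa-timezones entries are byte-identical on both sides and merely trade positions (pyup.io-51033 and pyup.io-54978 swap), so this hunk carries no data change at all. The same pattern appears in the acryl-datahub hunk, where five unchanged entries rotate, and in the two actipy hunks, which suggests the generator serializes each package's advisory list in an unstable order. That is a large part of why a monthly refresh touches 15020 lines, and it buries the substantive changes in this commit (dropped keys, moved entries, range edits) among noise a reviewer has to read past. Sorting each package's list by `id` (or `cve` then `id`) before dumping would make these hunks disappear and leave only real changes in the diff.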
@@ -293,50 +293,50 @@ ], "acryl-datahub": [ { - "advisory": "In DataHub versions prior to 0.8.45, session cookies are only cleared upon new sign-ins, not during logouts. This allows potential attackers to bypass authentication checks using the AuthUtils.hasValidSessionCookie() method by using a cookie from a logged-out session. Consequently, any logged-out session cookie might be considered valid, leading to an authentication bypass. Users are advised to upgrade to version 0.8.45 to rectify this vulnerability. Currently, there are no known workarounds. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-083.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-3974-hxjh-m3jj\r\nhttps://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/datahub-frontend/app/auth/AuthUtils.java#L78", - "cve": "CVE-2023-25562", - "id": "pyup.io-63338", - "more_info_path": "/vulnerabilities/CVE-2023-25562/63338", + "advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg", + "cve": "CVE-2023-25557", + "id": "pyup.io-63341", + "more_info_path": "/vulnerabilities/CVE-2023-25557/63341", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { - "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. 
This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c", - "cve": "CVE-2023-25561", - "id": "pyup.io-63339", - "more_info_path": "/vulnerabilities/CVE-2023-25561/63339", + "advisory": "DataHub under 0.8.45 uses the X-DataHub-Actor HTTP header to identify the user making requests without authentication. However, this can be exploited by attackers who can manipulate the case of the header (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass and unauthorized actions. This issue, identified and reported by GitHub Security Lab, is known as GHSL-2022-079.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-qgp2-qr66-j8r8", + "cve": "CVE-2023-25559", + "id": "pyup.io-63343", + "more_info_path": "/vulnerabilities/CVE-2023-25559/63343", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { - "advisory": "DataHub under 0.8.45 uses the X-DataHub-Actor HTTP header to identify the user making requests without authentication. However, this can be exploited by attackers who can manipulate the case of the header (e.g., X-DATAHUB-ACTOR), leading to potential authorization bypass and unauthorized actions. This issue, identified and reported by GitHub Security Lab, is known as GHSL-2022-079.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-qgp2-qr66-j8r8", - "cve": "CVE-2023-25559", - "id": "pyup.io-63343", - "more_info_path": "/vulnerabilities/CVE-2023-25559/63343", + "advisory": "In DataHub versions prior to 0.8.45, session cookies are only cleared upon new sign-ins, not during logouts. 
This allows potential attackers to bypass authentication checks using the AuthUtils.hasValidSessionCookie() method by using a cookie from a logged-out session. Consequently, any logged-out session cookie might be considered valid, leading to an authentication bypass. Users are advised to upgrade to version 0.8.45 to rectify this vulnerability. Currently, there are no known workarounds. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-083.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-3974-hxjh-m3jj\r\nhttps://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/datahub-frontend/app/auth/AuthUtils.java#L78", + "cve": "CVE-2023-25562", + "id": "pyup.io-63338", + "more_info_path": "/vulnerabilities/CVE-2023-25562/63338", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { - "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3", - "cve": "CVE-2023-25560", - "id": "pyup.io-63340", - "more_info_path": "/vulnerabilities/CVE-2023-25560/63340", + "advisory": "DataHub's AuthServiceClient, particularly versions below 0.8.45, creates JSON strings using format strings with user-controlled data. This approach lets potential attackers alter these JSON strings and forward them to the backend, causing potential misuse and authentication bypasses. 
This could lead to the creation of system accounts, potentially resulting in full system compromise. This vulnerability was discovered and reported by the GitHub Security lab and is being tracked under GHSL-2022-081.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-7wc6-p6c4-522c", + "cve": "CVE-2023-25561", + "id": "pyup.io-63339", + "more_info_path": "/vulnerabilities/CVE-2023-25561/63339", "specs": [ "<0.8.45" ], "v": "<0.8.45" }, { - "advisory": "DataHub under 0.8.45 frontend, acting as a proxy, is found to have a vulnerability where it doesn't properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), potentially allowing external users to reroute requests from the DataHub Frontend to any host. This could enable attackers to reroute a request from the frontend proxy to any other server and return the result. The vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-076.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-5w2h-q83m-65xg", - "cve": "CVE-2023-25557", - "id": "pyup.io-63341", - "more_info_path": "/vulnerabilities/CVE-2023-25557/63341", + "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3", + "cve": "CVE-2023-25560", + "id": "pyup.io-63340", + "more_info_path": "/vulnerabilities/CVE-2023-25560/63340", "specs": [ "<0.8.45" ], 
@@ -384,6 +384,26 @@ ], "v": "<4.11.0" }, + { + "advisory": "Actinia-core version 4.14.0 updates its Flask dependency from \"Flask>=1.1.4\" to \"Flask>=3.0.0\" to address the security vulnerability identified as CVE-2023-30861.", + "cve": "CVE-2023-30861", + "id": "pyup.io-71176", + "more_info_path": "/vulnerabilities/CVE-2023-30861/71176", + "specs": [ + "<4.14.0" + ], + "v": "<4.14.0" + }, + { + "advisory": "Actinia-core version 4.14.0 updates its dependency from version 2.3.6 to 3.0.1 to address the security vulnerability identified as CVE-2023-46136.", + "cve": "CVE-2023-46136", + "id": "pyup.io-71172", + "more_info_path": "/vulnerabilities/CVE-2023-46136/71172", + "specs": [ + "<4.14.0" + ], + "v": "<4.14.0" + }, { "advisory": "Actinia-core 4.5.0 includes a fix for a path traversal vulnerability.\r\nhttps://github.com/actinia-org/actinia-core/commit/be5299efb6490c9a8b0804f185421c0828c6d126", "cve": "PVE-2023-58948", @@ -410,9 +430,9 @@ "actipy": [ { "advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.", - "cve": "CVE-2021-34141", - "id": "pyup.io-51296", - "more_info_path": "/vulnerabilities/CVE-2021-34141/51296", + "cve": "CVE-2021-41496", + "id": "pyup.io-51303", + "more_info_path": "/vulnerabilities/CVE-2021-41496/51303", "specs": [ "<1.1.0" ], @@ -420,9 +440,9 @@ }, { "advisory": "Actipy 1.1.0 updates its dependency 'numpy' requirement to '>=1.22' to include security fixes.", - "cve": "CVE-2021-41496", - "id": "pyup.io-51303", - "more_info_path": "/vulnerabilities/CVE-2021-41496/51303", + "cve": "CVE-2021-34141", + "id": "pyup.io-51296", + "more_info_path": "/vulnerabilities/CVE-2021-34141/51296", "specs": [ "<1.1.0" ], 
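Review bot: The second added actinia-core entry (pyup.io-71172) never names the dependency being bumped: `"Actinia-core version 4.14.0 updates its dependency from version 2.3.6 to 3.0.1 ..."` tells a reader neither which package changed nor why the bump matters, and unlike the neighbouring entries it carries no reference URL. The sibling entry for CVE-2023-30861 shows the intended form (`"Flask>=1.1.4"` to `"Flask>=3.0.0"`); the 2.3.6 to 3.0.1 pair is consistent with a Werkzeug bump, but the entry should state the package explicitly and link the upstream release note or commit so the mapping to CVE-2023-46136 can be verified rather than inferred. The two actipy hunks that follow only swap two unchanged entries and need no change.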
@@ -441,28 +461,6 @@ "v": "<2.9.0" } ], - "admesh": [ - { - "advisory": "Admesh 0.98.5 fixes an improper array index validation vulnerability exists in the stl_fix_normal_directions functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.\r\nhttps://github.com/admesh/admesh/commit/5fab257268a0ee6f832c18d72af89810a29fbd5f", - "cve": "CVE-2022-38072", - "id": "pyup.io-62745", - "more_info_path": "/vulnerabilities/CVE-2022-38072/62745", - "specs": [ - "<0.98.5" - ], - "v": "<0.98.5" - }, - { - "advisory": "ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.", - "cve": "CVE-2018-25033", - "id": "pyup.io-54184", - "more_info_path": "/vulnerabilities/CVE-2018-25033/54184", - "specs": [ - ">=0,<0.98.5" - ], - "v": ">=0,<0.98.5" - } - ], "adversarial-robustness-toolbox": [ { "advisory": "Adversarial-robustness-toolbox version 1.6.1 updates its dependency \"Pillow\" to a secure version. See CVE-2021-28675.", @@ -573,6 +571,16 @@ "<1.2.4" ], "v": "<1.2.4" + }, + { + "advisory": "Agixt version 1.5.17 fixes an issue with context injection strings, enhancing the handling of feedback and web search data. This update prevents potential vulnerabilities where maliciously crafted inputs could inject unintended commands or data into the application's context, thereby improving the security and reliability of the application's response generation.", + "cve": "PVE-2024-71135", + "id": "pyup.io-71135", + "more_info_path": "/vulnerabilities/PVE-2024-71135/71135", + "specs": [ + "<1.5.17" + ], + "v": "<1.5.17" } ], "agraph-python": [ 
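Review bot: The added agixt entry (pyup.io-71135, PVE-2024-71135) describes its fix only in generic terms, `"fixes an issue with context injection strings"`, and, unlike the neighbouring entries, cites no commit, release note or advisory, so a consumer cannot verify what 1.5.17 changed or whether the `<1.5.17` range is right. Appending the upstream reference in the same `\r\nhttps://...` tail form the rest of the file uses would make the entry actionable. Separately, the preceding hunk deletes the entire `admesh` key with its two entries (CVE-2022-38072 and CVE-2018-25033) and the commit message does not say why; if the package was deliberately retired from the database that deserves a line in the commit message, because consumers pinning admesh silently stop receiving those findings.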
@@ -1189,7 +1197,7 @@
 ],
 "aiob": [
 {
- "advisory": "AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.\r\nAlias: GHSA-rwqr-c348-m5wr",
+ "advisory": "** DISPUTED ** AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application.\r\nAlias: GHSA-rwqr-c348-m5wr",
 "cve": "CVE-2022-33124",
 "id": "pyup.io-62742",
 "more_info_path": "/vulnerabilities/CVE-2022-33124/62742",
@@ -1310,16 +1318,6 @@
 ],
 "v": "<3.8.0"
 },
- {
- "advisory": "** Disputed ** AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application",
- "cve": "CVE-2022-33124",
- "id": "pyup.io-68501",
- "more_info_path": "/vulnerabilities/CVE-2022-33124/68501",
- "specs": [
- "<3.8.1"
- ],
- "v": "<3.8.1"
- },
 {
 "advisory": "Aiohttp 3.8.6 updates vendored copy of 'llhttp' to v9.1.3 to include a security fix.\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9",
 "cve": "PVE-2023-61657",
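Review bot: The surviving CVE-2022-33124 record (pyup.io-62742) is keyed under `"aiob"` although its text is about AIOHTTP 3.8.1, while the second hunk removes the copy of the same CVE (pyup.io-68501, range `<3.8.1`) from what the surrounding context (`"v": "<3.8.0"`, the 3.8.6 llhttp entry) shows to be the aiohttp list. If `aiob` is a distinct package, this commit leaves aiohttp with no record of CVE-2022-33124 and keeps the advisory under a package that does not have the bug; the duplicate to drop is the one under `aiob`, or the kept entry should be moved into the aiohttp list. The `specs` of pyup.io-62742 are outside this hunk, so its range should also be checked against the removed `<3.8.1` before the duplicate is discarded.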
@@ -1370,6 +1368,16 @@
 ],
 "v": "<3.9.1"
 },
+ {
+ "advisory": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. See CVE-2024-27306.",
+ "cve": "CVE-2024-27306",
+ "id": "pyup.io-70630",
+ "more_info_path": "/vulnerabilities/CVE-2024-27306/70630",
+ "specs": [
+ "<3.9.4"
+ ],
+ "v": "<3.9.4"
+ },
 {
 "advisory": "Aiohttp 3.8.5 includes a fix for CVE-2023-37276: Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.\r\nhttps://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40\r\nhttps://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w",
 "cve": "CVE-2023-37276",
@@ -1738,6 +1746,16 @@
 "<1.4.5"
 ],
 "v": "<1.4.5"
+ },
+ {
+ "advisory": "aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue. See CVE-2024-34083.",
+ "cve": "CVE-2024-34083",
+ "id": "pyup.io-71242",
+ "more_info_path": "/vulnerabilities/CVE-2024-34083/71242",
+ "specs": [
+ "<=1.4.5"
+ ],
+ "v": "<=1.4.5"
 }
 ],
 "aiosmtplib": [
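Review bot: The added aiosmtpd entry (pyup.io-71242) expresses its range as `<=1.4.5` while its own text says `Version 1.4.6 contains a patch` and the neighbouring entry for the same package uses the `<1.4.5` form; writing it as `"<1.4.6"` in both `specs` and `v` keeps the database's convention and also covers a post-release such as a hypothetical 1.4.5.post1, which `<=1.4.5` would report as fixed under PEP 440 ordering. The misspelling `aiosmptd` in the first word appears to be inherited from the upstream description, but it defeats a text search for the package name and is worth correcting. The aiohttp entry for CVE-2024-27306 in the preceding hunk is consistent (`<3.9.4` against "fixed in 3.9.4").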
@@ -1832,6 +1850,28 @@
 "v": "<0.1.2"
 }
 ],
+ "ait-core": [
+ {
+ "advisory": "An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file. See CVE-2024-35060.",
+ "cve": "CVE-2024-35060",
+ "id": "pyup.io-71244",
+ "more_info_path": "/vulnerabilities/CVE-2024-35060/71244",
+ "specs": [
+ "<2.5.2"
+ ],
+ "v": "<2.5.2"
+ },
+ {
+ "advisory": "An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands. See CVE-2024-35059.",
+ "cve": "CVE-2024-35059",
+ "id": "pyup.io-71243",
+ "more_info_path": "/vulnerabilities/CVE-2024-35059/71243",
+ "specs": [
+ "<2.5.2"
+ ],
+ "v": "<2.5.2"
+ }
+ ],
 "aiutil": [
 {
 "advisory": "Aiutil 0.71.1 includes a fix for an injection vulnerability through password input.\r\nhttps://github.com/legendu-net/aiutil/pull/333/commits/e1d016d329b39b5e799de9c2fcacb2249582863f",
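Review bot: Both added ait-core entries say 2.5.2 itself is affected (`NASA AIT-Core v2.5.2 allows attackers ...`) yet their `specs` and `v` are `<2.5.2`, which tells consumers that 2.5.2 is safe, the opposite of the advisory text. Unless a fixed release is known and simply unmentioned, the range for pyup.io-71244 and pyup.io-71243 should be `"<=2.5.2"` (or carry whatever no-fix marker the database uses, if it has one). These are unsafe-deserialization findings (YAML and pickle) described as arbitrary command execution, so under-stating the affected range is the worse direction to err in.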
@@ -2765,16 +2805,6 @@
 }
 ],
 "ansible": [
- {
- "advisory": "Ansible 1.2.1 includes a fix for CVE-2013-2233: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=980821",
- "cve": "CVE-2013-2233",
- "id": "pyup.io-42921",
- "more_info_path": "/vulnerabilities/CVE-2013-2233/42921",
- "specs": [
- "<1.2.1"
- ],
- "v": "<1.2.1"
- },
 {
 "advisory": "Ansible 1.2.2 includes a fix for CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker could take advantage of this information to steal those credentials, provided it had access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1939349",
 "cve": "CVE-2021-3447",
@@ -2815,6 +2845,167 @@ ], "v": "<1.5.4" }, + { + "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.", + "cve": "PVE-2021-25623", + "id": "pyup.io-25623", + "more_info_path": "/vulnerabilities/PVE-2021-25623/25623", + "specs": [ + "<1.7.1" + ], + "v": "<1.7.1" + }, + { + "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view \".", + "cve": "PVE-2021-25624", + "id": "pyup.io-25624", + "more_info_path": "/vulnerabilities/PVE-2021-25624/25624", + "specs": [ + "<1.8.3" + ], + "v": "<1.8.3" + }, + { + "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "cve": "CVE-2015-3908", + "id": "pyup.io-25625", + "more_info_path": "/vulnerabilities/CVE-2015-3908/25625", + "specs": [ + "<1.9.2" + ], + "v": "<1.9.2" + }, + { + "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. 
An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/", + "cve": "CVE-2016-9587", + "id": "pyup.io-33285", + "more_info_path": "/vulnerabilities/CVE-2016-9587/33285", + "specs": [ + "<2.1.4.0", + ">2.1.4.0,<2.2.1.0" + ], + "v": "<2.1.4.0,>2.1.4.0,<2.2.1.0" + }, + { + "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.", + "cve": "CVE-2020-25635", + "id": "pyup.io-54230", + "more_info_path": "/vulnerabilities/CVE-2020-25635/54230", + "specs": [ + "<2.10.5" + ], + "v": "<2.10.5" + }, + { + "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.", + "cve": "CVE-2020-25636", + "id": "pyup.io-54229", + "more_info_path": "/vulnerabilities/CVE-2020-25636/54229", + "specs": [ + "<2.10.5" + ], + "v": "<2.10.5" + }, + { + "advisory": "Ansible 2.3 includes a fix for CVE-2017-7466: Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. 
An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466", + "cve": "CVE-2017-7466", + "id": "pyup.io-42890", + "more_info_path": "/vulnerabilities/CVE-2017-7466/42890", + "specs": [ + "<2.3" + ], + "v": "<2.3" + }, + { + "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774", + "cve": "CVE-2021-20178", + "id": "pyup.io-42858", + "more_info_path": "/vulnerabilities/CVE-2021-20178/42858", + "specs": [ + "<2.9.18" + ], + "v": "<2.9.18" + }, + { + "advisory": "An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.", + "cve": "CVE-2022-1632", + "id": "pyup.io-62625", + "more_info_path": "/vulnerabilities/CVE-2022-1632/62625", + "specs": [ + "==2.0", + "==4.0" + ], + "v": "==2.0,==4.0" + }, + { + "advisory": "A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. 
This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.", + "cve": "CVE-2020-1753", + "id": "pyup.io-54240", + "more_info_path": "/vulnerabilities/CVE-2020-1753/54240", + "specs": [ + ">=0,<2.7.18", + ">=2.8.0,<2.8.11", + ">=2.9.0,<2.9.7" + ], + "v": ">=0,<2.7.18,>=2.8.0,<2.8.11,>=2.9.0,<2.9.7" + }, + { + "advisory": "Ansible 1.9.6 and 2.0.2 include a fix for CVE-2016-3096: The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", + "cve": "CVE-2016-3096", + "id": "pyup.io-25627", + "more_info_path": "/vulnerabilities/CVE-2016-3096/25627", + "specs": [ + ">=2.0.0.0,<2.0.2", + "<1.9.6" + ], + "v": ">=2.0.0.0,<2.0.2,<1.9.6" + }, + { + "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.", + "cve": "CVE-2022-3697", + "id": "pyup.io-54564", + "more_info_path": "/vulnerabilities/CVE-2022-3697/54564", + "specs": [ + ">=2.5.0,<7.0.0" + ], + "v": ">=2.5.0,<7.0.0" + }, + { + "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. 
By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156", + "cve": "CVE-2019-10156", + "id": "pyup.io-42887", + "more_info_path": "/vulnerabilities/CVE-2019-10156/42887", + "specs": [ + ">=2.8.0a0,<2.8.2", + ">=2.7.0a0,<2.7.12", + ">=2.6.0a0,<2.6.18" + ], + "v": ">=2.8.0a0,<2.8.2,>=2.7.0a0,<2.7.12,>=2.6.0a0,<2.6.18" + }, + { + "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944", + "cve": "CVE-2019-14904", + "id": "pyup.io-42881", + "more_info_path": "/vulnerabilities/CVE-2019-14904/42881", + "specs": [ + ">=2.8.0a0,<2.8.8", + ">=2.9.0a0,<2.9.3", + "<2.7.16" + ], + "v": ">=2.8.0a0,<2.8.8,>=2.9.0a0,<2.9.3,<2.7.16" + } + ], + "ansible-core": [ + { + "advisory": "Ansible 1.2.1 includes a fix for CVE-2013-2233: Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=980821", + "cve": "CVE-2013-2233", + "id": "pyup.io-42921", + "more_info_path": "/vulnerabilities/CVE-2013-2233/42921", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + }, { "advisory": "Ansible 1.5.4 includes a fix for CVE-2014-4657: The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.", "cve": "CVE-2014-4657", 
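Review bot: Near the end of this hunk the added lines `],` and `"ansible-core": [` close the `ansible` list and open a new `ansible-core` key before the pre-existing entries, so every legacy entry that follows (the CVE-2014-4657 / 1.5.4 context line here, the 1.7.0 entries in the next hunk, the 1.9.2 entry after that) now lives under `ansible-core`, a distribution that never shipped 1.x or 2.x releases, while `ansible` keeps only the entries re-inserted above. I cannot see whether those legacy entries are re-added under `ansible` inside the large removal hunk at -2955, but as far as this view goes consumers pinning `ansible` lose them; if the split is intentional, the `ansible-core` list should contain only advisories whose ranges can match an ansible-core release. Two re-inserted entries are also internally inconsistent: CVE-2020-1753 says fixed `prior to 2.7.17` but its spec is `>=0,<2.7.18`, and CVE-2016-9587 lists `>2.1.4.0,<2.2.1.0`, which marks any 2.1.5+ maintenance release as vulnerable although the text says 2.1.4 fixed it. The `v` strings that join disjoint ranges with commas (e.g. `"<2.1.4.0,>2.1.4.0,<2.2.1.0"`) read as an empty PEP 440 conjunction; that convention predates this commit, but a consumer that parses `v` rather than `specs` gets the wrong answer.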
@@ -2896,7 +3087,7 @@
 "v": "<1.6.7"
 },
 {
- "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.\r\nhttps://github.com/ansible/ansible/commit/92382c41810a4496e7f894696da645fe5151c232",
+ "advisory": "Ansible 1.7.0 adds path checking for relative/escaped tar filenames in the ansible-galaxy command.",
 "cve": "PVE-2021-25622",
 "id": "pyup.io-25622",
 "more_info_path": "/vulnerabilities/PVE-2021-25622/25622",
@@ -2906,7 +3097,7 @@
 "v": "<1.7"
 },
 {
- "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.\r\nhttps://github.com/ansible/ansible/commit/650e967b30f26c285441fb848a408044c51ad622",
+ "advisory": "Ansible 1.7.0 avoids templating raw lookup strings.",
 "cve": "PVE-2022-45329",
 "id": "pyup.io-45329",
 "more_info_path": "/vulnerabilities/PVE-2022-45329/45329",
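Review bot: Both hunks here strip the only reference from a PVE entry, the `\r\nhttps://github.com/ansible/ansible/commit/...` tail on pyup.io-25622 and pyup.io-45329, leaving advisories that have no CVE and now no pointer to the fixing commit, so nothing in the record lets a consumer confirm the claim or the `<1.7` range. Every other sourced entry in this diff keeps its URL in the same `\r\n` tail, so unless these links were verified dead the original text should stay; if they were, a replacement reference belongs in the text rather than silent removal. After this commit both entries also sit under the `ansible-core` key opened in the preceding hunk, where a `<1.7` range can never match a release.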
@@ -2915,36 +3106,6 @@ ], "v": "<1.7" }, - { - "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.", - "cve": "PVE-2021-25623", - "id": "pyup.io-25623", - "more_info_path": "/vulnerabilities/PVE-2021-25623/25623", - "specs": [ - "<1.7.1" - ], - "v": "<1.7.1" - }, - { - "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view \".", - "cve": "PVE-2021-25624", - "id": "pyup.io-25624", - "more_info_path": "/vulnerabilities/PVE-2021-25624/25624", - "specs": [ - "<1.8.3" - ], - "v": "<1.8.3" - }, - { - "advisory": "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", - "cve": "CVE-2015-3908", - "id": "pyup.io-25625", - "more_info_path": "/vulnerabilities/CVE-2015-3908/25625", - "specs": [ - "<1.9.2" - ], - "v": "<1.9.2" - }, { "advisory": "Ansible 1.9.2 includes a fix for CVE-2015-6240: The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1243468", "cve": "CVE-2015-6240", 
@@ -2955,411 +3116,6 @@ ], "v": "<1.9.2" }, - { - "advisory": "Ansible versions 2.1.4 and 2.2.1 include a fix for CVE-2016-9587: Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://www.exploit-db.com/exploits/41013/", - "cve": "CVE-2016-9587", - "id": "pyup.io-33285", - "more_info_path": "/vulnerabilities/CVE-2016-9587/33285", - "specs": [ - "<2.1.4.0", - ">2.1.4.0,<2.2.1.0" - ], - "v": "<2.1.4.0,>2.1.4.0,<2.2.1.0" - }, - { - "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628", - "cve": "CVE-2016-8628", - "id": "pyup.io-42915", - "more_info_path": "/vulnerabilities/CVE-2016-8628/42915", - "specs": [ - "<2.2.0" - ], - "v": "<2.2.0" - }, - { - "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8614: A flaw was found in Ansible before version 2.2.0. 
The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614", - "cve": "CVE-2016-8614", - "id": "pyup.io-42916", - "more_info_path": "/vulnerabilities/CVE-2016-8614/42916", - "specs": [ - "<2.2.0" - ], - "v": "<2.2.0" - }, - { - "advisory": "Ansible 2.3 includes a fix for CVE-2017-7466: Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466", - "cve": "CVE-2017-7466", - "id": "pyup.io-42890", - "more_info_path": "/vulnerabilities/CVE-2017-7466/42890", - "specs": [ - "<2.3" - ], - "v": "<2.3" - }, - { - "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. See: CVE-2017-7481.", - "cve": "CVE-2017-7481", - "id": "pyup.io-34941", - "more_info_path": "/vulnerabilities/CVE-2017-7481/34941", - "specs": [ - "<2.3.1" - ], - "v": "<2.3.1" - }, - { - "advisory": "Ansible 2.8.19, 2.9.18 and 2.10.7 include a fix for CVE-2021-20191: Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. 
The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813", - "cve": "CVE-2021-20191", - "id": "pyup.io-42856", - "more_info_path": "/vulnerabilities/CVE-2021-20191/42856", - "specs": [ - "<2.8.19", - ">=2.9.0b1,<2.9.18", - ">=2.10.0a1,<2.10.7" - ], - "v": "<2.8.19,>=2.9.0b1,<2.9.18,>=2.10.0a1,<2.10.7" - }, - { - "advisory": "Ansible 2.9.18 includes a fix for CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1914774", - "cve": "CVE-2021-20178", - "id": "pyup.io-42858", - "more_info_path": "/vulnerabilities/CVE-2021-20178/42858", - "specs": [ - "<2.9.18" - ], - "v": "<2.9.18" - }, - { - "advisory": "Ansible 2.9.23 includes a fix for CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1968412", - "cve": "CVE-2021-3583", - "id": "pyup.io-42924", - "more_info_path": "/vulnerabilities/CVE-2021-3583/42924", - "specs": [ - "<2.9.23" - ], - "v": "<2.9.23" - }, - { - "advisory": "A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. 
This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.", - "cve": "CVE-2020-10709", - "id": "pyup.io-70602", - "more_info_path": "/vulnerabilities/CVE-2020-10709/70602", - "specs": [ - "<3.5.6", - ">=3.6.0,<3.6.4" - ], - "v": "<3.5.6,>=3.6.0,<3.6.4" - }, - { - "advisory": "A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license.", - "cve": "CVE-2019-14890", - "id": "pyup.io-70527", - "more_info_path": "/vulnerabilities/CVE-2019-14890/70527", - "specs": [ - "<3.6.1" - ], - "v": "<3.6.1" - }, - { - "advisory": "An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.", - "cve": "CVE-2022-1632", - "id": "pyup.io-62625", - "more_info_path": "/vulnerabilities/CVE-2022-1632/62625", - "specs": [ - "==2.0", - "==4.0" - ], - "v": "==2.0,==4.0" - }, - { - "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. 
This issue affects directly data confidentiality.", - "cve": "CVE-2020-25635", - "id": "pyup.io-54230", - "more_info_path": "/vulnerabilities/CVE-2020-25635/54230", - "specs": [ - ">=0" - ], - "v": ">=0" - }, - { - "advisory": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.", - "cve": "CVE-2020-25636", - "id": "pyup.io-54229", - "more_info_path": "/vulnerabilities/CVE-2020-25636/54229", - "specs": [ - ">=0" - ], - "v": ">=0" - }, - { - "advisory": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.", - "cve": "CVE-2018-10874", - "id": "pyup.io-53995", - "more_info_path": "/vulnerabilities/CVE-2018-10874/53995", - "specs": [ - ">=0,<2.4.6.0", - ">=2.5,<2.5.6", - ">=2.6,<2.6.1" - ], - "v": ">=0,<2.4.6.0,>=2.5,<2.5.6,>=2.6,<2.6.1" - }, - { - "advisory": "A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. 
This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.", - "cve": "CVE-2020-1753", - "id": "pyup.io-54240", - "more_info_path": "/vulnerabilities/CVE-2020-1753/54240", - "specs": [ - ">=0,<2.7.18", - ">=2.8.0,<2.8.11", - ">=2.9.0,<2.9.7" - ], - "v": ">=0,<2.7.18,>=2.8.0,<2.8.11,>=2.9.0,<2.9.7" - }, - { - "advisory": "A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.", - "cve": "CVE-2019-14858", - "id": "pyup.io-54153", - "more_info_path": "/vulnerabilities/CVE-2019-14858/54153", - "specs": [ - ">=2.0,<2.8.1" - ], - "v": ">=2.0,<2.8.1" - }, - { - "advisory": "Ansible 1.9.6 and 2.0.2 include a fix for CVE-2016-3096: The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", - "cve": "CVE-2016-3096", - "id": "pyup.io-25627", - "more_info_path": "/vulnerabilities/CVE-2016-3096/25627", - "specs": [ - ">=2.0.0.0,<2.0.2", - "<1.9.6" - ], - "v": ">=2.0.0.0,<2.0.2,<1.9.6" - }, - { - "advisory": "Ansible 2.3.3 and 2.4.1 include a fix for CVE-2017-7550: A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. 
Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation.\r\nhttps://github.com/ansible/ansible/issues/30874\r\nhttps://access.redhat.com/errata/RHSA-2017:2966", - "cve": "CVE-2017-7550", - "id": "pyup.io-42853", - "more_info_path": "/vulnerabilities/CVE-2017-7550/42853", - "specs": [ - ">=2.3.0,<2.3.3", - ">=2.4.0,<2.4.1" - ], - "v": ">=2.3.0,<2.3.3,>=2.4.0,<2.4.1" - }, - { - "advisory": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.", - "cve": "CVE-2022-3697", - "id": "pyup.io-54564", - "more_info_path": "/vulnerabilities/CVE-2022-3697/54564", - "specs": [ - ">=2.5.0,<7.0.0" - ], - "v": ">=2.5.0,<7.0.0" - }, - { - "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876", - "cve": "CVE-2018-16876", - "id": "pyup.io-42889", - "more_info_path": "/vulnerabilities/CVE-2018-16876/42889", - "specs": [ - ">=2.5.0a0,<2.5.14", - ">=2.6.0a0,<2.6.11", - ">=2.7.0a0,<2.7.5" - ], - "v": ">=2.5.0a0,<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5" - }, - { - "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute 
path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828\r\nhttps://github.com/ansible/ansible/pull/52133", - "cve": "CVE-2019-3828", - "id": "pyup.io-42888", - "more_info_path": "/vulnerabilities/CVE-2019-3828/42888", - "specs": [ - ">=2.6.0a0,<2.6.14", - ">=2.7.0a0,<2.7.8", - "<2.5.15" - ], - "v": ">=2.6.0a0,<2.6.14,>=2.7.0a0,<2.7.8,<2.5.15" - }, - { - "advisory": "Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856", - "cve": "CVE-2019-14856", - "id": "pyup.io-42884", - "more_info_path": "/vulnerabilities/CVE-2019-14856/42884", - "specs": [ - ">=2.6.0a0,<2.6.20", - ">=2.7.0a0,<2.7.14", - ">=2.8.0a0,<2.8.6" - ], - "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6" - }, - { - "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. 
Showing those credentials in clear text form for every user which have access just to the process list.", - "cve": "CVE-2018-16837", - "id": "pyup.io-54010", - "more_info_path": "/vulnerabilities/CVE-2018-16837/54010", - "specs": [ - ">=2.7,<2.7.1", - ">=2.6,<2.6.7", - ">=0,<2.5.11" - ], - "v": ">=2.7,<2.7.1,>=2.6,<2.6.7,>=0,<2.5.11" - }, - { - "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", - "cve": "CVE-2019-14864", - "id": "pyup.io-42882", - "more_info_path": "/vulnerabilities/CVE-2019-14864/42882", - "specs": [ - ">=2.7.0a0,<2.7.15", - ">=2.8.0a0,<2.8.7", - ">=2.9.0a0,<2.9.1" - ], - "v": ">=2.7.0a0,<2.7.15,>=2.8.0a0,<2.8.7,>=2.9.0a0,<2.9.1" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. 
An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", - "cve": "CVE-2020-1733", - "id": "pyup.io-42879", - "more_info_path": "/vulnerabilities/CVE-2020-1733/42879", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.11", - ">=2.9.0a0,<2.9.7" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736", - "cve": "CVE-2020-1736", - "id": "pyup.io-42875", - "more_info_path": "/vulnerabilities/CVE-2020-1736/42875", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. 
An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", - "cve": "CVE-2020-10684", - "id": "pyup.io-42864", - "more_info_path": "/vulnerabilities/CVE-2020-10684/42864", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", - "cve": "CVE-2020-1738", - "id": "pyup.io-42873", - "more_info_path": "/vulnerabilities/CVE-2020-1738/42873", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. 
An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739", - "cve": "CVE-2020-1739", - "id": "pyup.io-42871", - "more_info_path": "/vulnerabilities/CVE-2020-1739/42871", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735", - "cve": "CVE-2020-1735", - "id": "pyup.io-42877", - "more_info_path": "/vulnerabilities/CVE-2020-1735/42877", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740", - "cve": "CVE-2020-1740", - "id": "pyup.io-42869", - "more_info_path": "/vulnerabilities/CVE-2020-1740/42869", - "specs": [ - ">=2.7.0a0,<2.7.17", - ">=2.8.0a0,<2.8.9", - ">=2.9.0a0,<2.9.6" - ], - "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" - }, - { - "advisory": "Ansible versions 2.7.18, 2.8.12 and 2.9.9 include a fix for CVE-2020-10744: The provided fix for CVE-2020-1733 was insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected. Also Ansible Tower 3.4.5, 3.5.6 and 3.6.4 and previous versions.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744", - "cve": "CVE-2020-10744", - "id": "pyup.io-42862", - "more_info_path": "/vulnerabilities/CVE-2020-10744/42862", - "specs": [ - ">=2.7.0a0,<2.7.18", - ">=2.8.0a0,<2.8.12", - ">=2.9.0a0,<2.9.9" - ], - "v": ">=2.7.0a0,<2.7.18,>=2.8.0a0,<2.8.12,>=2.9.0a0,<2.9.9" - }, - { - "advisory": "Ansible 2.6.18, 2.7.12 and 2.8.2 include a fix for CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156", - "cve": "CVE-2019-10156", - "id": "pyup.io-42887", - "more_info_path": "/vulnerabilities/CVE-2019-10156/42887", - "specs": [ - ">=2.8.0a0,<2.8.2", - ">=2.7.0a0,<2.7.12", - ">=2.6.0a0,<2.6.18" - ], - "v": ">=2.8.0a0,<2.8.2,>=2.7.0a0,<2.7.12,>=2.6.0a0,<2.6.18" - }, - { - "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. 
Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217", - "cve": "CVE-2019-10217", - "id": "pyup.io-42885", - "more_info_path": "/vulnerabilities/CVE-2019-10217/42885", - "specs": [ - ">=2.8.0a0,<2.8.4" - ], - "v": ">=2.8.0a0,<2.8.4" - }, - { - "advisory": "Ansible 2.6.19, 2.7.13 and 2.8.4 include a fix for CVE-2019-10206: Ansible-playbook -k and Ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206", - "cve": "CVE-2019-10206", - "id": "pyup.io-42886", - "more_info_path": "/vulnerabilities/CVE-2019-10206/42886", - "specs": [ - ">=2.8.0a0,<2.8.4", - ">=2.7.0a0,<2.7.13", - ">=2.6.0a0,<2.6.19" - ], - "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,>=2.6.0a0,<2.6.19" - }, - { - "advisory": "Ansible versions 2.7.16, 2.8.8 and 2.9.3 include a fix for CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. 
Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1776944", - "cve": "CVE-2019-14904", - "id": "pyup.io-42881", - "more_info_path": "/vulnerabilities/CVE-2019-14904/42881", - "specs": [ - ">=2.8.0a0,<2.8.8", - ">=2.9.0a0,<2.9.3", - "<2.7.16" - ], - "v": ">=2.8.0a0,<2.8.8,>=2.9.0a0,<2.9.3,<2.7.16" - } - ], - "ansible-core": [ { "advisory": "Ansible 1.9.5 and 2.0.0.0 include a security fix: Information disclosure of sensitive data in log files.\r\nhttps://github.com/ansible/ansible/commit/a65543bbafbd328e7848a99d2a570f71c43a53a0", "cve": "PVE-2023-99974", 
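Review bot: The last two removed lines of this hunk, `],` and `"ansible-core": [`, are the boundary between the `ansible` array and the `ansible-core` array; deleting them without a replacement folds every entry that followed (starting with the PVE-2023-99974 advisory shown in context) into the `ansible` key. If no `ansible-core` key survives elsewhere in the new file, a scan of an environment that pins the `ansible-core` distribution will match nothing and be reported clean, which is a silent false negative in a vulnerability feed. Please confirm that `ansible-core` still exists as a key after this update, or keep the array boundary and re-home the entries explicitly. Several advisories removed here (e.g. CVE-2016-9587, CVE-2017-7466, CVE-2018-10874, CVE-2020-1753) do not reappear in the visible hunks; later re-additions beyond this chunk may cover them, but diffing the set of CVE ids before and after the update would settle it.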
@@ -3403,6 +3159,26 @@ ], "v": "<2.15.8" }, + { + "advisory": "Ansible 2.2.0 includes a fix for CVE-2016-8628: Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628", + "cve": "CVE-2016-8628", + "id": "pyup.io-42915", + "more_info_path": "/vulnerabilities/CVE-2016-8628/42915", + "specs": [ + "<2.2.0" + ], + "v": "<2.2.0" + }, + { + "advisory": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. See: CVE-2017-7481.", + "cve": "CVE-2017-7481", + "id": "pyup.io-34941", + "more_info_path": "/vulnerabilities/CVE-2017-7481/34941", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" + }, { "advisory": "A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.", "cve": "CVE-2021-4112", 
@@ -3535,6 +3311,16 @@ ], "v": ">=0,<2.9.6" }, + { + "advisory": "A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.", + "cve": "CVE-2019-14858", + "id": "pyup.io-54153", + "more_info_path": "/vulnerabilities/CVE-2019-14858/54153", + "specs": [ + ">=2.0,<2.8.1" + ], + "v": ">=2.0,<2.8.1" + }, { "advisory": "Ansible 2.4.0.0rc1 includes a security fix: There is a mismatch between two hash formats that causes the generation of a relatively shorter salt value (8 characters), which would make it easier to do dictionary/brute force attacks.\r\nhttps://github.com/ansible/ansible/commit/f5aa9df1fddb4448d5d81fbb9d03bb82a16eda52", "cve": "PVE-2023-60874", 
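Review bot: The `specs` for the re-added CVE-2019-14858 entry, `">=2.0,<2.8.1"`, do not agree with its own advisory text, which says Ansible engine "2.x up to 2.8", i.e. the whole 2.8 series; as written the spec would clear 2.8.1 and later 2.8.x releases of this no_log disclosure flaw. Check the upstream fixed-in versions and widen the upper bound to match, using the per-branch form the neighbouring entries use (`">=2.8.0a0,<2.8.N"` alongside the 2.6/2.7 ranges). I cannot confirm the exact fixed release from what is visible here.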
@@ -3590,6 +3376,54 @@ ], "v": ">=2.5.0,<2.5.5,>=2.4.0,<2.4.5" }, + { + "advisory": "Ansible 2.5.14, 2.6.11 and 2.7.5 include a fix for CVE-2018-16876: Ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876", + "cve": "CVE-2018-16876", + "id": "pyup.io-42889", + "more_info_path": "/vulnerabilities/CVE-2018-16876/42889", + "specs": [ + ">=2.5.0a0,<2.5.14", + ">=2.6.0a0,<2.6.11", + ">=2.7.0a0,<2.7.5" + ], + "v": ">=2.5.0a0,<2.5.14,>=2.6.0a0,<2.6.11,>=2.7.0a0,<2.7.5" + }, + { + "advisory": "Ansible 2.5.15, 2.6.14 and 2.7.8 include a fix for CVE-2019-3828: Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local Ansible controller host by not restricting an absolute path.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828\r\nhttps://github.com/ansible/ansible/pull/52133", + "cve": "CVE-2019-3828", + "id": "pyup.io-42888", + "more_info_path": "/vulnerabilities/CVE-2019-3828/42888", + "specs": [ + ">=2.6.0a0,<2.6.14", + ">=2.7.0a0,<2.7.8", + "<2.5.15" + ], + "v": ">=2.6.0a0,<2.6.14,>=2.7.0a0,<2.7.8,<2.5.15" + }, + { + "advisory": "Ansible versions 2.6.20, 2.7.14 and 2.8.6 include a fix for CVE-2019-14856: The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in Ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. 
The highest threat from this vulnerability is to data confidentiality.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856", + "cve": "CVE-2019-14856", + "id": "pyup.io-42884", + "more_info_path": "/vulnerabilities/CVE-2019-14856/42884", + "specs": [ + ">=2.6.0a0,<2.6.20", + ">=2.7.0a0,<2.7.14", + ">=2.8.0a0,<2.8.6" + ], + "v": ">=2.6.0a0,<2.6.20,>=2.7.0a0,<2.7.14,>=2.8.0a0,<2.8.6" + }, + { + "advisory": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.", + "cve": "CVE-2018-16837", + "id": "pyup.io-54010", + "more_info_path": "/vulnerabilities/CVE-2018-16837/54010", + "specs": [ + ">=2.7,<2.7.1", + ">=2.6,<2.6.7", + ">=0,<2.5.11" + ], + "v": ">=2.7,<2.7.1,>=2.6,<2.6.7,>=0,<2.5.11" + }, { "advisory": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.", "cve": "CVE-2019-14905", 
@@ -3627,6 +3461,122 @@ ], "v": ">=2.7.0,<2.7.4,>=2.7.5,<2.8.1,>=0,<2.5.13,>=2.6.0,<2.6.10" }, + { + "advisory": "Ansible versions 2.7.15, 2.8.7 and 2.9.1 include a fix for CVE-2019-14864: Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, are not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used to send tasks results events to collectors. This would disclose and collect any sensitive data.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", + "cve": "CVE-2019-14864", + "id": "pyup.io-42882", + "more_info_path": "/vulnerabilities/CVE-2019-14864/42882", + "specs": [ + ">=2.7.0a0,<2.7.15", + ">=2.8.0a0,<2.8.7", + ">=2.9.0a0,<2.9.1" + ], + "v": ">=2.7.0a0,<2.7.15,>=2.8.0a0,<2.8.7,>=2.9.0a0,<2.9.1" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.11 and 2.9.7 include a fix for CVE-2020-1733: A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 && mkdir -p \"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", + "cve": "CVE-2020-1733", + "id": "pyup.io-42879", + "more_info_path": "/vulnerabilities/CVE-2020-1733/42879", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.11", + ">=2.9.0a0,<2.9.7" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.11,>=2.9.0a0,<2.9.7" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1738: A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. 
If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", + "cve": "CVE-2020-1738", + "id": "pyup.io-42873", + "more_info_path": "/vulnerabilities/CVE-2020-1738/42873", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.9", + ">=2.9.0a0,<2.9.6" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", + "cve": "CVE-2020-10684", + "id": "pyup.io-42864", + "more_info_path": "/vulnerabilities/CVE-2020-10684/42864", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.9", + ">=2.9.0a0,<2.9.6" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1735: A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735", + "cve": "CVE-2020-1735", + "id": "pyup.io-42877", + "more_info_path": "/vulnerabilities/CVE-2020-1735/42877", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.9", + ">=2.9.0a0,<2.9.6" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1739: A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739", + "cve": "CVE-2020-1739", + "id": "pyup.io-42871", + "more_info_path": "/vulnerabilities/CVE-2020-1739/42871", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.9", + ">=2.9.0a0,<2.9.6" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" + }, + { + "advisory": "Ansible versions 2.7.17, 2.8.9 and 2.9.6 include a fix for CVE-2020-1736: A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. 
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736", + "cve": "CVE-2020-1736", + "id": "pyup.io-42875", + "more_info_path": "/vulnerabilities/CVE-2020-1736/42875", + "specs": [ + ">=2.7.0a0,<2.7.17", + ">=2.8.0a0,<2.8.9", + ">=2.9.0a0,<2.9.6" + ], + "v": ">=2.7.0a0,<2.7.17,>=2.8.0a0,<2.8.9,>=2.9.0a0,<2.9.6" + }, + { + "advisory": "A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.", + "cve": "CVE-2023-4237", + "id": "pyup.io-70895", + "more_info_path": "/vulnerabilities/CVE-2023-4237/70895", + "specs": [ + ">=2.8.0,<=2.15.2" + ], + "v": ">=2.8.0,<=2.15.2" + }, + { + "advisory": "Ansible 2.8.4 includes a fix for CVE-2019-10217: A flaw was found in Ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all GCP modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running Ansible playbooks.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217", + "cve": "CVE-2019-10217", + "id": "pyup.io-42885", + "more_info_path": "/vulnerabilities/CVE-2019-10217/42885", + "specs": [ + ">=2.8.0a0,<2.8.4" + ], + "v": ">=2.8.0a0,<2.8.4" + }, + { + "advisory": "Ansible 2.6.19, 2.7.13 and 2.8.4 include a fix for CVE-2019-10206: Ansible-playbook -k and Ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. 
Passwords should be wrapped to prevent templates trigger and exposing them.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206", + "cve": "CVE-2019-10206", + "id": "pyup.io-42886", + "more_info_path": "/vulnerabilities/CVE-2019-10206/42886", + "specs": [ + ">=2.8.0a0,<2.8.4", + ">=2.7.0a0,<2.7.13", + ">=2.6.0a0,<2.6.19" + ], + "v": ">=2.8.0a0,<2.8.4,>=2.7.0a0,<2.7.13,>=2.6.0a0,<2.6.19" + }, { "advisory": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.", "cve": "CVE-2021-20180", @@ -3980,6 +3930,18 @@ "v": ">=0,<1.0.1" } ], + "anyio": [ + { + "advisory": "Anyio version 4.4.0 addresses a thread race condition in `_eventloop.get_asynclib()` that caused crashes when multiple event loops of the same backend were running in separate threads and simultaneously attempted to use AnyIO for the first time. This fix ensures more stable and reliable performance in multi-threaded environments.", + "cve": "PVE-2024-71199", + "id": "pyup.io-71199", + "more_info_path": "/vulnerabilities/PVE-2024-71199/71199", + "specs": [ + "<4.4.0" + ], + "v": "<4.4.0" + } + ], "anymotion-sdk": [ { "advisory": "Anymotion-sdk 1.2.5 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", 
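Review bot: The CVE-2020-1733 advisory text reads `"umask 77 && mkdir -p "` and `'/proc//cmdline'`, which look like the upstream `<dir>` and `<pid>` placeholders stripped by tag sanitisation; as written both the command and the procfs path are wrong, and a reader cannot tell that the temp directory name is recoverable per process. Suggest restoring them as `mkdir -p <dir>` and `/proc/<pid>/cmdline` (escaped if the import pipeline strips angle brackets). Separately, the new CVE-2023-4237 range `>=2.8.0,<=2.15.2` is attached to the `ansible` distribution, but the 2.11–2.15 line is published as `ansible-core` while `ansible` itself went from 2.10.x to 3.0.0, so on this package the bound appears to stop at 2.10.x and leave ansible-core uncovered — worth confirming which distribution the range was meant for. The enclosing `ansible` array starts before this hunk.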
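Review bot: The new anyio entry (PVE-2024-71199) describes a thread race in `_eventloop.get_asynclib()` that crashes on first use from several threads, but names no attacker-controllable trigger or security impact, so it reads as a stability fix rather than a vulnerability; listing it in insecure_full.json will fail every scan that pins anyio <4.4.0. Either state the security consequence (for example an externally triggerable crash, i.e. denial of service) or keep it out of the insecure set. A reference URL to the fixing change would also let consumers verify the claim, as the Ansible entries in this same commit do.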
@@ -4188,10 +4150,10 @@ "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-28710.", - "cve": "CVE-2023-28710", - "id": "pyup.io-63173", - "more_info_path": "/vulnerabilities/CVE-2023-28710/63173", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Amazon provider integration. Therefore, it is affected by CVE-2023-25956.", + "cve": "CVE-2023-25956", + "id": "pyup.io-63177", + "more_info_path": "/vulnerabilities/CVE-2023-25956/63177", "specs": [ "<2.0.0b1" ], 
@@ -4218,70 +4180,70 @@ "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud provider integration. Therefore, it is affected by CVE-2023-25691.", - "cve": "CVE-2023-25691", - "id": "pyup.io-63175", - "more_info_path": "/vulnerabilities/CVE-2023-25691/63175", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.", + "cve": "CVE-2023-40195", + "id": "pyup.io-63170", + "more_info_path": "/vulnerabilities/CVE-2023-40195/63170", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-40195.", - "cve": "CVE-2023-40195", - "id": "pyup.io-63170", - "more_info_path": "/vulnerabilities/CVE-2023-40195/63170", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud Provider integration. Therefore, it is affected by CVE-2023-25692.", + "cve": "CVE-2023-25692", + "id": "pyup.io-63176", + "more_info_path": "/vulnerabilities/CVE-2023-25692/63176", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the JDBC provider integration. Therefore, it is affected by CVE-2023-22886.", - "cve": "CVE-2023-22886", - "id": "pyup.io-63171", - "more_info_path": "/vulnerabilities/CVE-2023-22886/63171", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.", + "cve": "CVE-2022-46421", + "id": "pyup.io-63180", + "more_info_path": "/vulnerabilities/CVE-2022-46421/63180", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Amazon provider integration. 
Therefore, it is affected by CVE-2023-25956.", - "cve": "CVE-2023-25956", - "id": "pyup.io-63177", - "more_info_path": "/vulnerabilities/CVE-2023-25956/63177", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the JDBC provider integration. Therefore, it is affected by CVE-2023-22886.", + "cve": "CVE-2023-22886", + "id": "pyup.io-63171", + "more_info_path": "/vulnerabilities/CVE-2023-22886/63171", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. Therefore, it is affected by CVE-2022-38362.", - "cve": "CVE-2022-38362", - "id": "pyup.io-63172", - "more_info_path": "/vulnerabilities/CVE-2022-38362/63172", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Spark provider integration. Therefore, it is affected by CVE-2023-28710.", + "cve": "CVE-2023-28710", + "id": "pyup.io-63173", + "more_info_path": "/vulnerabilities/CVE-2023-28710/63173", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Apache Hive provider integration. Therefore, it is affected by CVE-2022-46421.", - "cve": "CVE-2022-46421", - "id": "pyup.io-63180", - "more_info_path": "/vulnerabilities/CVE-2022-46421/63180", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud provider integration. Therefore, it is affected by CVE-2023-25691.", + "cve": "CVE-2023-25691", + "id": "pyup.io-63175", + "more_info_path": "/vulnerabilities/CVE-2023-25691/63175", "specs": [ "<2.0.0b1" ], "v": "<2.0.0b1" }, { - "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Google Cloud Provider integration. Therefore, it is affected by CVE-2023-25692.", - "cve": "CVE-2023-25692", - "id": "pyup.io-63176", - "more_info_path": "/vulnerabilities/CVE-2023-25692/63176", + "advisory": "Apache-airflow before 2.0.0b1 bundles the code for the Docker provider integration. 
Therefore, it is affected by CVE-2022-38362.", + "cve": "CVE-2022-38362", + "id": "pyup.io-63172", + "more_info_path": "/vulnerabilities/CVE-2022-38362/63172", "specs": [ "<2.0.0b1" ], @@ -4398,10 +4360,10 @@ "v": "<2.6.0" }, { - "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", - "cve": "CVE-2023-22887", - "id": "pyup.io-62890", - "more_info_path": "/vulnerabilities/CVE-2023-22887/62890", + "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", + "cve": "PVE-2023-99911", + "id": "pyup.io-62823", + "more_info_path": "/vulnerabilities/PVE-2023-99911/62823", "specs": [ "<2.6.3" ], 
@@ -4418,20 +4380,20 @@ "v": "<2.6.3" }, { - "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.", - "cve": "PVE-2023-99911", - "id": "pyup.io-62823", - "more_info_path": "/vulnerabilities/PVE-2023-99911/62823", + "advisory": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", + "cve": "PVE-2024-99900", + "id": "pyup.io-64989", + "more_info_path": "/vulnerabilities/PVE-2024-99900/64989", "specs": [ "<2.6.3" ], "v": "<2.6.3" }, { - "advisory": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected", - "cve": "PVE-2024-99900", - "id": "pyup.io-64989", - "more_info_path": "/vulnerabilities/PVE-2024-99900/64989", + "advisory": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected", + "cve": "CVE-2023-22887", + "id": "pyup.io-62890", + "more_info_path": "/vulnerabilities/CVE-2023-22887/62890", "specs": [ "<2.6.3" ], 
@@ -4447,16 +4409,6 @@ ], "v": "<2.7.0" }, - { - "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability", - "cve": "CVE-2023-39441", - "id": "pyup.io-65020", - "more_info_path": "/vulnerabilities/CVE-2023-39441/65020", - "specs": [ - "<2.7.0" - ], - "v": "<2.7.0" - }, { "advisory": "Apache-airflow 2.7.0 disables support for the deserialize flag by default in the 'xcomEntries' API. This was an unsafe default, as deserialization may instantiates arbitrary objects.\r\nhttps://github.com/apache/airflow/pull/32176", "cve": "PVE-2023-60962", 
@@ -4477,6 +4429,16 @@ ], "v": "<2.7.0" }, + { + "advisory": "Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and\u00a0Apache Airflow before 2.7.0 are affected by the\u00a0Validation of OpenSSL Certificate vulnerability.\r\n\r\nThe default SSL context with SSL library did not check a server's X.509\u00a0certificate.\u00a0 Instead, the code accepted any certificate, which could\u00a0result in the disclosure of mail server credentials or mail contents\u00a0when the client connects to an attacker in a MITM position.\r\n\r\nUsers are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability", + "cve": "CVE-2023-39441", + "id": "pyup.io-65020", + "more_info_path": "/vulnerabilities/CVE-2023-39441/65020", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + }, { "advisory": "Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated\u00a0users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.", "cve": "CVE-2023-40712", 
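Review bot: The re-added CVE-2023-39441 entry is keyed only on `apache-airflow <2.7.0`, while its own text says the non-verifying TLS context lives in the SMTP provider (<1.3.0) and IMAP provider (<3.3.0); an Airflow 2.7.0+ install that still pins an older `apache-airflow-providers-smtp` or `-imap` remains exposed to the MITM credential disclosure described here and would not be flagged by this entry alone, so please confirm those two provider packages carry their own entries. The phrase "Validation of OpenSSL Certificate vulnerability" is also vague; "improper server certificate validation in the default SSL context (CWE-295)" states what the code failed to do. The text additionally carries `\u00a0` non-breaking spaces copied from the upstream advisory (`and\u00a0Apache`, `certificate.\u00a0 Instead`) that should be plain spaces.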
@@ -4498,20 +4460,20 @@ "v": "<2.7.1" }, { - "advisory": "A security flaw in Apache Airflow allows authenticated users to view warnings and related details for all Directed Acyclic Graphs (DAGs), including those they are not permitted to see. This exposure includes DAG IDs and stack traces from import errors, posing a risk to versions of Apache Airflow before 2.7.2.", - "cve": "CVE-2023-42780", - "id": "pyup.io-65392", - "more_info_path": "/vulnerabilities/CVE-2023-42780/65392", + "advisory": "Apache Airflow contains a vulnerability where an authorized user with limited permissions can access task instance information across unintended DAGs, posing a risk to versions prior to 2.7.2. Users are encouraged to upgrade to mitigate this security risk.", + "cve": "CVE-2023-42663", + "id": "pyup.io-65393", + "more_info_path": "/vulnerabilities/CVE-2023-42663/65393", "specs": [ "<2.7.2" ], "v": "<2.7.2" }, { - "advisory": "Apache Airflow contains a vulnerability where an authorized user with limited permissions can access task instance information across unintended DAGs, posing a risk to versions prior to 2.7.2. Users are encouraged to upgrade to mitigate this security risk.", - "cve": "CVE-2023-42663", - "id": "pyup.io-65393", - "more_info_path": "/vulnerabilities/CVE-2023-42663/65393", + "advisory": "A security flaw in Apache Airflow allows authenticated users to view warnings and related details for all Directed Acyclic Graphs (DAGs), including those they are not permitted to see. This exposure includes DAG IDs and stack traces from import errors, posing a risk to versions of Apache Airflow before 2.7.2.", + "cve": "CVE-2023-42780", + "id": "pyup.io-65392", + "more_info_path": "/vulnerabilities/CVE-2023-42780/65392", "specs": [ "<2.7.2" ], 
@@ -4548,20 +4510,20 @@ "v": "<2.7.3" }, { - "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49787", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49787", + "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49786", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49786", "specs": [ "<=2.3.2" ], "v": "<=2.3.2" }, { - "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49786", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49786", + "advisory": "Apache-airflow 2.3.2 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49787", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49787", "specs": [ "<=2.3.2" ], 
@@ -4608,20 +4570,20 @@ "v": ">=0,<1.10.11" }, { - "advisory": "Apache-airflow 1.10.11rc1 includes a fix for CVE-2020-11978: A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", - "cve": "CVE-2020-11978", - "id": "pyup.io-54349", - "more_info_path": "/vulnerabilities/CVE-2020-11978/54349", + "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.", + "cve": "CVE-2020-11982", + "id": "pyup.io-54179", + "more_info_path": "/vulnerabilities/CVE-2020-11982/54179", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { - "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.", - "cve": "CVE-2020-11981", - "id": "pyup.io-54177", - "more_info_path": "/vulnerabilities/CVE-2020-11981/54177", + "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", + "cve": "CVE-2020-11983", + "id": "pyup.io-54181", + "more_info_path": "/vulnerabilities/CVE-2020-11983/54181", "specs": [ ">=0,<1.10.11rc1" ], 
@@ -4638,20 +4600,20 @@ "v": ">=0,<1.10.11rc1" }, { - "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.", - "cve": "CVE-2020-11982", - "id": "pyup.io-54179", - "more_info_path": "/vulnerabilities/CVE-2020-11982/54179", + "advisory": "Apache-airflow 1.10.11rc1 includes a fix for CVE-2020-11978: A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", + "cve": "CVE-2020-11978", + "id": "pyup.io-54349", + "more_info_path": "/vulnerabilities/CVE-2020-11978/54349", "specs": [ ">=0,<1.10.11rc1" ], "v": ">=0,<1.10.11rc1" }, { - "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.", - "cve": "CVE-2020-11983", - "id": "pyup.io-54181", - "more_info_path": "/vulnerabilities/CVE-2020-11983/54181", + "advisory": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.", + "cve": "CVE-2020-11981", + "id": "pyup.io-54177", + "more_info_path": "/vulnerabilities/CVE-2020-11981/54177", "specs": [ ">=0,<1.10.11rc1" ], 
@@ -4687,16 +4649,6 @@ ], "v": ">=0,<1.10.2" }, - { - "advisory": "A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.", - "cve": "CVE-2019-0216", - "id": "pyup.io-54125", - "more_info_path": "/vulnerabilities/CVE-2019-0216/54125", - "specs": [ - ">=0,<1.10.3b1" - ], - "v": ">=0,<1.10.3b1" - }, { "advisory": "A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.", "cve": "CVE-2019-0229", @@ -4708,14 +4660,14 @@ "v": ">=0,<1.10.3b1" }, { - "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.", - "cve": "CVE-2019-12398", - "id": "pyup.io-54139", - "more_info_path": "/vulnerabilities/CVE-2019-12398/54139", + "advisory": "A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.", + "cve": "CVE-2019-0216", + "id": "pyup.io-54125", + "more_info_path": "/vulnerabilities/CVE-2019-0216/54125", "specs": [ - ">=0,<1.10.5" + ">=0,<1.10.3b1" ], - "v": ">=0,<1.10.5" + "v": ">=0,<1.10.3b1" }, { "advisory": "Versions of Apache Airflow prior to 1.10.5 expose a vulnerability where the Databricks operator logs API keys in plaintext during task execution. This exposure results from the operator encouraging users to input their API key into a connection's \"extra\" field, which the Databricks hook subsequently logs, leading to information exposure.\r\nhttps://github.com/apache/airflow/pull/5635/commits/89f015e6c89392b6de61dab8ab90182e6ee42b74", 
@@ -4727,6 +4679,16 @@ ], "v": ">=0,<1.10.5" }, + { + "advisory": "In Apache Airflow before 1.10.5 when running with the \"classic\" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new \"RBAC\" UI is unaffected.", + "cve": "CVE-2019-12398", + "id": "pyup.io-54139", + "more_info_path": "/vulnerabilities/CVE-2019-12398/54139", + "specs": [ + ">=0,<1.10.5" + ], + "v": ">=0,<1.10.5" + }, { "advisory": "A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.", "cve": "CVE-2019-12417", 
@@ -4798,40 +4760,40 @@ "v": ">=0,<2.2.4rc1" }, { - "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", - "cve": "CVE-2022-38649", - "id": "pyup.io-54586", - "more_info_path": "/vulnerabilities/CVE-2022-38649/54586", + "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).", + "cve": "CVE-2022-41131", + "id": "pyup.io-54592", + "more_info_path": "/vulnerabilities/CVE-2022-41131/54592", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { - "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. 
This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).", - "cve": "CVE-2022-40954", - "id": "pyup.io-54588", - "more_info_path": "/vulnerabilities/CVE-2022-40954/54588", + "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", + "cve": "CVE-2022-40189", + "id": "pyup.io-54587", + "more_info_path": "/vulnerabilities/CVE-2022-40189/54587", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { - "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). 
Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).", - "cve": "CVE-2022-41131", - "id": "pyup.io-54592", - "more_info_path": "/vulnerabilities/CVE-2022-41131/54592", + "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).", + "cve": "CVE-2022-40954", + "id": "pyup.io-54588", + "more_info_path": "/vulnerabilities/CVE-2022-40954/54588", "specs": [ ">=0,<2.3.0" ], "v": ">=0,<2.3.0" }, { - "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). 
Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", - "cve": "CVE-2022-40189", - "id": "pyup.io-54587", - "more_info_path": "/vulnerabilities/CVE-2022-40189/54587", + "advisory": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.", + "cve": "CVE-2022-38649", + "id": "pyup.io-54586", + "more_info_path": "/vulnerabilities/CVE-2022-38649/54586", "specs": [ ">=0,<2.3.0" ], 
@@ -4978,20 +4940,20 @@ "v": ">=0,<2.8.1" }, { - "advisory": "Apache Airflow is affected by a vulnerability impacting versions before 2.8.2, where authenticated users can access DAG code and import errors for DAGs without required permissions via the API and UI. To mitigate this risk, upgrading to version 2.8.2 or newer is recommended.", - "cve": "CVE-2023-46052", + "advisory": "** DISPUTED ** Apache Airflow is affected by a vulnerability impacting versions before 2.8.2, where authenticated users can access DAG code and import errors for DAGs without required permissions via the API and UI. To mitigate this risk, upgrading to version 2.8.2 or newer is recommended.", + "cve": "CVE-2024-27906", "id": "pyup.io-68475", - "more_info_path": "/vulnerabilities/CVE-2023-46052/68475", + "more_info_path": "/vulnerabilities/CVE-2024-27906/68475", "specs": [ ">=0,<2.8.2" ], "v": ">=0,<2.8.2" }, { - "advisory": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability", - "cve": "CVE-2023-46051", + "advisory": "** DISPUTED ** Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. 
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability.", + "cve": "CVE-2024-26280", "id": "pyup.io-68489", - "more_info_path": "/vulnerabilities/CVE-2023-46051/68489", + "more_info_path": "/vulnerabilities/CVE-2024-26280/68489", "specs": [ ">=0,<2.8.2" ], @@ -5151,6 +5113,16 @@ } ], "apache-airflow-backport-providers-amazon": [ + { + "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", + "cve": "CVE-2021-33026", + "id": "pyup.io-49926", + "more_info_path": "/vulnerabilities/CVE-2021-33026/49926", + "specs": [ + "<=2021.3.3" + ], + "v": "<=2021.3.3" + }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (apache-airflow == 1.10.15).", "cve": "CVE-2020-7753", @@ -5301,16 +5273,6 @@ ], "v": "<=2021.3.3" }, - { - "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", - "cve": "CVE-2021-33026", - "id": "pyup.io-49926", - "more_info_path": "/vulnerabilities/CVE-2021-33026/49926", - "specs": [ - "<=2021.3.3" - ], - "v": "<=2021.3.3" - }, { "advisory": "Apache-airflow-backport-providers-amazon 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", @@ -5441,6 +5403,16 @@ ], "v": "<=2021.3.3" }, + { + "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", + "cve": "CVE-2021-33026", + "id": "pyup.io-49942", + "more_info_path": "/vulnerabilities/CVE-2021-33026/49942", + "specs": [ + "<=2021.3.3" + ], + "v": "<=2021.3.3" + }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", 
@@ -5561,16 +5533,6 @@ ], "v": "<=2021.3.3" }, - { - "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (flask-caching == 1.3.3).", - "cve": "CVE-2021-33026", - "id": "pyup.io-49942", - "more_info_path": "/vulnerabilities/CVE-2021-33026/49942", - "specs": [ - "<=2021.3.3" - ], - "v": "<=2021.3.3" - }, { "advisory": "Apache-airflow-backport-providers-cncf-kubernetes 2021.3.3 and prior versions ship with vulnerable dependencies (urllib3 == 1.25.11).", "cve": "CVE-2021-33503", @@ -6766,20 +6728,20 @@ ], "apache-airflow-providers-airbyte": [ { - "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49836", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49836", + "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49837", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49837", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49837", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49837", + "advisory": "Apache-airflow-providers-airbyte 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49836", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49836", "specs": [ "<=3.0.0" ], 
@@ -6933,16 +6895,6 @@ ], "v": "<6.1.2" }, - { - "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49871", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49871", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", @@ -6963,6 +6915,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "Apache-airflow-providers-apache-hive 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49871", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49871", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider before 5.0.0.\r\nhttps://github.com/apache/airflow/pull/28101", "cve": "CVE-2022-46421", @@ -7037,16 +6999,6 @@ ], "v": "<4.1.3" }, - { - "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49846", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49846", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", 
@@ -7067,6 +7019,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "Apache-airflow-providers-apache-spark 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49846", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49846", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Apache-airflow-providers-apache-spark is affected by CVE-2023-40195: Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\r\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\r\nhttps://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html", "cve": "CVE-2023-40195", @@ -7133,16 +7095,6 @@ } ], "apache-airflow-providers-cloudant": [ - { - "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49842", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49842", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", "cve": "CVE-2022-29217", 
@@ -7162,6 +7114,16 @@ "<=3.0.0" ], "v": "<=3.0.0" + }, + { + "advisory": "Apache-airflow-providers-cloudant 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49842", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49842", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" } ], "apache-airflow-providers-cncf-kubernetes": [ @@ -7188,20 +7150,20 @@ ], "apache-airflow-providers-databricks": [ { - "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49824", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49824", + "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49825", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49825", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49825", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49825", + "advisory": "Apache-airflow-providers-databricks 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49824", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49824", "specs": [ "<=3.0.0" ], 
@@ -7230,20 +7192,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49889", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49889", + "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49888", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49888", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49888", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49888", + "advisory": "Apache-airflow-providers-datadog 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49889", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49889", "specs": [ "<=3.0.0" ], 
@@ -7272,37 +7234,39 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49815", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49815", + "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49816", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49816", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49816", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49816", + "advisory": "Apache-airflow-providers-docker 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49815", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49815", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" } ], - "apache-airflow-providers-google": [ + "apache-airflow-providers-ftp": [ { - "advisory": "apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49884", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49884", + "advisory": "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly. This issue affects Apache Airflow FTP Provider: before 3.7.0. Users are recommended to upgrade to version 3.7.0, which fixes the issue. 
See CVE-2024-29733.", + "cve": "CVE-2024-29733", + "id": "pyup.io-70645", + "more_info_path": "/vulnerabilities/CVE-2024-29733/70645", "specs": [ - "<=8.1.0" + "<3.7.0" ], - "v": "<=8.1.0" - }, + "v": "<3.7.0" + } + ], + "apache-airflow-providers-google": [ { "advisory": "Apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", @@ -7323,6 +7287,16 @@ ], "v": "<=8.1.0" }, + { + "advisory": "apache-airflow-providers-google 8.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49884", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49884", + "specs": [ + "<=8.1.0" + ], + "v": "<=8.1.0" + }, { "advisory": "Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.\r\nhttps://github.com/apache/airflow/pull/29497", "cve": "CVE-2023-25691", 
@@ -7356,20 +7330,20 @@ "v": "<4.0.0" }, { - "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49878", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49878", + "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49880", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49880", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49880", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49880", + "advisory": "Apache-airflow-providers-jdbc 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49878", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49878", "specs": [ "<=3.0.0" ], 
@@ -7388,20 +7362,20 @@ ], "apache-airflow-providers-jenkins": [ { - "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49813", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49813", + "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49812", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49812", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49812", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49812", + "advisory": "Apache-airflow-providers-jenkins 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49813", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49813", "specs": [ "<=3.0.0" ], 
@@ -7462,20 +7436,20 @@ "v": "<=4.0.0" }, { - "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49875", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49875", + "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49876", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49876", "specs": [ "<=4.0.0" ], "v": "<=4.0.0" }, { - "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49876", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49876", + "advisory": "Apache-airflow-providers-microsoft-azure 4.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49875", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49875", "specs": [ "<=4.0.0" ], @@ -7493,6 +7467,16 @@ ], "v": "<3.4.1" }, + { + "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49828", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49828", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", 
@@ -7512,16 +7496,6 @@ "<=3.0.0" ], "v": "<=3.0.0" - }, - { - "advisory": "Apache-airflow-providers-microsoft-mssql 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49828", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49828", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" } ], "apache-airflow-providers-mongo": [ @@ -7567,16 +7541,6 @@ } ], "apache-airflow-providers-mysql": [ - { - "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49832", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49832", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" - }, { "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", @@ -7597,6 +7561,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "Apache-airflow-providers-mysql 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49832", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49832", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow before 2.5.1 and Apache Airflow MySQL Provider before 4.0.0.", "cve": "CVE-2023-22884", 
@@ -7610,20 +7584,20 @@ ], "apache-airflow-providers-odbc": [ { - "advisory": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0.", - "cve": "CVE-2023-34395", - "id": "pyup.io-64201", - "more_info_path": "/vulnerabilities/CVE-2023-34395/64201", + "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to\u00a0upgrade to a version that is not affected", + "cve": "CVE-2023-35798", + "id": "pyup.io-64200", + "more_info_path": "/vulnerabilities/CVE-2023-35798/64200", "specs": [ "<4.0.0" ], "v": "<4.0.0" }, { - "advisory": "Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This\u00a0vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically\u00a0updating the connection to exploit it.\r\n\r\nThis issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.\r\n\r\nIt is recommended to\u00a0upgrade to a version that is not affected", - "cve": 
"CVE-2023-35798", - "id": "pyup.io-64200", - "more_info_path": "/vulnerabilities/CVE-2023-35798/64200", + "advisory": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting version 4.0.0 driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0.", + "cve": "CVE-2023-34395", + "id": "pyup.io-64201", + "more_info_path": "/vulnerabilities/CVE-2023-34395/64201", "specs": [ "<4.0.0" ], @@ -7640,20 +7614,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49895", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49895", + "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49894", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49894", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49894", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49894", + "advisory": "Apache-airflow-providers-odbc 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49895", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49895", "specs": [ "<=3.0.0" ], 
@@ -7662,20 +7636,20 @@ ], "apache-airflow-providers-oracle": [ { - "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49867", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49867", + "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49866", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49866", "specs": [ "<=3.1.0" ], "v": "<=3.1.0" }, { - "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49866", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49866", + "advisory": "Apache-airflow-providers-oracle 3.1.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49867", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49867", "specs": [ "<=3.1.0" ], 
@@ -7704,20 +7678,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49860", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49860", + "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49861", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49861", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49861", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49861", + "advisory": "Apache-airflow-providers-pagerduty 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49860", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49860", "specs": [ "<=3.0.0" ], @@ -7757,16 +7731,6 @@ } ], "apache-airflow-providers-postgres": [ - { - "advisory": "Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49821", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49821", - "specs": [ - "<=5.0.0" - ], - "v": "<=5.0.0" - }, { "advisory": "Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", "cve": "PVE-2021-42852", @@ -7786,6 +7750,16 @@ "<=5.0.0" ], "v": "<=5.0.0" + }, + { + "advisory": "Apache-airflow-providers-postgres 5.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49821", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49821", + "specs": [ + "<=5.0.0" + ], + "v": "<=5.0.0" } ], "apache-airflow-providers-presto": [ 
@@ -7800,20 +7774,20 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49864", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49864", + "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49865", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49865", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49865", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49865", + "advisory": "Apache-airflow-providers-presto 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49864", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49864", "specs": [ "<=3.0.0" ], @@ -7821,6 +7795,16 @@ } ], "apache-airflow-providers-redis": [ + { + "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49873", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49873", + "specs": [ + "<=3.0.0" + ], + "v": "<=3.0.0" + }, { "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", "cve": "PVE-2022-47833", 
@@ -7840,34 +7824,24 @@ "<=3.0.0" ], "v": "<=3.0.0" - }, - { - "advisory": "Apache-airflow-providers-redis 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49873", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49873", - "specs": [ - "<=3.0.0" - ], - "v": "<=3.0.0" } ], "apache-airflow-providers-sendgrid": [ { - "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49811", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49811", + "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", + "cve": "PVE-2022-47833", + "id": "pyup.io-49809", + "more_info_path": "/vulnerabilities/PVE-2022-47833/49809", "specs": [ "<=3.0.0" ], "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (click == 7.1.2).", - "cve": "PVE-2022-47833", - "id": "pyup.io-49809", - "more_info_path": "/vulnerabilities/PVE-2022-47833/49809", + "advisory": "Apache-airflow-providers-sendgrid 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49811", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49811", "specs": [ "<=3.0.0" ], @@ -7886,10 +7860,10 @@ ], "apache-airflow-providers-sftp": [ { - "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49901", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49901", + "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49900", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49900", "specs": [ "<=3.0.0" ], 
@@ -7906,10 +7880,10 @@ "v": "<=3.0.0" }, { - "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49900", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49900", + "advisory": "Apache-airflow-providers-sftp 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49901", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49901", "specs": [ "<=3.0.0" ], @@ -7928,20 +7902,20 @@ "v": "<=5.0.0" }, { - "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", - "cve": "CVE-2022-29217", - "id": "pyup.io-49852", - "more_info_path": "/vulnerabilities/CVE-2022-29217/49852", + "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", + "cve": "PVE-2021-42852", + "id": "pyup.io-49853", + "more_info_path": "/vulnerabilities/PVE-2021-42852/49853", "specs": [ "<=5.0.0" ], "v": "<=5.0.0" }, { - "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).", - "cve": "PVE-2021-42852", - "id": "pyup.io-49853", - "more_info_path": "/vulnerabilities/PVE-2021-42852/49853", + "advisory": "Apache-airflow-providers-slack 5.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).", + "cve": "CVE-2022-29217", + "id": "pyup.io-49852", + "more_info_path": "/vulnerabilities/CVE-2022-29217/49852", "specs": [ "<=5.0.0" ], 
@@ -7981,16 +7955,6 @@
 }
 ],
 "apache-airflow-providers-ssh": [
- {
- "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49897",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49897",
- "specs": [
- "<=3.0.0"
- ],
- "v": "<=3.0.0"
- },
 {
 "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
 "cve": "PVE-2021-42852",
@@ -8010,6 +7974,16 @@
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
+ },
+ {
+ "advisory": "Apache-airflow-providers-ssh 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49897",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49897",
+ "specs": [
+ "<=3.0.0"
+ ],
+ "v": "<=3.0.0"
 }
 ],
 "apache-airflow-providers-tableau": [
@@ -8024,20 +7998,20 @@
 "v": "<=3.0.0"
 },
 {
- "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
- "cve": "CVE-2022-29217",
- "id": "pyup.io-49882",
- "more_info_path": "/vulnerabilities/CVE-2022-29217/49882",
+ "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
+ "cve": "PVE-2021-42852",
+ "id": "pyup.io-49883",
+ "more_info_path": "/vulnerabilities/PVE-2021-42852/49883",
 "specs": [
 "<=3.0.0"
 ],
 "v": "<=3.0.0"
 },
 {
- "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (wtforms == 2.3.3).",
- "cve": "PVE-2021-42852",
- "id": "pyup.io-49883",
- "more_info_path": "/vulnerabilities/PVE-2021-42852/49883",
+ "advisory": "Apache-airflow-providers-tableau 3.0.0 and prior versions ship with vulnerable dependencies (pyjwt == 1.7.1).",
+ "cve": "CVE-2022-29217",
+ "id": "pyup.io-49882",
+ "more_info_path": "/vulnerabilities/CVE-2022-29217/49882",
 "specs": [
 "<=3.0.0"
 ],
@@ -8179,16 +8153,6 @@
 ],
 "v": "<3.0.0"
 },
- {
- "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, that updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.",
- "cve": "CVE-2022-26520",
- "id": "pyup.io-49234",
- "more_info_path": "/vulnerabilities/CVE-2022-26520/49234",
- "specs": [
- "<3.0.0"
- ],
- "v": "<3.0.0"
- },
 {
 "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
 "cve": "CVE-2020-8840",
@@ -8269,6 +8233,16 @@
 ],
 "v": "<3.0.0"
 },
+ {
+ "advisory": "Apache-dolphinscheduler 3.0.0 (Python SDK) corresponds to DolphinScheduler version 3.0.0, that updates its Maven dependency 'postgresql' to v42.3.4 to include security fixes.",
+ "cve": "CVE-2022-26520",
+ "id": "pyup.io-49234",
+ "more_info_path": "/vulnerabilities/CVE-2022-26520/49234",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
 {
 "advisory": "Apache-dolphinscheduler 3.0.0 updates its MAVEN dependency 'jackson.databind' to v2.9.10.8 to include security fixes.",
 "cve": "CVE-2020-9547",
@@ -8940,6 +8914,18 @@
 "v": ">=0,<8.1.0"
 }
 ],
+ "apache-submarine": [
+ {
+ "advisory": "Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2022-1471. Apache Submarine uses JAXRS to define REST endpoints. In order to handle YAML requests (using application/yaml content-type), it defines a YamlEntityProvider entity provider that will process all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`. We have now fixed this issue in the new version by replacing to `jackson-dataformat-yaml`. This issue affects Apache Submarine: from 0.7.0 before 0.8.0.\u00a0Users are recommended to upgrade to version 0.8.0, which fixes this issue.If using the version smaller than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submart-server image to fix this.",
+ "cve": "CVE-2023-46302",
+ "id": "pyup.io-70898",
+ "more_info_path": "/vulnerabilities/CVE-2023-46302/70898",
+ "specs": [
+ ">=0.7.0,<0.8.0"
+ ],
+ "v": ">=0.7.0,<0.8.0"
+ }
+ ],
 "apache-superset": [
 {
 "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).",
@@ -9113,9 +9099,9 @@
 },
 {
 "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
- "cve": "CVE-2019-16772",
- "id": "pyup.io-44578",
- "more_info_path": "/vulnerabilities/CVE-2019-16772/44578",
+ "cve": "CVE-2019-16769",
+ "id": "pyup.io-44577",
+ "more_info_path": "/vulnerabilities/CVE-2019-16769/44577",
 "specs": [
 "<0.36.0"
 ],
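Review bot: The new `apache-submarine` record describes a flaw in the Java server component (the `YamlEntityProvider` under `submarine-server/server-core`), not in the Python package that the PyPI name presumably ships, so the `>=0.7.0,<0.8.0` spec flags SDK installs whose actual exposure depends on the server they talk to. The apache-dolphinscheduler and argo-workflows records in this same file prefix such cases with a qualifier of the form `"... (Python SDK) corresponds to <server> version ..."`; adding the equivalent sentence here would tell consumers what a match means. The advisory text is also copied from upstream verbatim, including the `\u00a0` and the missing space in `fixes this issue.If using`; if the export normalises upstream text elsewhere it should do so here too.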
@@ -9123,9 +9109,9 @@
 },
 {
 "advisory": "Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascript' to v2.1.2 to include security fixes.\r\nhttps://github.com/apache/superset/pull/9106/commits/788faad7f33e1b69afcee0f01c9fc7cdccb7f81f",
- "cve": "CVE-2019-16769",
- "id": "pyup.io-44577",
- "more_info_path": "/vulnerabilities/CVE-2019-16769/44577",
+ "cve": "CVE-2019-16772",
+ "id": "pyup.io-44578",
+ "more_info_path": "/vulnerabilities/CVE-2019-16772/44578",
 "specs": [
 "<0.36.0"
 ],
@@ -9262,30 +9248,30 @@
 "v": "<2.1.1"
 },
 {
- "advisory": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.",
- "cve": "CVE-2023-40610",
- "id": "pyup.io-65225",
- "more_info_path": "/vulnerabilities/CVE-2023-40610/65225",
+ "advisory": "Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint.\u00a0This issue affects Apache Superset versions before 2.1.2.",
+ "cve": "CVE-2023-43701",
+ "id": "pyup.io-65230",
+ "more_info_path": "/vulnerabilities/CVE-2023-43701/65230",
 "specs": [
 "<2.1.2"
 ],
 "v": "<2.1.2"
 },
 {
- "advisory": "Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint.\u00a0This issue affects Apache Superset versions before 2.1.2.",
- "cve": "CVE-2023-43701",
- "id": "pyup.io-65230",
- "more_info_path": "/vulnerabilities/CVE-2023-43701/65230",
+ "advisory": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.",
+ "cve": "CVE-2023-40610",
+ "id": "pyup.io-65225",
+ "more_info_path": "/vulnerabilities/CVE-2023-40610/65225",
 "specs": [
 "<2.1.2"
 ],
 "v": "<2.1.2"
 },
 {
- "advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-61908",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/61908",
+ "advisory": "An authenticated user with read permissions on database connection metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.",
+ "cve": "CVE-2023-42505",
+ "id": "pyup.io-65229",
+ "more_info_path": "/vulnerabilities/CVE-2023-42505/65229",
 "specs": [
 "<3.0.0"
 ],
@@ -9302,30 +9288,30 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.",
- "cve": "CVE-2023-42502",
- "id": "pyup.io-65227",
- "more_info_path": "/vulnerabilities/CVE-2023-42502/65227",
+ "advisory": "Apache-superset 3.0.0 updates its dependency 'flask_caching' to v1.11.1 to include a security fix.",
+ "cve": "CVE-2021-33026",
+ "id": "pyup.io-61921",
+ "more_info_path": "/vulnerabilities/CVE-2021-33026/61921",
 "specs": [
 "<3.0.0"
 ],
 "v": "<3.0.0"
 },
 {
- "advisory": "An authenticated user with read permissions on database connection metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.",
- "cve": "CVE-2023-42505",
- "id": "pyup.io-65229",
- "more_info_path": "/vulnerabilities/CVE-2023-42505/65229",
+ "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.",
+ "cve": "CVE-2023-42502",
+ "id": "pyup.io-65227",
+ "more_info_path": "/vulnerabilities/CVE-2023-42502/65227",
 "specs": [
 "<3.0.0"
 ],
 "v": "<3.0.0"
 },
 {
- "advisory": "Apache-superset 3.0.0 updates its dependency 'flask_caching' to v1.11.1 to include a security fix.",
- "cve": "CVE-2021-33026",
- "id": "pyup.io-61921",
- "more_info_path": "/vulnerabilities/CVE-2021-33026/61921",
+ "advisory": "Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to include a security fix.",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-61908",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/61908",
 "specs": [
 "<3.0.0"
 ],
@@ -9363,17 +9349,6 @@
 ],
 "v": "<=1.5.2,==2.0.0"
 },
- {
- "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
- "cve": "CVE-2022-43721",
- "id": "pyup.io-54615",
- "more_info_path": "/vulnerabilities/CVE-2022-43721/54615",
- "specs": [
- "<=1.5.2",
- "==2.0.0"
- ],
- "v": "<=1.5.2,==2.0.0"
- },
 {
 "advisory": "When explicitly enabling the feature flag 'DASHBOARD_CACHE' (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
 "cve": "CVE-2022-45438",
@@ -9419,14 +9394,15 @@
 "v": "<=1.5.2,==2.0.0"
 },
 {
- "advisory": "An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1",
- "cve": "CVE-2023-27525",
- "id": "pyup.io-62902",
- "more_info_path": "/vulnerabilities/CVE-2023-27525/62902",
+ "advisory": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
+ "cve": "CVE-2022-43721",
+ "id": "pyup.io-54615",
+ "more_info_path": "/vulnerabilities/CVE-2022-43721/54615",
 "specs": [
- "<=2.0.1"
+ "<=1.5.2",
+ "==2.0.0"
 ],
- "v": "<=2.0.1"
+ "v": "<=1.5.2,==2.0.0"
 },
 {
 "advisory": "A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery\r\nattacks and query internal resources on behalf of the server where Superset\r\nis deployed. This vulnerability exists\u00a0in Apache Superset versions up to and including 2.0.1.",
@@ -9448,6 +9424,26 @@
 ],
 "v": "<=2.0.1"
 },
+ {
+ "advisory": "An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1",
+ "cve": "CVE-2023-27525",
+ "id": "pyup.io-62902",
+ "more_info_path": "/vulnerabilities/CVE-2023-27525/62902",
+ "specs": [
+ "<=2.0.1"
+ ],
+ "v": "<=2.0.1"
+ },
+ {
+ "advisory": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.",
+ "cve": "CVE-2023-39264",
+ "id": "pyup.io-64999",
+ "more_info_path": "/vulnerabilities/CVE-2023-39264/64999",
+ "specs": [
+ "<=2.1.0"
+ ],
+ "v": "<=2.1.0"
+ },
 {
 "advisory": "Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.",
 "cve": "CVE-2023-36388",
@@ -9498,16 +9494,6 @@
 ],
 "v": "<=2.1.0"
 },
- {
- "advisory": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.",
- "cve": "CVE-2023-39264",
- "id": "pyup.io-64999",
- "more_info_path": "/vulnerabilities/CVE-2023-39264/64999",
- "specs": [
- "<=2.1.0"
- ],
- "v": "<=2.1.0"
- },
 {
 "advisory": "In Apache Incubator Superset before 0.31 user could query database metadata information from a database it has no access to, by using a specially crafted complex query.",
 "cve": "CVE-2019-12413",
@@ -9528,6 +9514,16 @@
 ],
 "v": ">=0,<0.32.0"
 },
+ {
+ "advisory": "Apache Superset versions before 0.34.0 are susceptible to a Cross-site Scripting (XSS) vulnerability that involves an issue through FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79",
+ "cve": "PVE-2024-99800",
+ "id": "pyup.io-66015",
+ "more_info_path": "/vulnerabilities/PVE-2024-99800/66015",
+ "specs": [
+ ">=0,<0.34.0"
+ ],
+ "v": ">=0,<0.34.0"
+ },
 {
 "advisory": "Cross-site Scripting (XSS) vulnerabilities have been detected in versions of apache-superset before 0.34.0, specifically through its Markup viz feature. XSS attacks manipulate a web application to execute malicious scripts on a client's browser, performing actions usually blocked by browser security, such as hijacking user sessions or exposing sensitive information. These attacks exploit the application\u2019s failure to sufficiently sanitize, validate, or escape user input, particularly special characters in dynamic content. Different XSS attacks include Stored, Reflected, DOM-based, and Mutated types, each with unique methods of injecting harmful code. To mitigate XSS risks, implementations should include sanitizing data inputs, encoding special characters, disabling client-side scripts where possible, redirecting invalid requests, detecting simultaneous logins, enforcing Content Security Policies, and understanding the security implications of third-party library usage.\r\nhttps://github.com/apache/superset/commit/0c5db55d55471c1c61c0750733733c157551b2d8",
 "cve": "PVE-2024-99797",
@@ -9548,16 +9544,6 @@
 ],
 "v": ">=0,<0.34.0"
 },
- {
- "advisory": "Apache Superset versions before 0.34.0 are susceptible to a Cross-site Scripting (XSS) vulnerability that involves an issue through FAB list views.\r\nhttps://github.com/apache/superset/commit/b62d7e3e8eaa80e201af3141fb4fe26c39e1ff79",
- "cve": "PVE-2024-99800",
- "id": "pyup.io-66015",
- "more_info_path": "/vulnerabilities/PVE-2024-99800/66015",
- "specs": [
- ">=0,<0.34.0"
- ],
- "v": ">=0,<0.34.0"
- },
 {
 "advisory": "The vulnerability threatens the security of apache-superset before 0.35.1, arising from insecure default settings that allow unrestricted metrics.\r\nhttps://github.com/apache/superset/commit/05b67673c3fdb4c94e5af5bc2fe83f1b227d7d08",
 "cve": "PVE-2024-99801",
@@ -9619,20 +9605,20 @@
 "v": ">=0,<1.3.1"
 },
 {
- "advisory": "Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.",
- "cve": "CVE-2021-41972",
- "id": "pyup.io-54371",
- "more_info_path": "/vulnerabilities/CVE-2021-41972/54371",
+ "advisory": "Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.",
+ "cve": "CVE-2021-42250",
+ "id": "pyup.io-54375",
+ "more_info_path": "/vulnerabilities/CVE-2021-42250/54375",
 "specs": [
 ">=0,<1.3.2"
 ],
 "v": ">=0,<1.3.2"
 },
 {
- "advisory": "Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.",
- "cve": "CVE-2021-42250",
- "id": "pyup.io-54375",
- "more_info_path": "/vulnerabilities/CVE-2021-42250/54375",
+ "advisory": "Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.",
+ "cve": "CVE-2021-41972",
+ "id": "pyup.io-54371",
+ "more_info_path": "/vulnerabilities/CVE-2021-41972/54371",
 "specs": [
 ">=0,<1.3.2"
 ],
@@ -9668,6 +9654,17 @@
 ],
 "v": ">=0,<1.5.1"
 },
+ {
+ "advisory": "A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement\u00a0would allow for SQL injection\u00a0in Apache Superset. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.",
+ "cve": "CVE-2023-49736",
+ "id": "pyup.io-65196",
+ "more_info_path": "/vulnerabilities/CVE-2023-49736/65196",
+ "specs": [
+ ">=0,<2.1.3",
+ ">=3.0.0,<3.0.2"
+ ],
+ "v": ">=0,<2.1.3,>=3.0.0,<3.0.2"
+ },
 {
 "advisory": "An authenticated Gamma user can create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.",
 "cve": "CVE-2023-49734",
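Review bot: The `specs` of the CVE-2023-49736 record added here (`">=0,<2.1.3"`) treat 2.1.2 as vulnerable, yet its advisory text says the issue affects versions "before 2.1.2" and names only 3.0.2 as the fixed release. The neighbouring CVE-2023-49734 record uses the same range and explicitly lists 2.1.3 as the fixed 2.x version, so the range is probably right and the text is stale upstream wording, but one of the two should be reconciled so that a consumer on 2.1.2 gets a consistent answer. The record is otherwise unchanged: the next hunk deletes it from its previous position, so this is a move, not a new finding.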
@@ -9690,22 +9687,11 @@
 ],
 "v": ">=0,<2.1.3,>=3.0.0,<3.0.2"
 },
- {
- "advisory": "A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement\u00a0would allow for SQL injection\u00a0in Apache Superset. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.",
- "cve": "CVE-2023-49736",
- "id": "pyup.io-65196",
- "more_info_path": "/vulnerabilities/CVE-2023-49736/65196",
- "specs": [
- ">=0,<2.1.3",
- ">=3.0.0,<3.0.2"
- ],
- "v": ">=0,<2.1.3,>=3.0.0,<3.0.2"
- },
 {
 "advisory": "A vulnerability in various versions of Apache Superset allows authenticated users with alert creation privileges to execute a specially crafted SQL statement, leading to a database error. This error, improperly handled, could expose sensitive information in the alert's error log. Users are advised to upgrade their systems to mitigate this issue.",
- "cve": "CVE-2023-29134",
+ "cve": "CVE-2024-27315",
 "id": "pyup.io-68480",
- "more_info_path": "/vulnerabilities/CVE-2023-29134/68480",
+ "more_info_path": "/vulnerabilities/CVE-2024-27315/68480",
 "specs": [
 ">=0,<3.0.4",
 ">=3.1.0,<3.1.1"
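Review bot: `more_info_path` is a concatenation of `cve` and `id` (`/vulnerabilities/<cve>/<id>`), so the CVE-2023-29134 → CVE-2024-27315 correction on `pyup.io-68480` has to be applied in two places, as do the four further superset renumberings in the hunks that follow and the serialize-javascript pair earlier; a missed one would silently send consumers to the wrong advisory page. Deriving the path from the other two fields at export time, or at least validating that the three agree before publishing, would remove that class of drift. Nothing in the record or the commit message ("june update") records why these CVE numbers changed, which matters for anyone auditing a scanner that still reports the old identifiers; a one-line source for the corrections would help.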
@@ -9713,10 +9699,10 @@
 "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
 },
 {
- "advisory": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
- "cve": "CVE-2024-22299",
- "id": "pyup.io-68490",
- "more_info_path": "/vulnerabilities/CVE-2024-22299/68490",
+ "advisory": "Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
+ "cve": "CVE-2024-24773",
+ "id": "pyup.io-68495",
+ "more_info_path": "/vulnerabilities/CVE-2024-24773/68495",
 "specs": [
 ">=0,<3.0.4",
 ">=3.1.0,<3.1.1"
@@ -9724,10 +9710,10 @@
 "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
 },
 {
- "advisory": "Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.",
- "cve": "CVE-2024-30178",
- "id": "pyup.io-68494",
- "more_info_path": "/vulnerabilities/CVE-2024-30178/68494",
+ "advisory": "A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.",
+ "cve": "CVE-2024-24772",
+ "id": "pyup.io-68496",
+ "more_info_path": "/vulnerabilities/CVE-2024-24772/68496",
 "specs": [
 ">=0,<3.0.4",
 ">=3.1.0,<3.1.1"
@@ -9735,10 +9721,10 @@
 "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
 },
 {
- "advisory": "Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
- "cve": "CVE-2024-22149",
- "id": "pyup.io-68495",
- "more_info_path": "/vulnerabilities/CVE-2024-22149/68495",
+ "advisory": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
+ "cve": "CVE-2024-26016",
+ "id": "pyup.io-68490",
+ "more_info_path": "/vulnerabilities/CVE-2024-26016/68490",
 "specs": [
 ">=0,<3.0.4",
 ">=3.1.0,<3.1.1"
@@ -9746,10 +9732,10 @@
 "v": ">=0,<3.0.4,>=3.1.0,<3.1.1"
 },
 {
- "advisory": "A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.",
- "cve": "CVE-2023-45935",
- "id": "pyup.io-68496",
- "more_info_path": "/vulnerabilities/CVE-2023-45935/68496",
+ "advisory": "Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.",
+ "cve": "CVE-2024-24779",
+ "id": "pyup.io-68494",
+ "more_info_path": "/vulnerabilities/CVE-2024-24779/68494",
 "specs": [
 ">=0,<3.0.4",
 ">=3.1.0,<3.1.1"
@@ -10160,20 +10146,20 @@
 "v": "<2.1.0rc2"
 },
 {
- "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "PVE-2022-47013",
- "id": "pyup.io-47013",
- "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "CVE-2013-1664",
+ "id": "pyup.io-47852",
+ "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
 "specs": [
 "<2.1.0rc2"
 ],
 "v": "<2.1.0rc2"
 },
 {
- "advisory": "Aqtinstall 2.1.0rc2 uses 'defusedxml' instead of 'xml.etree.ElementTree' to avoid XXE attacks.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
- "cve": "CVE-2013-1664",
- "id": "pyup.io-47852",
- "more_info_path": "/vulnerabilities/CVE-2013-1664/47852",
+ "advisory": "Aqtinstall 2.1.0rc2 uses 'secrets' instead of 'random' module to generate cryptographically safe numbers.\r\nhttps://github.com/miurahr/aqtinstall/commit/745e6a25e46411ff526387615a1db51a6ba968e0",
+ "cve": "PVE-2022-47013",
+ "id": "pyup.io-47013",
+ "more_info_path": "/vulnerabilities/PVE-2022-47013/47013",
 "specs": [
 "<2.1.0rc2"
 ],
@@ -10331,9 +10317,9 @@
 },
 {
 "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2018-11694",
- "id": "pyup.io-52815",
- "more_info_path": "/vulnerabilities/CVE-2018-11694/52815",
+ "cve": "CVE-2018-19839",
+ "id": "pyup.io-52812",
+ "more_info_path": "/vulnerabilities/CVE-2018-19839/52812",
 "specs": [
 "<0.13.0"
 ],
@@ -10341,9 +10327,9 @@
 },
 {
 "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2019-18798",
- "id": "pyup.io-52810",
- "more_info_path": "/vulnerabilities/CVE-2019-18798/52810",
+ "cve": "CVE-2018-11694",
+ "id": "pyup.io-52815",
+ "more_info_path": "/vulnerabilities/CVE-2018-11694/52815",
 "specs": [
 "<0.13.0"
 ],
@@ -10351,9 +10337,9 @@
 },
 {
 "advisory": "Argilla 0.13.0 stops requiring its NPM dependency 'node-sass' to avoid security issues.",
- "cve": "CVE-2018-19839",
- "id": "pyup.io-52812",
- "more_info_path": "/vulnerabilities/CVE-2018-19839/52812",
+ "cve": "CVE-2019-18798",
+ "id": "pyup.io-52810",
+ "more_info_path": "/vulnerabilities/CVE-2019-18798/52810",
 "specs": [
 "<0.13.0"
 ],
@@ -10402,20 +10388,20 @@
 ],
 "argo-workflows": [
 {
- "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which fixes a XSS vulnerability.\r\nhttps://github.com/argoproj/argo-workflows/pull/3975",
- "cve": "PVE-2022-46473",
- "id": "pyup.io-46473",
- "more_info_path": "/vulnerabilities/PVE-2022-46473/46473",
+ "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which updates its NPM dependency 'swagger-ui-react' to v3.29.0, that includes a version of 'lodash' that fixes a vulnerability.",
+ "cve": "CVE-2020-8203",
+ "id": "pyup.io-46474",
+ "more_info_path": "/vulnerabilities/CVE-2020-8203/46474",
 "specs": [
 "<5.0.0"
 ],
 "v": "<5.0.0"
 },
 {
- "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which updates its NPM dependency 'swagger-ui-react' to v3.29.0, that includes a version of 'lodash' that fixes a vulnerability.",
- "cve": "CVE-2020-8203",
- "id": "pyup.io-46474",
- "more_info_path": "/vulnerabilities/CVE-2020-8203/46474",
+ "advisory": "Argo-workflows 5.0.0 (Python SDK) is compatible with Argo-workflows core v3.0.0, which fixes a XSS vulnerability.\r\nhttps://github.com/argoproj/argo-workflows/pull/3975",
+ "cve": "PVE-2022-46473",
+ "id": "pyup.io-46473",
+ "more_info_path": "/vulnerabilities/PVE-2022-46473/46473",
 "specs": [
 "<5.0.0"
 ],
@@ -10483,9 +10469,9 @@
 },
 {
 "advisory": "Argo-workflows 6.3.10 and 6.4.4 (Python SDK) are compatible with Argo-workflows core v3.3.10 and v3.4.4, that update 'kubectl' to v1.24.8 to fix vulnerabilities.\r\nhttps://github.com/argoproj/argo-workflows/commit/fd31eb811160c62f16b5aef002bf232235e0d2c6\r\nhttps://github.com/argoproj/argo-workflows/issues/10006",
- "cve": "CVE-2022-3172",
- "id": "pyup.io-53058",
- "more_info_path": "/vulnerabilities/CVE-2022-3172/53058",
+ "cve": "CVE-2021-25740",
+ "id": "pyup.io-53017",
+ "more_info_path": "/vulnerabilities/CVE-2021-25740/53017",
 "specs": [
 "<6.3.10",
 ">=6.4.0rc1,<6.4.4"
@@ -10494,9 +10480,9 @@
 },
 {
 "advisory": "Argo-workflows 6.3.10 and 6.4.4 (Python SDK) are compatible with Argo-workflows core v3.3.10 and v3.4.4, that update 'kubectl' to v1.24.8 to fix vulnerabilities.\r\nhttps://github.com/argoproj/argo-workflows/commit/fd31eb811160c62f16b5aef002bf232235e0d2c6\r\nhttps://github.com/argoproj/argo-workflows/issues/10006",
- "cve": "CVE-2021-25740",
- "id": "pyup.io-53017",
- "more_info_path": "/vulnerabilities/CVE-2021-25740/53017",
+ "cve": "CVE-2022-3172",
+ "id": "pyup.io-53058",
+ "more_info_path": "/vulnerabilities/CVE-2022-3172/53058",
 "specs": [
 "<6.3.10",
 ">=6.4.0rc1,<6.4.4"
@@ -10505,9 +10491,9 @@
 },
 {
 "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364",
- "cve": "CVE-2021-22569",
- "id": "pyup.io-50686",
- "more_info_path": "/vulnerabilities/CVE-2021-22569/50686",
+ "cve": "CVE-2021-35517",
+ "id": "pyup.io-50689",
+ "more_info_path": "/vulnerabilities/CVE-2021-35517/50689",
 "specs": [
 "<6.3.9"
 ],
@@ -10515,9 +10501,9 @@
 },
 {
 "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364",
- "cve": "CVE-2020-28052",
- "id": "pyup.io-50691",
- "more_info_path": "/vulnerabilities/CVE-2020-28052/50691",
+ "cve": "CVE-2021-22569",
+ "id": "pyup.io-50686",
+ "more_info_path": "/vulnerabilities/CVE-2021-22569/50686",
 "specs": [
 "<6.3.9"
 ],
@@ -10535,29 +10521,29 @@
 },
 {
 "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364",
- "cve": "CVE-2021-35517",
- "id": "pyup.io-50689",
- "more_info_path": "/vulnerabilities/CVE-2021-35517/50689",
+ "cve": "CVE-2020-8908",
+ "id": "pyup.io-50685",
+ "more_info_path": "/vulnerabilities/CVE-2020-8908/50685",
 "specs": [
 "<6.3.9"
 ],
 "v": "<6.3.9"
 },
 {
- "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates NPM dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/d874c1a87b65b300b2a4c93032bd2970d6f91d8f",
- "cve": "CVE-2021-23648",
- "id": "pyup.io-50680",
- "more_info_path": "/vulnerabilities/CVE-2021-23648/50680",
+ "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364",
+ "cve": "CVE-2020-28052",
+ "id": "pyup.io-50691",
+ "more_info_path": "/vulnerabilities/CVE-2020-28052/50691",
 "specs": [
 "<6.3.9"
 ],
 "v": "<6.3.9"
 },
 {
- "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates Maven dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/481137c259b05c6a5b3c0e3adab1649c2b512364",
- "cve": "CVE-2020-8908",
- "id": "pyup.io-50685",
- "more_info_path": "/vulnerabilities/CVE-2020-8908/50685",
+ "advisory": "Argo-workflows 6.3.9 (Python SDK) is compatible with Argo-workflows core v3.3.9, that updates NPM dependencies to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/commit/d874c1a87b65b300b2a4c93032bd2970d6f91d8f",
+ "cve": "CVE-2021-23648",
+ "id": "pyup.io-50680",
+ "more_info_path": 
"/vulnerabilities/CVE-2021-23648/50680",
 "specs": [
 "<6.3.9"
 ],
@@ -10585,9 +10571,9 @@
 },
 {
 "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868",
- "cve": "CVE-2023-28841",
- "id": "pyup.io-54995",
- "more_info_path": "/vulnerabilities/CVE-2023-28841/54995",
+ "cve": "CVE-2023-28842",
+ "id": "pyup.io-54996",
+ "more_info_path": "/vulnerabilities/CVE-2023-28842/54996",
 "specs": [
 "<6.4.7"
 ],
@@ -10595,9 +10581,9 @@
 },
 {
 "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868",
- "cve": "CVE-2023-28840",
- "id": "pyup.io-54979",
- "more_info_path": "/vulnerabilities/CVE-2023-28840/54979",
+ "cve": "CVE-2023-28841",
+ "id": "pyup.io-54995",
+ "more_info_path": "/vulnerabilities/CVE-2023-28841/54995",
 "specs": [
 "<6.4.7"
 ],
@@ -10605,9 +10591,9 @@
 },
 {
 "advisory": "Argo-workflows 6.4.7 (Python SDK) is compatible with Argo-workflows core v3.4.7, which upgrades docker to v20.10.24 to include security fixes.\r\nhttps://github.com/argoproj/argo-workflows/pull/10868",
- "cve": "CVE-2023-28842",
- "id": "pyup.io-54996",
- "more_info_path": "/vulnerabilities/CVE-2023-28842/54996",
+ "cve": "CVE-2023-28840",
+ "id": "pyup.io-54979",
+ "more_info_path": "/vulnerabilities/CVE-2023-28840/54979",
 "specs": [
 "<6.4.7"
 ],
@@ -10895,6 +10881,16 @@
 }
 ],
 "astropy": [
+ {
+ "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
+ "cve": "CVE-2018-3846",
+ "id": "pyup.io-48550",
+ "more_info_path": "/vulnerabilities/CVE-2018-3846/48550",
+ "specs": [
+ "<3.0.1"
+ ],
+ "v": "<3.0.1"
+ },
 {
 "advisory": "Astropy 3.0.1 updates cfitsio to v3.43: NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43. NOTE: this CVE refers to the issues not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849. One example is ftp_status in drvrnet.c mishandling a long string beginning with a '4' character.",
 "cve": "CVE-2019-1010060",
@@ -10917,19 +10913,9 @@
 },
 {
 "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3849",
- "id": "pyup.io-48548",
- "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
- "specs": [
- "<3.0.1"
- ],
- "v": "<3.0.1"
- },
- {
- "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3846",
- "id": "pyup.io-48550",
- "more_info_path": "/vulnerabilities/CVE-2018-3846/48550",
+ "cve": "CVE-2018-3848",
+ "id": "pyup.io-35810",
+ "more_info_path": "/vulnerabilities/CVE-2018-3848/35810",
 "specs": [
 "<3.0.1"
 ],
@@ -10937,9 +10923,9 @@
 },
 {
 "advisory": "Astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": "CVE-2018-3848",
- "id": "pyup.io-35810",
- "more_info_path": "/vulnerabilities/CVE-2018-3848/35810",
+ "cve": "CVE-2018-3849",
+ "id": "pyup.io-48548",
+ "more_info_path": "/vulnerabilities/CVE-2018-3849/48548",
 "specs": [
 "<3.0.1"
 ],
@@ -11669,9 +11655,9 @@
 "autogluon": [
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'pillow' minimum requirement to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-48619",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/48619",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-48597",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/48597",
 "specs": [
 "<0.4.1"
 ],
@@ -11679,9 +11665,9 @@
 },
 {
 "advisory": "Autogluon 0.4.1 updates its dependency 'pillow' minimum requirement to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-48597",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/48597",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-48619",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/48619",
 "specs": [
 "<0.4.1"
 ],
@@ -11871,16 +11857,6 @@
 }
 ],
 "autonicer": [
- {
- "advisory": "Autonicer 1.2.0 removes its dependency 'py' to avoid a potential vulnerability.",
- "cve": "CVE-2022-42969",
- "id": "pyup.io-52773",
- "more_info_path": "/vulnerabilities/CVE-2022-42969/52773",
- "specs": [
- "<1.2.0"
- ],
- "v": "<1.2.0"
- },
 {
 "advisory": "Autonicer 1.2.1 updates its dependency 'certifi' to v2022.12.7 to include a security fix.",
 "cve": "CVE-2022-23491",
@@ -11895,9 +11871,9 @@
 "av": [
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27841",
- "id": "pyup.io-45831",
- "more_info_path": "/vulnerabilities/CVE-2020-27841/45831",
+ "cve": "CVE-2020-27814",
+ "id": "pyup.io-45826",
+ "more_info_path": "/vulnerabilities/CVE-2020-27814/45826",
 "specs": [
 "<9.0.1"
 ],
@@ -11905,9 +11881,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27814",
- "id": "pyup.io-45826",
- "more_info_path": "/vulnerabilities/CVE-2020-27814/45826",
+ "cve": "CVE-2020-27824",
+ "id": "pyup.io-45832",
+ "more_info_path": "/vulnerabilities/CVE-2020-27824/45832",
 "specs": [
 "<9.0.1"
 ],
@@ -11915,9 +11891,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-15389",
- "id": "pyup.io-45828",
- "more_info_path": "/vulnerabilities/CVE-2020-15389/45828",
+ "cve": "CVE-2020-27843",
+ "id": "pyup.io-45829",
+ "more_info_path": "/vulnerabilities/CVE-2020-27843/45829",
 "specs": [
 "<9.0.1"
 ],
@@ -11925,9 +11901,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27842",
- "id": "pyup.io-45834",
- "more_info_path": "/vulnerabilities/CVE-2020-27842/45834",
+ "cve": "CVE-2020-27823",
+ "id": "pyup.io-45825",
+ "more_info_path": "/vulnerabilities/CVE-2020-27823/45825",
 "specs": [
 "<9.0.1"
 ],
@@ -11935,9 +11911,19 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27843",
- "id": "pyup.io-45829",
- "more_info_path": "/vulnerabilities/CVE-2020-27843/45829",
+ "cve": "CVE-2020-27845",
+ "id": "pyup.io-45833",
+ "more_info_path": "/vulnerabilities/CVE-2020-27845/45833",
+ "specs": [
+ "<9.0.1"
+ ],
+ "v": "<9.0.1"
+ },
+ {
+ "advisory": "Av 9.0.1 updates wheel components to include security fixes [gnutls].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
+ "cve": "CVE-2021-20232",
+ "id": "pyup.io-45836",
+ "more_info_path": "/vulnerabilities/CVE-2021-20232/45836",
 "specs": [
 "<9.0.1"
 ],
@@ -11945,9 +11931,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27824",
- "id": "pyup.io-45832",
- "more_info_path": "/vulnerabilities/CVE-2020-27824/45832",
+ "cve": "CVE-2020-27841",
+ "id": "pyup.io-45831",
+ "more_info_path": "/vulnerabilities/CVE-2020-27841/45831",
 "specs": [
 "<9.0.1"
 ],
@@ -11955,9 +11941,19 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-6851",
- "id": "pyup.io-45827",
- "more_info_path": "/vulnerabilities/CVE-2020-6851/45827",
+ "cve": "CVE-2020-15389",
+ "id": "pyup.io-45828",
+ "more_info_path": "/vulnerabilities/CVE-2020-15389/45828",
+ "specs": [
+ "<9.0.1"
+ ],
+ "v": "<9.0.1"
+ },
+ {
+ "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
+ "cve": "CVE-2020-27842",
+ "id": "pyup.io-45834",
+ "more_info_path": "/vulnerabilities/CVE-2020-27842/45834",
 "specs": [
 "<9.0.1"
 ],
@@ -11975,9 +11971,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2019-12973",
- "id": "pyup.io-45830",
- "more_info_path": "/vulnerabilities/CVE-2019-12973/45830",
+ "cve": "CVE-2020-6851",
+ "id": "pyup.io-45827",
+ "more_info_path": "/vulnerabilities/CVE-2020-6851/45827",
 "specs": [
 "<9.0.1"
 ],
@@ -11985,9 +11981,9 @@
 },
 {
 "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27844",
- "id": "pyup.io-45824",
- "more_info_path": "/vulnerabilities/CVE-2020-27844/45824",
+ "cve": "CVE-2019-12973",
+ "id": "pyup.io-45830",
+ "more_info_path": "/vulnerabilities/CVE-2019-12973/45830",
 "specs": [
 "<9.0.1"
 ],
@@ -12004,20 +12000,20 @@
 "v": "<9.0.1"
 },
 {
- "advisory": "Av 9.0.1 updates wheel components to include security fixes [wavpack].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-35738",
- "id": "pyup.io-45838",
- "more_info_path": "/vulnerabilities/CVE-2020-35738/45838",
+ "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
+ "cve": "CVE-2020-27844",
+ "id": "pyup.io-45824",
+ "more_info_path": "/vulnerabilities/CVE-2020-27844/45824",
 "specs": [
 "<9.0.1"
 ],
 "v": "<9.0.1"
 },
 {
- "advisory": "Av 9.0.1 updates wheel components to include security fixes [gnutls].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2021-20232",
- "id": "pyup.io-45836",
- "more_info_path": "/vulnerabilities/CVE-2021-20232/45836",
+ "advisory": "Av 9.0.1 updates wheel components to include security fixes [wavpack].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
+ "cve": "CVE-2020-35738",
+ "id": "pyup.io-45838",
+ "more_info_path": "/vulnerabilities/CVE-2020-35738/45838",
 "specs": [
 "<9.0.1"
 ],
@@ -12034,24 +12030,14 @@
 "v": "<9.0.1"
 },
 {
- "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27845",
- "id": "pyup.io-45833",
- "more_info_path": "/vulnerabilities/CVE-2020-27845/45833",
- "specs": [
- "<9.0.1"
- ],
- "v": "<9.0.1"
- },
- {
- "advisory": "Av 9.0.1 updates wheel components to include security fixes [openjpeg].\r\nhttps://github.com/PyAV-Org/PyAV/issues/901",
- "cve": "CVE-2020-27823",
- "id": "pyup.io-45825",
- "more_info_path": "/vulnerabilities/CVE-2020-27823/45825",
+ "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02",
+ "cve": "CVE-2018-10392",
+ "id": "pyup.io-47802",
+ "more_info_path": "/vulnerabilities/CVE-2018-10392/47802",
 "specs": [
- "<9.0.1"
+ "<9.1.0"
 ],
- "v": "<9.0.1"
+ "v": "<9.1.0"
 },
 {
 "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02",
@@ -12082,16 +12068,6 @@
 "<9.1.0"
 ],
 "v": "<9.1.0"
- },
- {
- "advisory": "Av 9.1.0 updates 'FFmpeg' binary wheels to fix security vulnerabilities.\r\nhttps://github.com/PyAV-Org/PyAV/commit/9cbe441d637be15d5b4b57211a7df3958c3c0a02",
- "cve": "CVE-2018-10392",
- "id": "pyup.io-47802",
- "more_info_path": "/vulnerabilities/CVE-2018-10392/47802",
- "specs": [
- "<9.1.0"
- ],
- "v": "<9.1.0"
 }
 ],
 "avocado-framework": [
@@ -13067,20 +13043,20 @@
 "v": "<0.4.1"
 },
 {
- "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27319.",
+ "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27318.",
 "cve": "CVE-2024-27318",
- "id": "pyup.io-66984",
- "more_info_path": "/vulnerabilities/CVE-2024-27318/66984",
+ "id": "pyup.io-66978",
+ "more_info_path": "/vulnerabilities/CVE-2024-27318/66978",
 "specs": [
 "<0.8.2"
 ],
 "v": "<0.8.2"
 },
 {
- "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27318.",
+ "advisory": "Baybe 0.8.2 has updated its onnx dependency to version 1.16.0 or newer to address the security issue CVE-2024-27319.",
 "cve": "CVE-2024-27318",
- "id": "pyup.io-66978",
- "more_info_path": "/vulnerabilities/CVE-2024-27318/66978",
+ "id": "pyup.io-66984",
+ "more_info_path": "/vulnerabilities/CVE-2024-27318/66984",
 "specs": [
 "<0.8.2"
 ],
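Review bot: On the new side both baybe records carry `"cve": "CVE-2024-27318"`, yet the advisory text of record `pyup.io-66984` names CVE-2024-27319, so the two entries are indistinguishable by CVE and one of them disagrees with its own description. The commit only swaps their order and leaves that mismatch in place. If the 66984 record is meant to track the second onnx issue, the fix is `"cve": "CVE-2024-27319",` and `"more_info_path": "/vulnerabilities/CVE-2024-27319/66984",`; if it is a duplicate of 66978, its advisory string should be corrected instead. Consumers that deduplicate findings by CVE will otherwise silently collapse or double-report these.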
@@ -13129,20 +13105,20 @@
 "v": "<0.5.5"
 },
 {
- "advisory": "Bayesian-testing 0.5.5 updates its dependency 'certifi' to version '2023.07.22' to include a fix for a vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e",
- "cve": "CVE-2023-37920",
- "id": "pyup.io-60517",
- "more_info_path": "/vulnerabilities/CVE-2023-37920/60517",
+ "advisory": "Bayesian-testing 0.5.5 updates its dependency 'pygments' to version '2.16.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e",
+ "cve": "CVE-2022-40896",
+ "id": "pyup.io-60523",
+ "more_info_path": "/vulnerabilities/CVE-2022-40896/60523",
 "specs": [
 "<0.5.5"
 ],
 "v": "<0.5.5"
 },
 {
- "advisory": "Bayesian-testing 0.5.5 updates its dependency 'pygments' to version '2.16.1' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e",
- "cve": "CVE-2022-40896",
- "id": "pyup.io-60523",
- "more_info_path": "/vulnerabilities/CVE-2022-40896/60523",
+ "advisory": "Bayesian-testing 0.5.5 updates its dependency 'certifi' to version '2023.07.22' to include a fix for a vulnerability.\r\nhttps://github.com/Matt52/bayesian-testing/commit/1e05416c8670426b3bc8e4386da998deaa66833e",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-60517",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/60517",
 "specs": [
 "<0.5.5"
 ],
@@ -13157,6 +13133,16 @@
 "<0.5.6"
 ],
 "v": "<0.5.6"
+ },
+ {
+ "advisory": "Bayesian-testing version 0.6.2 updates its `idna` dependency from version 3.6 to 3.7 due to CVE-2024-3651.",
+ "cve": "CVE-2024-3651",
+ "id": "pyup.io-71044",
+ "more_info_path": "/vulnerabilities/CVE-2024-3651/71044",
+ "specs": [
+ "<0.6.2"
+ ],
+ "v": "<0.6.2"
 }
 ],
 "bbcode": [
@@ -13207,6 +13193,16 @@
 }
 ],
 "beaker": [
+ {
+ "advisory": "Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API.",
+ "cve": "CVE-2020-12079",
+ "id": "pyup.io-70760",
+ "more_info_path": "/vulnerabilities/CVE-2020-12079/70760",
+ "specs": [
+ "<0.8.9"
+ ],
+ "v": "<0.8.9"
+ },
 {
 "advisory": "Beaker 0.9.4 removes directory escaping characters properly from the session ID when un-signed sessions are used.\r\nhttps://github.com/bbangert/beaker/commit/ad45a77d199c46ddedf5d1aa54780b95d4bd3279",
 "cve": "PVE-2021-25635",
@@ -13385,9 +13381,9 @@
 },
 {
 "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.",
- "cve": "CVE-2023-28859",
- "id": "pyup.io-54854",
- "more_info_path": "/vulnerabilities/CVE-2023-28859/54854",
+ "cve": "CVE-2023-28858",
+ "id": "pyup.io-54855",
+ "more_info_path": "/vulnerabilities/CVE-2023-28858/54855",
 "specs": [
 "<6.0.1"
 ],
@@ -13395,9 +13391,9 @@
 },
 {
 "advisory": "Bento-lib 6.0.1 updates its dependency 'redis' to v4.5.4 to include security fixes.",
- "cve": "CVE-2023-28858",
- "id": "pyup.io-54855",
- "more_info_path": "/vulnerabilities/CVE-2023-28858/54855",
+ "cve": "CVE-2023-28859",
+ "id": "pyup.io-54854",
+ "more_info_path": "/vulnerabilities/CVE-2023-28859/54854",
 "specs": [
 "<6.0.1"
 ],
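Review bot: The new `beaker` record (`pyup.io-70760`, CVE-2020-12079) describes a sandbox escape via Electron context isolation and the Electron internal messaging API, which is the profile of an Electron desktop application, not of the Python `beaker` session and cache library that the neighbouring record (bbangert/beaker) refers to. This looks like a product-name collision carried over from the CVE feed, so any scanner consuming this file would raise a finding against the PyPI package that its maintainers cannot act on. The affected-product of CVE-2020-12079 should be confirmed against the PyPI project before this record ships; if it is not the Python library, the safest fix is to drop the added object, or, if the collision is known and tolerated, to state that in the `advisory` text so downstream triage does not have to rediscover it.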
@@ -13450,20 +13446,20 @@
 ],
 "betty": [
 {
- "advisory": "Betty 0.3.0a1 addresses a race condition that can occur during the CPU-intensive site generation process. This update introduces safeguards to prevent the copying or serialization of App instances, which could potentially lead to data inconsistencies or other unexpected behavior.\r\nhttps://github.com/bartfeenstra/betty/pull/798/commits/660d4ecdd97f2e5c00cb18945f38cf1c871bdc1e",
- "cve": "PVE-2023-63062",
- "id": "pyup.io-63062",
- "more_info_path": "/vulnerabilities/PVE-2023-63062/63062",
+ "advisory": "Betty 0.3.0a1 addresses a race condition in the locale API. It aims to ensure thread safety by avoiding shared state and using context managers to handle resources.\r\nhttps://github.com/bartfeenstra/betty/pull/958/commits/05434a10c0c886d1afad0b61b119de13b0d2959b",
+ "cve": "PVE-2023-63093",
+ "id": "pyup.io-63093",
+ "more_info_path": "/vulnerabilities/PVE-2023-63093/63093",
 "specs": [
 "<0.3.0a1"
 ],
 "v": "<0.3.0a1"
 },
 {
- "advisory": "Betty 0.3.0a1 addresses a race condition in the locale API. It aims to ensure thread safety by avoiding shared state and using context managers to handle resources.\r\nhttps://github.com/bartfeenstra/betty/pull/958/commits/05434a10c0c886d1afad0b61b119de13b0d2959b",
- "cve": "PVE-2023-63093",
- "id": "pyup.io-63093",
- "more_info_path": "/vulnerabilities/PVE-2023-63093/63093",
+ "advisory": "Betty 0.3.0a1 addresses a race condition that can occur during the CPU-intensive site generation process. This update introduces safeguards to prevent the copying or serialization of App instances, which could potentially lead to data inconsistencies or other unexpected behavior.\r\nhttps://github.com/bartfeenstra/betty/pull/798/commits/660d4ecdd97f2e5c00cb18945f38cf1c871bdc1e",
+ "cve": "PVE-2023-63062",
+ "id": "pyup.io-63062",
+ "more_info_path": "/vulnerabilities/PVE-2023-63062/63062",
 "specs": [
 "<0.3.0a1"
 ],
@@ -13732,20 +13728,20 @@
 ],
 "bigflow": [
 {
- "advisory": "Bigflow 1.6.0 enables vault endpoint TLS certificate verification by default to avoid MITM attacks.",
- "cve": "PVE-2023-53443",
- "id": "pyup.io-53443",
- "more_info_path": "/vulnerabilities/PVE-2023-53443/53443",
+ "advisory": "Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation.",
+ "cve": "CVE-2023-25392",
+ "id": "pyup.io-62893",
+ "more_info_path": "/vulnerabilities/CVE-2023-25392/62893",
 "specs": [
 "<1.6.0"
 ],
 "v": "<1.6.0"
 },
 {
- "advisory": "Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation.",
- "cve": "CVE-2023-25392",
- "id": "pyup.io-62893",
- "more_info_path": "/vulnerabilities/CVE-2023-25392/62893",
+ "advisory": "Bigflow 1.6.0 enables vault endpoint TLS certificate verification by default to avoid MITM attacks.",
+ "cve": "PVE-2023-53443",
+ "id": "pyup.io-53443",
+ "more_info_path": "/vulnerabilities/PVE-2023-53443/53443",
 "specs": [
 "<1.6.0"
 ],
@@ -13753,6 +13749,16 @@
 }
 ],
 "bikeshed": [
+ {
+ "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
+ "cve": "CVE-2021-23422",
+ "id": "pyup.io-41179",
+ "more_info_path": "/vulnerabilities/CVE-2021-23422/41179",
+ "specs": [
+ "<3.0.0"
+ ],
+ "v": "<3.0.0"
+ },
 {
 "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23423:\r\nWhen an untrusted source file containing include, include-code or include-raw block is processed, the contents of arbitrary files could be disclosed in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
 "cve": "CVE-2021-23423",
@@ -13762,16 +13768,50 @@
 "<3.0.0"
 ],
 "v": "<3.0.0"
+ }
+ ],
+ "bin-collect": [
+ {
+ "advisory": "The bin-collect package in PyPI before v0.1 included a code execution backdoor inserted by a third party.",
+ "cve": "CVE-2022-34500",
+ "id": "pyup.io-70768",
+ "more_info_path": "/vulnerabilities/CVE-2022-34500/70768",
+ "specs": [
+ "<0.1"
+ ],
+ "v": "<0.1"
 },
 {
- "advisory": "Bikeshed version 3.0.0 includes a fix for CVE-2021-23422:\r\nWhen an untrusted source file containing Inline Tag Command metadata is processed or when an arbitrary OS command is executed, the command output would be included in the HTML output.\r\nhttps://github.com/tabatkins/bikeshed/commit/b2f668fca204260b1cad28d5078e93471cb6b2dd",
- "cve": "CVE-2021-23422",
- "id": "pyup.io-41179",
- "more_info_path": "/vulnerabilities/CVE-2021-23422/41179",
+ "advisory": "The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party.",
+ "cve": "CVE-2022-34501",
+ "id": "pyup.io-70770",
+ "more_info_path": "/vulnerabilities/CVE-2022-34501/70770",
 "specs": [
- "<3.0.0"
+ "<0.1"
 ],
- "v": "<3.0.0"
+ "v": "<0.1"
+ }
+ ],
+ "bin-collection": [
+ {
+ "advisory": "The bin-collect package in PyPI before v0.1 included a code execution backdoor inserted by a third party.",
+ "cve": "CVE-2022-34500",
+ "id": "pyup.io-70769",
+ "more_info_path": "/vulnerabilities/CVE-2022-34500/70769",
+ "specs": [
+ "<0.1"
+ ],
+ "v": "<0.1"
+ },
+ {
+ "advisory": "The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party.",
+ "cve": "CVE-2022-34501",
+ "id": "pyup.io-70771",
+ "more_info_path": "/vulnerabilities/CVE-2022-34501/70771",
+ "specs": [
+ "<0.1"
+ ],
+ "v": "<0.1"
 }
 ],
 "bincrafters-envy": [
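Review bot: The two new package lists cross-reference each other: under `"bin-collect"` the second record (`pyup.io-70770`) is CVE-2022-34501 whose advisory text says "The bin-collection package in PyPI before v0.1 …", and under `"bin-collection"` the first record (`pyup.io-70769`) is CVE-2022-34500 whose text names the bin-collect package. If the intent is that each backdoored package is covered by both CVEs, the four distinct ids make sense, but then the `advisory` string of each cross record describes a different package than the key it sits under and will read as a mislabel to anyone triaging a hit. If instead each CVE belongs to exactly one package, the two cross records are duplicates and should be removed. Either way the advisory text should be made to match the package key it is filed under, for example by naming both packages in it.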
@@ -13936,10 +13976,10 @@
 "v": "<3.4.3"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Timing Attack vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4304",
- "id": "pyup.io-59612",
- "more_info_path": "/vulnerabilities/CVE-2022-4304/59612",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2022-4450",
+ "id": "pyup.io-59615",
+ "more_info_path": "/vulnerabilities/CVE-2022-4450/59615",
 "specs": [
 "<5.3.1"
 ],
@@ -13947,9 +13987,9 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0217",
- "id": "pyup.io-59609",
- "more_info_path": "/vulnerabilities/CVE-2023-0217/59609",
+ "cve": "CVE-2023-0216",
+ "id": "pyup.io-59613",
+ "more_info_path": "/vulnerabilities/CVE-2023-0216/59613",
 "specs": [
 "<5.3.1"
 ],
@@ -13957,9 +13997,9 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4450",
- "id": "pyup.io-59615",
- "more_info_path": "/vulnerabilities/CVE-2022-4450/59615",
+ "cve": "CVE-2022-4203",
+ "id": "pyup.io-59614",
+ "more_info_path": "/vulnerabilities/CVE-2022-4203/59614",
 "specs": [
 "<5.3.1"
 ],
@@ -13977,19 +14017,29 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-3996",
- "id": "pyup.io-59617",
- "more_info_path": "/vulnerabilities/CVE-2022-3996/59617",
+ "cve": "CVE-2023-2650",
+ "id": "pyup.io-59533",
+ "more_info_path": "/vulnerabilities/CVE-2023-2650/59533",
 "specs": [
 "<5.3.1"
 ],
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0216",
- "id": "pyup.io-59613",
- "more_info_path": "/vulnerabilities/CVE-2023-0216/59613",
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Type Confusion vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0286",
+ "id": "pyup.io-59611",
+ "more_info_path": "/vulnerabilities/CVE-2023-0286/59611",
+ "specs": [
+ "<5.3.1"
+ ],
+ "v": "<5.3.1"
+ },
+ {
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Timing Attack vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2022-4304",
+ "id": "pyup.io-59612",
+ "more_info_path": "/vulnerabilities/CVE-2022-4304/59612",
 "specs": [
 "<5.3.1"
 ],
@@ -13997,9 +14047,19 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2022-4203",
- "id": "pyup.io-59614",
- "more_info_path": "/vulnerabilities/CVE-2022-4203/59614",
+ "cve": "CVE-2023-0217",
+ "id": "pyup.io-59609",
+ "more_info_path": "/vulnerabilities/CVE-2023-0217/59609",
+ "specs": [
+ "<5.3.1"
+ ],
+ "v": "<5.3.1"
+ },
+ {
+ "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
+ "cve": "CVE-2023-0215",
+ "id": "pyup.io-59610",
+ "more_info_path": "/vulnerabilities/CVE-2023-0215/59610",
 "specs": [
 "<5.3.1"
 ],
@@ -14017,33 +14077,43 @@
 },
 {
 "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Denial of Service vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-2650",
- "id": "pyup.io-59533",
- "more_info_path": "/vulnerabilities/CVE-2023-2650/59533",
+ "cve": "CVE-2022-3996",
+ "id": "pyup.io-59617",
+ "more_info_path": "/vulnerabilities/CVE-2022-3996/59617",
 "specs": [
 "<5.3.1"
 ],
 "v": "<5.3.1"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Type Confusion vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0286",
- "id": "pyup.io-59611",
- "more_info_path": "/vulnerabilities/CVE-2023-0286/59611",
+ "advisory": "Bittensor version 6.12.0 updates FastAPI to versions 0.99.1 and 0.110.1 to address security issues highlighted in CVE-2024-24762.",
+ "cve": "CVE-2024-24762",
+ "id": "pyup.io-70789",
+ "more_info_path": "/vulnerabilities/CVE-2024-24762/70789",
 "specs": [
- "<5.3.1"
+ "<6.12.0"
 ],
- "v": "<5.3.1"
+ "v": "<6.12.0"
 },
 {
- "advisory": "Bittensor 5.3.1 updates its dependency 'cryptography' to version '41.0.0' to fix a Use After Free vulnerability.\r\nhttps://github.com/opentensor/bittensor/commit/91d13b0fa711621cbf823708d4368b1b387e42c4",
- "cve": "CVE-2023-0215",
- "id": "pyup.io-59610",
- "more_info_path": "/vulnerabilities/CVE-2023-0215/59610",
+ "advisory": "Bittensor version 6.12.0 updates its cryptography library to versions 42.0.0 and 42.0.5 to address the security vulnerabilities outlined in CVE-2024-26130.",
+ "cve": "CVE-2023-5363",
+ "id": "pyup.io-70793",
+ "more_info_path": "/vulnerabilities/CVE-2023-5363/70793",
 "specs": [
- "<5.3.1"
+ "<6.12.0"
 ],
- "v": "<5.3.1"
+ "v": "<6.12.0"
+ },
+ {
+ "advisory": "Bittensor version 6.12.0 updates its `certifi` package to versions 2023.7.22 and 2024.2.2 to address the 
security issues identified in CVE-2023-37920.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-70794",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/70794",
+ "specs": [
+ "<6.12.0"
+ ],
+ "v": "<6.12.0"
 },
 {
 "advisory": "Bittensor 6.4.4 upgrades its aiohttp dependency from version 3.8.5 to 3.9.0 in response to the CVE-2023-49081.\r\nhttps://github.com/opentensor/bittensor/pull/1597/commits/dc7ab6307e465a2dc110677319c58580067d13fc",
@@ -14386,20 +14456,20 @@
 ],
 "blint": [
 {
- "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below uses LIEF as dependency, which has a CVE on its versions below 0.13.0. \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38496\r\nhttps://deps.dev/pypi/blint/1.0.35/dependencies",
- "cve": "CVE-2022-38496",
- "id": "pyup.io-62768",
- "more_info_path": "/vulnerabilities/CVE-2022-38496/62768",
+ "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below uses LIEF as dependency which has a CVE on its versions below 0.13.0. \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-43171\r\nhttps://github.com/lief-project/LIEF/issues/782",
+ "cve": "CVE-2022-43171",
+ "id": "pyup.io-62771",
+ "more_info_path": "/vulnerabilities/CVE-2022-43171/62771",
 "specs": [
 "<=1.0.35"
 ],
 "v": "<=1.0.35"
 },
 {
- "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below uses LIEF as dependency which has a CVE on its versions below 0.13.0. \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-43171\r\nhttps://github.com/lief-project/LIEF/issues/782",
- "cve": "CVE-2022-43171",
- "id": "pyup.io-62771",
- "more_info_path": "/vulnerabilities/CVE-2022-43171/62771",
+ "advisory": "BLint is powered by LIEF. BLint 1.0.35 and versions below uses LIEF as dependency, which has a CVE on its versions below 0.13.0. \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38496\r\nhttps://deps.dev/pypi/blint/1.0.35/dependencies",
+ "cve": "CVE-2022-38496",
+ "id": "pyup.io-62768",
+ "more_info_path": "/vulnerabilities/CVE-2022-38496/62768",
 "specs": [
 "<=1.0.35"
 ],
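Review bot: The new bittensor record `pyup.io-70793` is internally inconsistent: its `"cve"` is `"CVE-2023-5363"` and its `more_info_path` points at that CVE, while its advisory text says the cryptography bump "address[es] the security vulnerabilities outlined in CVE-2024-26130". One of the two identifiers is wrong, and a consumer keyed on the `cve` field will attribute this finding to the OpenSSL issue rather than to the cryptography advisory the text describes. If the advisory text is authoritative the fix is `"cve": "CVE-2024-26130",` and `"more_info_path": "/vulnerabilities/CVE-2024-26130/70793",`; otherwise the sentence should be reworded to name CVE-2023-5363. The hunk containing this record begins on the previous line of the diff, so the preceding fields of the same object are outside this anchor.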
@@ -14540,20 +14610,20 @@ "v": "<1.2.0" }, { - "advisory": "Bokeh 1.2.0 updates its NPM dependency 'jquery' to v3.4.0 to include security fixes.", - "cve": "CVE-2019-11358", - "id": "pyup.io-45293", - "more_info_path": "/vulnerabilities/CVE-2019-11358/45293", + "advisory": "Bokeh 1.2.0 updates its NPM dependency 'js-yaml' to v3.13.1 to include a security fix.", + "cve": "PVE-2022-45295", + "id": "pyup.io-45295", + "more_info_path": "/vulnerabilities/PVE-2022-45295/45295", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { - "advisory": "Bokeh 1.2.0 updates its NPM dependency 'js-yaml' to v3.13.1 to include a security fix.", - "cve": "PVE-2022-45295", - "id": "pyup.io-45295", - "more_info_path": "/vulnerabilities/PVE-2022-45295/45295", + "advisory": "Bokeh 1.2.0 updates its NPM dependency 'jquery' to v3.4.0 to include security fixes.", + "cve": "CVE-2019-11358", + "id": "pyup.io-45293", + "more_info_path": "/vulnerabilities/CVE-2019-11358/45293", "specs": [ "<1.2.0" ], @@ -14571,9 +14641,9 @@ }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", - "cve": "CVE-2021-41182", - "id": "pyup.io-42772", - "more_info_path": "/vulnerabilities/CVE-2021-41182/42772", + "cve": "CVE-2021-41184", + "id": "pyup.io-42815", + "more_info_path": "/vulnerabilities/CVE-2021-41184/42815", "specs": [ "<2.4.2" ], @@ -14591,9 +14661,9 @@ }, { "advisory": "Bokeh 2.4.2 updates its dependency 'jquery-ui' to v1.13.0 to include security fixes.", - "cve": "CVE-2021-41184", - "id": "pyup.io-42815", - "more_info_path": "/vulnerabilities/CVE-2021-41184/42815", + "cve": "CVE-2021-41182", + "id": "pyup.io-42772", + "more_info_path": "/vulnerabilities/CVE-2021-41182/42772", "specs": [ "<2.4.2" ], 
@@ -16089,16 +16159,6 @@ ], "v": "<2.0.0" }, - { - "advisory": "Cashocs version 2.1.0 updates its fonttools dependency from version 4.38.0 to 4.43.0 to address the security issue identified as CVE-2023-45139.\r\nhttps://github.com/sblauth/cashocs/pull/372/commits/c15b23e743b3046b8afae8b6a0967044f163c8ce", - "cve": "CVE-2023-45139", - "id": "pyup.io-64980", - "more_info_path": "/vulnerabilities/CVE-2023-45139/64980", - "specs": [ - "<2.1.0" - ], - "v": "<2.1.0" - }, { "advisory": "Cashocs version 2.1.0 updates its Numpy dependency to 1.22.2 from the earlier version 1.21.3. This upgrade is in response to addressing the security vulnerability designated as CVE-2021-34141.\r\nhttps://github.com/sblauth/cashocs/pull/345", "cve": "CVE-2021-34141", 
@@ -16128,24 +16188,34 @@ "<2.1.0" ], "v": "<2.1.0" + }, + { + "advisory": "Cashocs version 2.1.0 updates its fonttools dependency from version 4.38.0 to 4.43.0 to address the security issue identified as CVE-2023-45139.\r\nhttps://github.com/sblauth/cashocs/pull/372/commits/c15b23e743b3046b8afae8b6a0967044f163c8ce", + "cve": "CVE-2023-45139", + "id": "pyup.io-64980", + "more_info_path": "/vulnerabilities/CVE-2023-45139/64980", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" } ], "cassandra-medusa": [ { - "advisory": "Cassandra-medusa version 0.20.0 upgrades its Pycryptodome dependency to 3.19.1 from the previous version 3.19.0, aiming to address the security concerns outlined in CVE-2023-52323.", - "cve": "CVE-2023-52323", - "id": "pyup.io-67422", - "more_info_path": "/vulnerabilities/CVE-2023-52323/67422", + "advisory": "Cassandra-medusa version 0.20.0 has upgraded its Cryptography dependency to version 42.0.2 from 35.0, in response to CVE-2023-6129.", + "cve": "CVE-2023-6129", + "id": "pyup.io-67139", + "more_info_path": "/vulnerabilities/CVE-2023-6129/67139", "specs": [ "<0.20.0" ], "v": "<0.20.0" }, { - "advisory": "Cassandra-medusa version 0.20.0 has upgraded its Cryptography dependency to version 42.0.2 from 35.0, in response to CVE-2023-6129.", - "cve": "CVE-2023-6129", - "id": "pyup.io-67139", - "more_info_path": "/vulnerabilities/CVE-2023-6129/67139", + "advisory": "Cassandra-medusa version 0.20.0 upgrades its Pycryptodome dependency to 3.19.1 from the previous version 3.19.0, aiming to address the security concerns outlined in CVE-2023-52323.", + "cve": "CVE-2023-52323", + "id": "pyup.io-67422", + "more_info_path": "/vulnerabilities/CVE-2023-52323/67422", "specs": [ "<0.20.0" ], 
@@ -16606,20 +16676,20 @@ "v": "<0.0.83" }, { - "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'containerd' to v1.5.9 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", - "cve": "CVE-2021-43816", - "id": "pyup.io-44474", - "more_info_path": "/vulnerabilities/CVE-2021-43816/44474", + "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'opencontainers/runc' to v1.0.3 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", + "cve": "CVE-2021-43784", + "id": "pyup.io-54973", + "more_info_path": "/vulnerabilities/CVE-2021-43784/54973", "specs": [ "<2.0.7" ], "v": "<2.0.7" }, { - "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'opencontainers/runc' to v1.0.3 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", - "cve": "CVE-2021-43784", - "id": "pyup.io-54973", - "more_info_path": "/vulnerabilities/CVE-2021-43784/54973", + "advisory": "Cdk-ecr-deployment 2.0.7 updates its GO dependency 'containerd' to v1.5.9 to include a security fix.\r\nhttps://github.com/cdklabs/cdk-ecr-deployment/commit/74e8412f370f4ab00be5b5a1f509c2615a874a46", + "cve": "CVE-2021-43816", + "id": "pyup.io-44474", + "more_info_path": "/vulnerabilities/CVE-2021-43816/44474", "specs": [ "<2.0.7" ], @@ -16670,6 +16740,18 @@ "v": "==0.4.0" } ], + "cdsetool": [ + { + "advisory": "Cdsetool 0.2.10 updates its `requests` dependency requirement from `<2.32.0,>=2.28.1` to `>=2.28.1,<2.33.0` due to the CVE-2024-35195.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71099", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71099", + "specs": [ + "<0.2.10" + ], + "v": "<0.2.10" + } + ], "cedar-backup3": [ { "advisory": "Cedar-backup3 version 1.10 fixes a shell-interpolation bug.", 
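Review bot: The new cdsetool entry records a dependency change that does not actually exclude the vulnerable requests releases: moving the requirement from `<2.32.0,>=2.28.1` to `>=2.28.1,<2.33.0` only raises the upper cap, so cdsetool 0.2.10 can still resolve requests 2.28.1 through 2.31.x, which CVE-2024-35195 affects (the censusdis entry added in this same update treats 2.32.0 as the fixed release). Flagging only `<0.2.10` tells users that 0.2.10 is safe when the outcome depends on which requests version their resolver picks. I would add the caveat to the advisory text, e.g. `... Note that the new range still permits requests versions below 2.32.0; verify that requests >=2.32.0 is installed.`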
@@ -16862,6 +16944,18 @@ "v": "<0.16.0" } ], + "censusdis": [ + { + "advisory": "Censusdis version 1.1.7 updates its requests dependency from ^2.28.1 to ^2.32.0 to address the security vulnerability identified as CVE-2024-35195.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71132", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71132", + "specs": [ + "<1.1.7" + ], + "v": "<1.1.7" + } + ], "centrifuge": [ { "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.", @@ -17334,20 +17428,20 @@ ], "chanjo-report": [ { - "advisory": "Chanjo-report 2.4.0 uses sudo insecurely, potentially allowing a local attacker to escalate privileges.\r\nhttps://github.com/robinandeer/chanjo-report/commit/bbb6ba9855b08c563764639d55bbcc0915c1dc55", - "cve": "PVE-2022-45287", - "id": "pyup.io-45287", - "more_info_path": "/vulnerabilities/PVE-2022-45287/45287", + "advisory": "Chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).", + "cve": "PVE-2021-25648", + "id": "pyup.io-25648", + "more_info_path": "/vulnerabilities/PVE-2021-25648/25648", "specs": [ "<2.4.0" ], "v": "<2.4.0" }, { - "advisory": "Chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).", - "cve": "PVE-2021-25648", - "id": "pyup.io-25648", - "more_info_path": "/vulnerabilities/PVE-2021-25648/25648", + "advisory": "Chanjo-report 2.4.0 uses sudo insecurely, potentially allowing a local attacker to escalate privileges.\r\nhttps://github.com/robinandeer/chanjo-report/commit/bbb6ba9855b08c563764639d55bbcc0915c1dc55", + "cve": "PVE-2022-45287", + "id": "pyup.io-45287", + "more_info_path": "/vulnerabilities/PVE-2022-45287/45287", "specs": [ "<2.4.0" ], 
@@ -21379,9 +21473,9 @@ }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", - "cve": "CVE-2023-2135", - "id": "pyup.io-64106", - "more_info_path": "/vulnerabilities/CVE-2023-2135/64106", + "cve": "CVE-2023-2136", + "id": "pyup.io-64107", + "more_info_path": "/vulnerabilities/CVE-2023-2136/64107", "specs": [ "<1.8.1rc4" ], @@ -21389,9 +21483,9 @@ }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", - "cve": "CVE-2023-2133", - "id": "pyup.io-64104", - "more_info_path": "/vulnerabilities/CVE-2023-2133/64104", + "cve": "CVE-2023-2135", + "id": "pyup.io-64106", + "more_info_path": "/vulnerabilities/CVE-2023-2135/64106", "specs": [ "<1.8.1rc4" ], @@ -21399,9 +21493,9 @@ }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", - "cve": "CVE-2023-2134", - "id": "pyup.io-64105", - "more_info_path": "/vulnerabilities/CVE-2023-2134/64105", + "cve": "CVE-2023-2133", + "id": "pyup.io-64104", + "more_info_path": "/vulnerabilities/CVE-2023-2133/64104", "specs": [ "<1.8.1rc4" ], @@ -21419,9 +21513,9 @@ }, { "advisory": "Chia-blockchain 1.8.1rc4 updates its NPM dependency 'Electron' to 22.3.7 to include security fixes.", - "cve": "CVE-2023-2136", - "id": "pyup.io-64107", - "more_info_path": "/vulnerabilities/CVE-2023-2136/64107", + "cve": "CVE-2023-2134", + "id": "pyup.io-64105", + "more_info_path": "/vulnerabilities/CVE-2023-2134/64105", "specs": [ "<1.8.1rc4" ], 
@@ -21439,9 +21533,9 @@ }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", - "cve": "CVE-2023-3730", - "id": "pyup.io-64109", - "more_info_path": "/vulnerabilities/CVE-2023-3730/64109", + "cve": "CVE-2023-3728", + "id": "pyup.io-64108", + "more_info_path": "/vulnerabilities/CVE-2023-3728/64108", "specs": [ "<2.0.0rc4" ], @@ -21449,9 +21543,9 @@ }, { "advisory": "Chia-blockchain 2.0.0rc4 updates its NPM dependency 'Electron' to 25.4.0 to include security fixes.\r\nhttps://github.com/Chia-Network/chia-blockchain-gui/pull/1976", - "cve": "CVE-2023-3728", - "id": "pyup.io-64108", - "more_info_path": "/vulnerabilities/CVE-2023-3728/64108", + "cve": "CVE-2023-3730", + "id": "pyup.io-64109", + "more_info_path": "/vulnerabilities/CVE-2023-3730/64109", "specs": [ "<2.0.0rc4" ], @@ -22499,9 +22593,9 @@ "id": "pyup.io-53999", "more_info_path": "/vulnerabilities/CVE-2018-12679/53999", "specs": [ - ">=0,<=1.0.1" + "<=1.0.1" ], - "v": ">=0,<=1.0.1" + "v": "<=1.0.1" } ], "cobbler": [ 
@@ -23826,20 +23920,20 @@ "v": "<1.3.0" }, { - "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler: If 'sasl.username' and 'sasl.password' contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.", - "cve": "PVE-2022-48601", - "id": "pyup.io-48601", - "more_info_path": "/vulnerabilities/PVE-2022-48601/48601", + "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler the client nonce, which is expected to be a random string, was a static string.", + "cve": "PVE-2021-38165", + "id": "pyup.io-38165", + "more_info_path": "/vulnerabilities/PVE-2021-38165/38165", "specs": [ "<1.4.0" ], "v": "<1.4.0" }, { - "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler the client nonce, which is expected to be a random string, was a static string.", - "cve": "PVE-2021-38165", - "id": "pyup.io-38165", - "more_info_path": "/vulnerabilities/PVE-2021-38165/38165", + "advisory": "Confluent-kafka 1.4.0 fixes a security issue in the SASL SCRAM protocol handler: If 'sasl.username' and 'sasl.password' contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.", + "cve": "PVE-2022-48601", + "id": "pyup.io-48601", + "more_info_path": "/vulnerabilities/PVE-2022-48601/48601", "specs": [ "<1.4.0" ], @@ -24074,6 +24168,16 @@ "<1.2.0" ], "v": "<1.2.0" + }, + { + "advisory": "Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs.", + "cve": "CVE-2020-24804", + "id": "pyup.io-70899", + "more_info_path": "/vulnerabilities/CVE-2020-24804/70899", + "specs": [ + "<=1.4.rc1" + ], + "v": "<=1.4.rc1" } ], "cookie-manager": [ 
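Review bot: The added CVE-2020-24804 entry caps the affected range at `<=1.4.rc1`, but the advisory text names only v1.4.rc1 as affected and cites no fixing release, so the upper bound implicitly declares every later release clean without any evidence in the record. If no fix has been confirmed upstream, an open-ended range (or a reference to the commit that stopped logging the plaintext password) would avoid silently under-reporting; if a fix version is known, the entry should name it. The package key this entry belongs to is outside the hunk, so I could not confirm it is the cms-dev/cms distribution the advisory describes.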
@@ -24154,20 +24258,20 @@ ], "copy-spotter": [ { - "advisory": "Copy-spotter version 0.0.1 updates the Black library from version 23.11.0 to 24.3.0 to address the security vulnerabilities identified in CVE-2024-21503.", - "cve": "CVE-2024-21503", - "id": "pyup.io-68062", - "more_info_path": "/vulnerabilities/CVE-2024-21503/68062", + "advisory": "Copy-spotter version 0.0.1 has upgraded its nltk dependency from 3.6.3 to 3.6.6 to address the security issue identified in CVE-2021-3842.", + "cve": "CVE-2021-3842", + "id": "pyup.io-68082", + "more_info_path": "/vulnerabilities/CVE-2021-3842/68082", "specs": [ "<0.0.1" ], "v": "<0.0.1" }, { - "advisory": "Copy-spotter version 0.0.1 has upgraded its nltk dependency from 3.6.3 to 3.6.6 to address the security issue identified in CVE-2021-3842.", - "cve": "CVE-2021-3842", - "id": "pyup.io-68082", - "more_info_path": "/vulnerabilities/CVE-2021-3842/68082", + "advisory": "Copy-spotter version 0.0.1 updates the Black library from version 23.11.0 to 24.3.0 to address the security vulnerabilities identified in CVE-2024-21503.", + "cve": "CVE-2024-21503", + "id": "pyup.io-68062", + "more_info_path": "/vulnerabilities/CVE-2024-21503/68062", "specs": [ "<0.0.1" ], 
@@ -24236,20 +24340,20 @@ "v": "<1.2.8" }, { - "advisory": "Copyparty 1.8.2 includes a fix for a Path Traversal vulnerability: An attacker may use the /.cpr endpoint to have full access to the server filesystem.\r\nhttps://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg", - "cve": "CVE-2023-37474", - "id": "pyup.io-59466", - "more_info_path": "/vulnerabilities/CVE-2023-37474/59466", + "advisory": "Copyparty 1.8.2 includes a fix for a Race Condition vulnerability. Impact is on availability.\r\nhttps://github.com/9001/copyparty/commit/77f1e5144455eb946db7368792ea11c934f0f6da\r\nhttps://github.com/9001/copyparty/commit/8f59afb1593a75b8ce8c91ceee304097a07aea6e", + "cve": "PVE-2023-59475", + "id": "pyup.io-59475", + "more_info_path": "/vulnerabilities/PVE-2023-59475/59475", "specs": [ "<1.8.2" ], "v": "<1.8.2" }, { - "advisory": "Copyparty 1.8.2 includes a fix for a Race Condition vulnerability. Impact is on availability.\r\nhttps://github.com/9001/copyparty/commit/77f1e5144455eb946db7368792ea11c934f0f6da\r\nhttps://github.com/9001/copyparty/commit/8f59afb1593a75b8ce8c91ceee304097a07aea6e", - "cve": "PVE-2023-59475", - "id": "pyup.io-59475", - "more_info_path": "/vulnerabilities/PVE-2023-59475/59475", + "advisory": "Copyparty 1.8.2 includes a fix for a Path Traversal vulnerability: An attacker may use the /.cpr endpoint to have full access to the server filesystem.\r\nhttps://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff\r\nhttps://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg", + "cve": "CVE-2023-37474", + "id": "pyup.io-59466", + "more_info_path": "/vulnerabilities/CVE-2023-37474/59466", "specs": [ "<1.8.2" ], 
@@ -24287,6 +24391,26 @@ } ], "cornflow": [ + { + "advisory": "Cornflow version 1.0.11 updates its Werkzeug dependency to version 3.0.3 or lower (previously <=2.3.8) to address the security vulnerability identified as CVE-2024-34069.", + "cve": "CVE-2024-34069", + "id": "pyup.io-71012", + "more_info_path": "/vulnerabilities/CVE-2024-34069/71012", + "specs": [ + "<1.0.11" + ], + "v": "<1.0.11" + }, + { + "advisory": "Cornflow version 1.0.11 updates its `flask-cors` dependency from version 3.0.10 or lower to version 4.0.1 or lower in response to CVE-2024-1681.", + "cve": "CVE-2024-1681", + "id": "pyup.io-71025", + "more_info_path": "/vulnerabilities/CVE-2024-1681/71025", + "specs": [ + "<1.0.11" + ], + "v": "<1.0.11" + }, { "advisory": "Cornflow 1.0.5 updates its dependency 'flask' to v2.3.2 to include a security fix.", "cve": "CVE-2023-30861", @@ -24430,8 +24554,8 @@ { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2012-6708", - "id": "pyup.io-49057", - "more_info_path": "/vulnerabilities/CVE-2012-6708/49057", + "id": "pyup.io-49056", + "more_info_path": "/vulnerabilities/CVE-2012-6708/49056", "specs": [ "<0.13.0" ], @@ -24439,19 +24563,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2019-11358", - "id": "pyup.io-49061", - "more_info_path": "/vulnerabilities/CVE-2019-11358/49061", - "specs": [ - "<0.13.0" - ], - "v": "<0.13.0" - }, - { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2019-8331", - "id": "pyup.io-49063", - "more_info_path": "/vulnerabilities/CVE-2019-8331/49063", + "cve": "CVE-2020-7656", + "id": "pyup.io-49062", + "more_info_path": "/vulnerabilities/CVE-2020-7656/49062", "specs": [ "<0.13.0" ], 
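Review bot: Both new cornflow entries describe raising an upper bound ("to version 3.0.3 or lower", "to version 4.0.1 or lower"), which permits but does not require the fixed Werkzeug 3.0.3 and flask-cors 4.0.1 releases, so cornflow 1.0.11 can still resolve the versions affected by CVE-2024-34069 and CVE-2024-1681 and the `<1.0.11` match understates the exposure. I would say so in the advisory text, e.g. `Cornflow version 1.0.11 raises the upper bound on its Werkzeug dependency to <=3.0.3 (previously <=2.3.8); this allows but does not pin the 3.0.3 release that fixes CVE-2024-34069, so verify the installed Werkzeug version.`, with the equivalent wording for the flask-cors entry. The crate-docs-theme hunks sharing this line only reorder existing entries.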
@@ -24459,9 +24573,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2012-6708", - "id": "pyup.io-49056", - "more_info_path": "/vulnerabilities/CVE-2012-6708/49056", + "cve": "CVE-2011-4969", + "id": "pyup.io-39529", + "more_info_path": "/vulnerabilities/CVE-2011-4969/39529", "specs": [ "<0.13.0" ], @@ -24469,19 +24583,19 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2015-9251", - "id": "pyup.io-49059", - "more_info_path": "/vulnerabilities/CVE-2015-9251/49059", + "cve": "CVE-2019-11358", + "id": "pyup.io-49061", + "more_info_path": "/vulnerabilities/CVE-2019-11358/49061", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2018-14042", - "id": "pyup.io-49067", - "more_info_path": "/vulnerabilities/CVE-2018-14042/49067", + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", + "cve": "CVE-2012-6708", + "id": "pyup.io-49057", + "more_info_path": "/vulnerabilities/CVE-2012-6708/49057", "specs": [ "<0.13.0" ], @@ -24489,9 +24603,9 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2018-14040", - "id": "pyup.io-49066", - "more_info_path": "/vulnerabilities/CVE-2018-14040/49066", + "cve": "CVE-2019-8331", + "id": "pyup.io-49063", + "more_info_path": "/vulnerabilities/CVE-2019-8331/49063", "specs": [ "<0.13.0" ], 
@@ -24509,19 +24623,19 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2020-7656", - "id": "pyup.io-49062", - "more_info_path": "/vulnerabilities/CVE-2020-7656/49062", + "cve": "CVE-2015-9251", + "id": "pyup.io-49058", + "more_info_path": "/vulnerabilities/CVE-2015-9251/49058", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", - "cve": "CVE-2011-4969", - "id": "pyup.io-39529", - "more_info_path": "/vulnerabilities/CVE-2011-4969/39529", + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", + "cve": "CVE-2018-20677", + "id": "pyup.io-49064", + "more_info_path": "/vulnerabilities/CVE-2018-20677/49064", "specs": [ "<0.13.0" ], @@ -24550,8 +24664,8 @@ { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'jquery' to v3.5.1 to include security fixes.", "cve": "CVE-2015-9251", - "id": "pyup.io-49058", - "more_info_path": "/vulnerabilities/CVE-2015-9251/49058", + "id": "pyup.io-49059", + "more_info_path": "/vulnerabilities/CVE-2015-9251/49059", "specs": [ "<0.13.0" ], @@ -24559,9 +24673,19 @@ }, { "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", - "cve": "CVE-2018-20677", - "id": "pyup.io-49064", - "more_info_path": "/vulnerabilities/CVE-2018-20677/49064", + "cve": "CVE-2018-14040", + "id": "pyup.io-49066", + "more_info_path": "/vulnerabilities/CVE-2018-14040/49066", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, + { + "advisory": "Crate-docs-theme 0.13.0 updates its NPM dependency 'bootstrap' to v4.5.3 to include security fixes.", + "cve": "CVE-2018-14042", + "id": "pyup.io-49067", + "more_info_path": "/vulnerabilities/CVE-2018-14042/49067", "specs": [ "<0.13.0" ], 
@@ -24755,20 +24879,20 @@ "v": "<1.7.2" }, { - "advisory": "Cryptoadvance.specter version 2.0.2 has updated its Electron dependency from version 22.1.0 to 22.3.21 to address security concerns outlined in CVE-2023-39956.", - "cve": "CVE-2023-39956", - "id": "pyup.io-67912", - "more_info_path": "/vulnerabilities/CVE-2023-39956/67912", + "advisory": "Cryptoadvance.specter version 2.0.2 addresses a security issue where the \"next\" parameter during the login process on Specter desktop could be manipulated to redirect users to an unauthorized domain after login. This vulnerability posed a phishing risk, as attackers could easily direct users to malicious sites by altering the \"next\" parameter in the URL. The update rectifies this issue to prevent potential phishing attacks.", + "cve": "PVE-2024-67911", + "id": "pyup.io-67911", + "more_info_path": "/vulnerabilities/PVE-2024-67911/67911", "specs": [ "<2.0.2" ], "v": "<2.0.2" }, { - "advisory": "Cryptoadvance.specter version 2.0.2 addresses a security issue where the \"next\" parameter during the login process on Specter desktop could be manipulated to redirect users to an unauthorized domain after login. This vulnerability posed a phishing risk, as attackers could easily direct users to malicious sites by altering the \"next\" parameter in the URL. The update rectifies this issue to prevent potential phishing attacks.", - "cve": "PVE-2024-67911", - "id": "pyup.io-67911", - "more_info_path": "/vulnerabilities/PVE-2024-67911/67911", + "advisory": "Cryptoadvance.specter version 2.0.2 has updated its Electron dependency from version 22.1.0 to 22.3.21 to address security concerns outlined in CVE-2023-39956.", + "cve": "CVE-2023-39956", + "id": "pyup.io-67912", + "more_info_path": "/vulnerabilities/CVE-2023-39956/67912", "specs": [ "<2.0.2" ], 
@@ -24854,9 +24978,9 @@ }, { "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", - "cve": "CVE-2017-3735", - "id": "pyup.io-50724", - "more_info_path": "/vulnerabilities/CVE-2017-3735/50724", + "cve": "CVE-2017-3736", + "id": "pyup.io-50725", + "more_info_path": "/vulnerabilities/CVE-2017-3736/50725", "specs": [ "<2.1.3" ], @@ -24864,9 +24988,9 @@ }, { "advisory": "Cryptography 2.1.3 updates Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g, that includes security fixes.", - "cve": "CVE-2017-3736", - "id": "pyup.io-50725", - "more_info_path": "/vulnerabilities/CVE-2017-3736/50725", + "cve": "CVE-2017-3735", + "id": "pyup.io-50724", + "more_info_path": "/vulnerabilities/CVE-2017-3735/50724", "specs": [ "<2.1.3" ], @@ -24903,10 +25027,10 @@ "v": "<39.0.1" }, { - "advisory": "Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl.\r\nhttps://github.com/pyca/cryptography/issues/7940", - "cve": "CVE-2022-3996", - "id": "pyup.io-53298", - "more_info_path": "/vulnerabilities/CVE-2022-3996/53298", + "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", + "cve": "CVE-2023-0217", + "id": "pyup.io-53306", + "more_info_path": "/vulnerabilities/CVE-2023-0217/53306", "specs": [ "<39.0.1" ], @@ -24924,9 +25048,9 @@ }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", - "cve": "CVE-2023-0217", - "id": "pyup.io-53306", - "more_info_path": "/vulnerabilities/CVE-2023-0217/53306", + "cve": "CVE-2023-0286", + "id": "pyup.io-53304", + "more_info_path": "/vulnerabilities/CVE-2023-0286/53304", "specs": [ "<39.0.1" ], 
@@ -24944,9 +25068,9 @@ }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", - "cve": "CVE-2023-0401", - "id": "pyup.io-53307", - "more_info_path": "/vulnerabilities/CVE-2023-0401/53307", + "cve": "CVE-2023-0215", + "id": "pyup.io-53305", + "more_info_path": "/vulnerabilities/CVE-2023-0215/53305", "specs": [ "<39.0.1" ], @@ -24954,9 +25078,9 @@ }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", - "cve": "CVE-2023-0286", - "id": "pyup.io-53304", - "more_info_path": "/vulnerabilities/CVE-2023-0286/53304", + "cve": "CVE-2022-4203", + "id": "pyup.io-53301", + "more_info_path": "/vulnerabilities/CVE-2022-4203/53301", "specs": [ "<39.0.1" ], @@ -24964,19 +25088,19 @@ }, { "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", - "cve": "CVE-2022-4203", - "id": "pyup.io-53301", - "more_info_path": "/vulnerabilities/CVE-2022-4203/53301", + "cve": "CVE-2023-0401", + "id": "pyup.io-53307", + "more_info_path": "/vulnerabilities/CVE-2023-0401/53307", "specs": [ "<39.0.1" ], "v": "<39.0.1" }, { - "advisory": "Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.\r\nhttps://github.com/pyca/cryptography/issues/8229", - "cve": "CVE-2023-0215", - "id": "pyup.io-53305", - "more_info_path": "/vulnerabilities/CVE-2023-0215/53305", + "advisory": "Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl.\r\nhttps://github.com/pyca/cryptography/issues/7940", + "cve": "CVE-2022-3996", + "id": "pyup.io-53298", + "more_info_path": "/vulnerabilities/CVE-2022-3996/53298", "specs": [ "<39.0.1" ], 
@@ -25023,20 +25147,20 @@ "v": "<41.0.5" }, { - "advisory": "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782.", - "cve": "CVE-2023-50782", - "id": "pyup.io-65278", - "more_info_path": "/vulnerabilities/CVE-2023-50782/65278", + "advisory": "Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters.", + "cve": "CVE-2023-5678", + "id": "pyup.io-65510", + "more_info_path": "/vulnerabilities/CVE-2023-5678/65510", "specs": [ "<42.0.0" ], "v": "<42.0.0" }, { - "advisory": "Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters.", - "cve": "CVE-2023-5678", - "id": "pyup.io-65510", - "more_info_path": "/vulnerabilities/CVE-2023-5678/65510", + "advisory": "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782.", + "cve": "CVE-2023-50782", + "id": "pyup.io-65278", + "more_info_path": "/vulnerabilities/CVE-2023-50782/65278", "specs": [ "<42.0.0" ], 
@@ -25083,20 +25207,20 @@ "v": ">=0.8,<41.0.3" }, { - "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230719.txt", - "cve": "CVE-2023-3446", - "id": "pyup.io-60225", - "more_info_path": "/vulnerabilities/CVE-2023-3446/60225", + "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230714.txt", + "cve": "CVE-2023-2975", + "id": "pyup.io-60224", + "more_info_path": "/vulnerabilities/CVE-2023-2975/60224", "specs": [ ">=0.8,<41.0.3" ], "v": ">=0.8,<41.0.3" }, { - "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230714.txt", - "cve": "CVE-2023-2975", - "id": "pyup.io-60224", - "more_info_path": "/vulnerabilities/CVE-2023-2975/60224", + "advisory": "Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2\r\nhttps://www.openssl.org/news/secadv/20230719.txt", + "cve": "CVE-2023-3446", + "id": "pyup.io-60225", + "more_info_path": "/vulnerabilities/CVE-2023-3446/60225", "specs": [ ">=0.8,<41.0.3" ], 
@@ -25133,20 +25257,20 @@ "v": ">=3.1,<41.0.6" }, { - "advisory": "CVE-2023-6237 addresses a vulnerability in RSA public key verification where checking a large, incorrect RSA key with EVP_PKEY_public_check() could take an excessive amount of time. This is due to no size limit on the RSA public key and an unnecessarily high number of Miller-Rabin rounds for modulus non-primality checks. The fix sets a maximum key size of 16384 bits and reduces Miller-Rabin rounds to 5, enhancing security and performance by preventing the RSA_R_MODULUS_TOO_LARGE error.", - "cve": "CVE-2023-6237", - "id": "pyup.io-66777", - "more_info_path": "/vulnerabilities/CVE-2023-6237/66777", + "advisory": "Versions of Cryptograph starting from 35.0.0 are susceptible to a security flaw in the POLY1305 MAC algorithm on PowerPC CPUs, which allows an attacker to disrupt the application's state. This disruption might result in false calculations or cause a denial of service. The vulnerability's exploitation hinges on the attacker's ability to alter the algorithm's application and the dependency of the software on non-volatile XMM registers.\r\nhttps://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", + "cve": "CVE-2023-6129", + "id": "pyup.io-65212", + "more_info_path": "/vulnerabilities/CVE-2023-6129/65212", "specs": [ ">=35.0.0,<42.0.2" ], "v": ">=35.0.0,<42.0.2" }, { - "advisory": "Versions of Cryptograph starting from 35.0.0 are susceptible to a security flaw in the POLY1305 MAC algorithm on PowerPC CPUs, which allows an attacker to disrupt the application's state. This disruption might result in false calculations or cause a denial of service. 
The vulnerability's exploitation hinges on the attacker's ability to alter the algorithm's application and the dependency of the software on non-volatile XMM registers.\r\nhttps://github.com/pyca/cryptography/commit/89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9", - "cve": "CVE-2023-6129", - "id": "pyup.io-65212", - "more_info_path": "/vulnerabilities/CVE-2023-6129/65212", + "advisory": "CVE-2023-6237 addresses a vulnerability in RSA public key verification where checking a large, incorrect RSA key with EVP_PKEY_public_check() could take an excessive amount of time. This is due to no size limit on the RSA public key and an unnecessarily high number of Miller-Rabin rounds for modulus non-primality checks. The fix sets a maximum key size of 16384 bits and reduces Miller-Rabin rounds to 5, enhancing security and performance by preventing the RSA_R_MODULUS_TOO_LARGE error.", + "cve": "CVE-2023-6237", + "id": "pyup.io-66777", + "more_info_path": "/vulnerabilities/CVE-2023-6237/66777", "specs": [ ">=35.0.0,<42.0.2" ], @@ -25154,9 +25278,9 @@ }, { "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", - "cve": "CVE-2022-3786", - "id": "pyup.io-52173", - "more_info_path": "/vulnerabilities/CVE-2022-3786/52173", + "cve": "CVE-2022-3602", + "id": "pyup.io-52174", + "more_info_path": "/vulnerabilities/CVE-2022-3602/52174", "specs": [ ">=37.0.0,<38.0.3" ], 
@@ -25164,9 +25288,9 @@ }, { "advisory": "Cryptography versions from 37.0.0 and before 38.0.2 include a statically linked copy of OpenSSL that has known vulnerabilities.\r\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x", - "cve": "CVE-2022-3602", - "id": "pyup.io-52174", - "more_info_path": "/vulnerabilities/CVE-2022-3602/52174", + "cve": "CVE-2022-3786", + "id": "pyup.io-52173", + "more_info_path": "/vulnerabilities/CVE-2022-3786/52173", "specs": [ ">=37.0.0,<38.0.3" ], @@ -25414,6 +25538,30 @@ "v": "<0.14.0" } ], + "cvat-cli": [ + { + "advisory": "CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.", + "cve": "CVE-2022-31188", + "id": "pyup.io-70772", + "more_info_path": "/vulnerabilities/CVE-2022-31188/70772", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "cvat-sdk": [ + { + "advisory": "CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.", + "cve": "CVE-2022-31188", + "id": "pyup.io-70773", + "more_info_path": "/vulnerabilities/CVE-2022-31188/70773", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], "cve-bin-tool": [ { "advisory": "Cve-bin-tool version 3.3rc3 updates its Pillow dependency to version 10.0.1 from 9.5.0 to address the security vulnerability outlined in CVE-2023-44271.", 
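Review bot: The new `cvat-cli` and `cvat-sdk` entries reuse the CVAT application advisory for CVE-2022-31188 verbatim with specs `<2.0.0`, but the text describes URL validation added to "the affected code path" in the annotation tool itself, and nothing in either entry establishes that the client-side CLI and SDK distributions ship that code path. Before scanners begin flagging these packages, confirm that the SSRF is reachable through them; if it is not, the entries are false positives and should be dropped, and if these distributions only exist from the 2.x line onward the `<2.0.0` range never matches a published release anyway. Adding the upstream GHSA or fix-commit link, as other entries in this file do, would make the package-to-CVE mapping auditable.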
@@ -25486,20 +25634,20 @@ ], "cycode": [ { - "advisory": "Cycode 0.2.0 updates its dependency 'gitpython' to v3.1.30 to include a security fix.", - "cve": "CVE-2022-24439", - "id": "pyup.io-53553", - "more_info_path": "/vulnerabilities/CVE-2022-24439/53553", + "advisory": "Cycode 0.2.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-53554", + "more_info_path": "/vulnerabilities/CVE-2022-40897/53554", "specs": [ "<0.2.0" ], "v": "<0.2.0" }, { - "advisory": "Cycode 0.2.0 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-53554", - "more_info_path": "/vulnerabilities/CVE-2022-40897/53554", + "advisory": "Cycode 0.2.0 updates its dependency 'gitpython' to v3.1.30 to include a security fix.", + "cve": "CVE-2022-24439", + "id": "pyup.io-53553", + "more_info_path": "/vulnerabilities/CVE-2022-24439/53553", "specs": [ "<0.2.0" ], @@ -26213,9 +26361,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2018-25032", - "id": "pyup.io-52166", - "more_info_path": "/vulnerabilities/CVE-2018-25032/52166", + "cve": "CVE-2021-3997", + "id": "pyup.io-52170", + "more_info_path": "/vulnerabilities/CVE-2021-3997/52170", "specs": [ "<1.1.4" ], @@ -26223,9 +26371,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-3999", - "id": "pyup.io-52160", - "more_info_path": "/vulnerabilities/CVE-2021-3999/52160", + "cve": "CVE-2022-1586", + "id": "pyup.io-52158", + "more_info_path": "/vulnerabilities/CVE-2022-1586/52158", "specs": [ "<1.1.4" ], 
@@ -26233,9 +26381,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1292", - "id": "pyup.io-52154", - "more_info_path": "/vulnerabilities/CVE-2022-1292/52154", + "cve": "CVE-2022-1587", + "id": "pyup.io-52157", + "more_info_path": "/vulnerabilities/CVE-2022-1587/52157", "specs": [ "<1.1.4" ], @@ -26243,9 +26391,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-46828", - "id": "pyup.io-52164", - "more_info_path": "/vulnerabilities/CVE-2021-46828/52164", + "cve": "CVE-2022-1271", + "id": "pyup.io-52159", + "more_info_path": "/vulnerabilities/CVE-2022-1271/52159", "specs": [ "<1.1.4" ], @@ -26253,9 +26401,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-33574", - "id": "pyup.io-52153", - "more_info_path": "/vulnerabilities/CVE-2021-33574/52153", + "cve": "CVE-2022-0778", + "id": "pyup.io-52165", + "more_info_path": "/vulnerabilities/CVE-2022-0778/52165", "specs": [ "<1.1.4" ], @@ -26263,9 +26411,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-37434", - "id": "pyup.io-52156", - "more_info_path": "/vulnerabilities/CVE-2022-37434/52156", + "cve": "CVE-2021-33574", + "id": "pyup.io-52153", + "more_info_path": "/vulnerabilities/CVE-2021-33574/52153", "specs": [ "<1.1.4" ], 
@@ -26273,9 +26421,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1586", - "id": "pyup.io-52158", - "more_info_path": "/vulnerabilities/CVE-2022-1586/52158", + "cve": "CVE-2022-23219", + "id": "pyup.io-52151", + "more_info_path": "/vulnerabilities/CVE-2022-23219/52151", "specs": [ "<1.1.4" ], @@ -26283,9 +26431,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-2509", - "id": "pyup.io-52163", - "more_info_path": "/vulnerabilities/CVE-2022-2509/52163", + "cve": "CVE-2022-34903", + "id": "pyup.io-52167", + "more_info_path": "/vulnerabilities/CVE-2022-34903/52167", "specs": [ "<1.1.4" ], @@ -26293,9 +26441,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-34903", - "id": "pyup.io-52167", - "more_info_path": "/vulnerabilities/CVE-2022-34903/52167", + "cve": "CVE-2021-46828", + "id": "pyup.io-52164", + "more_info_path": "/vulnerabilities/CVE-2021-46828/52164", "specs": [ "<1.1.4" ], @@ -26303,9 +26451,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-0778", - "id": "pyup.io-52165", - "more_info_path": "/vulnerabilities/CVE-2022-0778/52165", + "cve": "CVE-2018-25032", + "id": "pyup.io-52166", + "more_info_path": "/vulnerabilities/CVE-2018-25032/52166", "specs": [ "<1.1.4" ], 
@@ -26313,9 +26461,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1664", - "id": "pyup.io-52146", - "more_info_path": "/vulnerabilities/CVE-2022-1664/52146", + "cve": "CVE-2022-23218", + "id": "pyup.io-52152", + "more_info_path": "/vulnerabilities/CVE-2022-23218/52152", "specs": [ "<1.1.4" ], @@ -26323,9 +26471,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-40674", - "id": "pyup.io-52150", - "more_info_path": "/vulnerabilities/CVE-2022-40674/52150", + "cve": "CVE-2022-2509", + "id": "pyup.io-52163", + "more_info_path": "/vulnerabilities/CVE-2022-2509/52163", "specs": [ "<1.1.4" ], @@ -26333,9 +26481,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-3997", - "id": "pyup.io-52170", - "more_info_path": "/vulnerabilities/CVE-2021-3997/52170", + "cve": "CVE-2022-1664", + "id": "pyup.io-52146", + "more_info_path": "/vulnerabilities/CVE-2022-1664/52146", "specs": [ "<1.1.4" ], @@ -26343,9 +26491,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-4209", - "id": "pyup.io-52168", - "more_info_path": "/vulnerabilities/CVE-2021-4209/52168", + "cve": "CVE-2022-37434", + "id": "pyup.io-52156", + "more_info_path": "/vulnerabilities/CVE-2022-37434/52156", "specs": [ "<1.1.4" ], 
@@ -26353,9 +26501,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-23219", - "id": "pyup.io-52151", - "more_info_path": "/vulnerabilities/CVE-2022-23219/52151", + "cve": "CVE-2022-1292", + "id": "pyup.io-52154", + "more_info_path": "/vulnerabilities/CVE-2022-1292/52154", "specs": [ "<1.1.4" ], @@ -26363,9 +26511,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1587", - "id": "pyup.io-52157", - "more_info_path": "/vulnerabilities/CVE-2022-1587/52157", + "cve": "CVE-2021-4160", + "id": "pyup.io-52169", + "more_info_path": "/vulnerabilities/CVE-2021-4160/52169", "specs": [ "<1.1.4" ], @@ -26373,9 +26521,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-1271", - "id": "pyup.io-52159", - "more_info_path": "/vulnerabilities/CVE-2022-1271/52159", + "cve": "CVE-2021-3999", + "id": "pyup.io-52160", + "more_info_path": "/vulnerabilities/CVE-2021-3999/52160", "specs": [ "<1.1.4" ], @@ -26383,9 +26531,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2021-4160", - "id": "pyup.io-52169", - "more_info_path": "/vulnerabilities/CVE-2021-4160/52169", + "cve": "CVE-2021-4209", + "id": "pyup.io-52168", + "more_info_path": "/vulnerabilities/CVE-2021-4209/52168", "specs": [ "<1.1.4" ], 
@@ -26393,9 +26541,9 @@ }, { "advisory": "Dagster-cloud 1.1.4 updates 'dagster/dagster-cloud-agent' Docker image\u2019s base to 'python:3.8.15-slim' to include security fixes.", - "cve": "CVE-2022-23218", - "id": "pyup.io-52152", - "more_info_path": "/vulnerabilities/CVE-2022-23218/52152", + "cve": "CVE-2022-40674", + "id": "pyup.io-52150", + "more_info_path": "/vulnerabilities/CVE-2022-40674/52150", "specs": [ "<1.1.4" ], @@ -26520,9 +26668,9 @@ "dapla-toolbelt-pseudo": [ { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2022-4304", - "id": "pyup.io-53734", - "more_info_path": "/vulnerabilities/CVE-2022-4304/53734", + "cve": "CVE-2022-4203", + "id": "pyup.io-53736", + "more_info_path": "/vulnerabilities/CVE-2022-4203/53736", "specs": [ "<0.2.1" ], @@ -26530,9 +26678,9 @@ }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2023-0401", - "id": "pyup.io-53714", - "more_info_path": "/vulnerabilities/CVE-2023-0401/53714", + "cve": "CVE-2023-0286", + "id": "pyup.io-53733", + "more_info_path": "/vulnerabilities/CVE-2023-0286/53733", "specs": [ "<0.2.1" ], @@ -26540,9 +26688,9 @@ }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2022-4203", - "id": "pyup.io-53736", - "more_info_path": "/vulnerabilities/CVE-2022-4203/53736", + "cve": "CVE-2022-4450", + "id": "pyup.io-53735", + "more_info_path": "/vulnerabilities/CVE-2022-4450/53735", "specs": [ "<0.2.1" ], 
@@ -26550,9 +26698,9 @@ }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2023-0217", - "id": "pyup.io-53732", - "more_info_path": "/vulnerabilities/CVE-2023-0217/53732", + "cve": "CVE-2023-0401", + "id": "pyup.io-53714", + "more_info_path": "/vulnerabilities/CVE-2023-0401/53714", "specs": [ "<0.2.1" ], @@ -26560,9 +26708,9 @@ }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2023-0286", - "id": "pyup.io-53733", - "more_info_path": "/vulnerabilities/CVE-2023-0286/53733", + "cve": "CVE-2023-0217", + "id": "pyup.io-53732", + "more_info_path": "/vulnerabilities/CVE-2023-0217/53732", "specs": [ "<0.2.1" ], @@ -26570,9 +26718,9 @@ }, { "advisory": "Dapla-toolbelt-pseudo 0.2.1 updates its dependency 'cryptography' to v39.0.1 to include security fixes.", - "cve": "CVE-2022-4450", - "id": "pyup.io-53735", - "more_info_path": "/vulnerabilities/CVE-2022-4450/53735", + "cve": "CVE-2022-4304", + "id": "pyup.io-53734", + "more_info_path": "/vulnerabilities/CVE-2022-4304/53734", "specs": [ "<0.2.1" ], @@ -26699,6 +26847,16 @@ ], "v": "<0.1.1" }, + { + "advisory": "Dash-extensions 0.1.8 updates its NPM dependency \"mermaid\" requirement to \"^9.2.2\" to include a security fix.", + "cve": "CVE-2022-31108", + "id": "pyup.io-52354", + "more_info_path": "/vulnerabilities/CVE-2022-31108/52354", + "specs": [ + "<0.1.8" + ], + "v": "<0.1.8" + }, { "advisory": "Dash-extensions 0.1.8 updates its dependency 'cryptography' to v 38.0.3 to include security fixes.", "cve": "CVE-2022-3602", 
@@ -26709,6 +26867,16 @@ ], "v": "<0.1.8" }, + { + "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", + "cve": "CVE-2022-37601", + "id": "pyup.io-52351", + "more_info_path": "/vulnerabilities/CVE-2022-37601/52351", + "specs": [ + "<0.1.8" + ], + "v": "<0.1.8" + }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", "cve": "CVE-2022-37603", @@ -26731,9 +26899,9 @@ }, { "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", - "cve": "CVE-2022-37601", - "id": "pyup.io-52351", - "more_info_path": "/vulnerabilities/CVE-2022-37601/52351", + "cve": "CVE-2022-37599", + "id": "pyup.io-52352", + "more_info_path": "/vulnerabilities/CVE-2022-37599/52352", "specs": [ "<0.1.8" ], @@ -26750,24 +26918,14 @@ "v": "<0.1.8" }, { - "advisory": "Dash-extensions 0.1.8 updates its NPM dependency \"mermaid\" requirement to \"^9.2.2\" to include a security fix.", - "cve": "CVE-2022-31108", - "id": "pyup.io-52354", - "more_info_path": "/vulnerabilities/CVE-2022-31108/52354", - "specs": [ - "<0.1.8" - ], - "v": "<0.1.8" - }, - { - "advisory": "Dash-extensions 0.1.8 updates its NPM dependency 'loader-utils' to v3.2.1 to include security fixes.", - "cve": "CVE-2022-37599", - "id": "pyup.io-52352", - "more_info_path": "/vulnerabilities/CVE-2022-37599/52352", + "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", + "cve": "CVE-2022-23491", + "id": "pyup.io-52623", + "more_info_path": "/vulnerabilities/CVE-2022-23491/52623", "specs": [ - "<0.1.8" + "<0.1.9" ], - "v": "<0.1.8" + "v": "<0.1.9" }, { "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", 
@@ -26788,16 +26946,6 @@ "<0.1.9" ], "v": "<0.1.9" - }, - { - "advisory": "Dash-extensions 0.1.9 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", - "cve": "CVE-2022-23491", - "id": "pyup.io-52623", - "more_info_path": "/vulnerabilities/CVE-2022-23491/52623", - "specs": [ - "<0.1.9" - ], - "v": "<0.1.9" } ], "dash-io": [ 
@@ -27031,6 +27179,26 @@ } ], "datahub": [ + { + "advisory": "DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-47628", + "id": "pyup.io-70896", + "more_info_path": "/vulnerabilities/CVE-2023-47628/70896", + "specs": [ + "<0.12.1" + ], + "v": "<0.12.1" + }, + { + "advisory": "DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain preconditions. If the default datahub user has been removed, then the user can sign up for an account that leverages the default policies giving admin privileges to the datahub user. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. 
There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-47629", + "id": "pyup.io-70897", + "more_info_path": "/vulnerabilities/CVE-2023-47629/70897", + "specs": [ + "<0.12.1" + ], + "v": "<0.12.1" + }, { "advisory": "DataHub's AuthServiceClient, specifically versions prior to 0.8.45, creates JSON strings using format strings containing user-controlled data. This method enables potential attackers to manipulate these JSON strings and forward them to the backend, leading to potential misuse and authentication bypasses. Such misuse could result in the generation of system accounts, potentially leading to full system compromise. This vulnerability was identified and reported by the GitHub Security lab and is being tracked under GHSL-2022-080.\r\nhttps://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3", "cve": "CVE-2023-25560", 
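Review bot: The added CVE-2023-47628 entry (session cookies with no expiry) closes with "All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected", which is the affected-population statement of the invite-link issue (CVE-2023-47629) directly below it and does not describe the cookie-lifetime problem, so it reads as a copy-paste carry-over from the upstream text. Since the cookie issue lives in DataHub Frontend's Play session configuration, it presumably affects every pre-0.12.1 frontend regardless of the datahub user; I would drop that sentence or replace it with `All DataHub Frontend instances prior to 0.12.1 are affected.` after checking the GHSA. Both advisories concern the frontend and server components, so it is also worth confirming that the `datahub` PyPI distribution actually contains them before flagging `<0.12.1`; a GHSA link in each entry would make that verifiable.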
@@ -27410,166 +27578,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23566", - "id": "pyup.io-50372", - "more_info_path": "/vulnerabilities/CVE-2022-23566/50372", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23567", - "id": "pyup.io-50373", - "more_info_path": "/vulnerabilities/CVE-2022-23567/50373", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23569", - "id": "pyup.io-50375", - "more_info_path": "/vulnerabilities/CVE-2022-23569/50375", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23572", - "id": "pyup.io-50378", - "more_info_path": "/vulnerabilities/CVE-2022-23572/50378", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23584", - "id": "pyup.io-50390", - "more_info_path": "/vulnerabilities/CVE-2022-23584/50390", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23594", - "id": "pyup.io-50398", - "more_info_path": "/vulnerabilities/CVE-2022-23594/50398", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23595", - "id": "pyup.io-50399", - "more_info_path": "/vulnerabilities/CVE-2022-23595/50399", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to 
v2.8.1 to include security fixes.", - "cve": "CVE-2022-29193", - "id": "pyup.io-50410", - "more_info_path": "/vulnerabilities/CVE-2022-29193/50410", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29211", - "id": "pyup.io-50427", - "more_info_path": "/vulnerabilities/CVE-2022-29211/50427", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23574", - "id": "pyup.io-50380", - "more_info_path": "/vulnerabilities/CVE-2022-23574/50380", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23562", - "id": "pyup.io-50368", - "more_info_path": "/vulnerabilities/CVE-2022-23562/50368", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23591", - "id": "pyup.io-50397", - "more_info_path": "/vulnerabilities/CVE-2022-23591/50397", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23575", - "id": "pyup.io-50381", - "more_info_path": "/vulnerabilities/CVE-2022-23575/50381", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29216", - "id": "pyup.io-50430", - "more_info_path": "/vulnerabilities/CVE-2022-29216/50430", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23588", - "id": "pyup.io-50394", - "more_info_path": 
"/vulnerabilities/CVE-2022-23588/50394", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23579", - "id": "pyup.io-50385", - "more_info_path": "/vulnerabilities/CVE-2022-23579/50385", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-23561", @@ -27590,26 +27598,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29192", - "id": "pyup.io-50409", - "more_info_path": "/vulnerabilities/CVE-2022-29192/50409", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23580", - "id": "pyup.io-50386", - "more_info_path": "/vulnerabilities/CVE-2022-23580/50386", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-27780", @@ -27642,9 +27630,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21726", - "id": "pyup.io-50346", - "more_info_path": "/vulnerabilities/CVE-2022-21726/50346", + "cve": "CVE-2022-21728", + "id": "pyup.io-50348", + "more_info_path": "/vulnerabilities/CVE-2022-21728/50348", "specs": [ "<1.5.0" ], @@ -27652,9 +27640,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21728", - "id": "pyup.io-50348", - "more_info_path": "/vulnerabilities/CVE-2022-21728/50348", + "cve": "CVE-2022-23568", + "id": "pyup.io-50374", + "more_info_path": "/vulnerabilities/CVE-2022-23568/50374", "specs": [ "<1.5.0" ], 
@@ -27662,9 +27650,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23568", - "id": "pyup.io-50374", - "more_info_path": "/vulnerabilities/CVE-2022-23568/50374", + "cve": "CVE-2022-21738", + "id": "pyup.io-50358", + "more_info_path": "/vulnerabilities/CVE-2022-21738/50358", "specs": [ "<1.5.0" ], @@ -27672,9 +27660,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-27774", - "id": "pyup.io-50400", - "more_info_path": "/vulnerabilities/CVE-2022-27774/50400", + "cve": "CVE-2022-21735", + "id": "pyup.io-50355", + "more_info_path": "/vulnerabilities/CVE-2022-21735/50355", "specs": [ "<1.5.0" ], @@ -27682,9 +27670,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29212", - "id": "pyup.io-50428", - "more_info_path": "/vulnerabilities/CVE-2022-29212/50428", + "cve": "CVE-2022-21736", + "id": "pyup.io-50356", + "more_info_path": "/vulnerabilities/CVE-2022-21736/50356", "specs": [ "<1.5.0" ], @@ -27692,9 +27680,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29213", - "id": "pyup.io-50429", - "more_info_path": "/vulnerabilities/CVE-2022-29213/50429", + "cve": "CVE-2022-21730", + "id": "pyup.io-50350", + "more_info_path": "/vulnerabilities/CVE-2022-21730/50350", "specs": [ "<1.5.0" ], @@ -27702,9 +27690,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21738", - "id": "pyup.io-50358", - "more_info_path": "/vulnerabilities/CVE-2022-21738/50358", + "cve": "CVE-2022-21731", + "id": "pyup.io-50351", + "more_info_path": "/vulnerabilities/CVE-2022-21731/50351", "specs": [ "<1.5.0" ], 
@@ -27712,9 +27700,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-29201", - "id": "pyup.io-50418", - "more_info_path": "/vulnerabilities/CVE-2022-29201/50418", + "cve": "CVE-2022-21740", + "id": "pyup.io-50360", + "more_info_path": "/vulnerabilities/CVE-2022-21740/50360", "specs": [ "<1.5.0" ], @@ -27722,9 +27710,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21729", - "id": "pyup.io-50349", - "more_info_path": "/vulnerabilities/CVE-2022-21729/50349", + "cve": "CVE-2022-23566", + "id": "pyup.io-50372", + "more_info_path": "/vulnerabilities/CVE-2022-23566/50372", "specs": [ "<1.5.0" ], @@ -27732,9 +27720,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21735", - "id": "pyup.io-50355", - "more_info_path": "/vulnerabilities/CVE-2022-21735/50355", + "cve": "CVE-2022-23572", + "id": "pyup.io-50378", + "more_info_path": "/vulnerabilities/CVE-2022-23572/50378", "specs": [ "<1.5.0" ], 
@@ -27742,9 +27730,219 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21736", - "id": "pyup.io-50356", - "more_info_path": "/vulnerabilities/CVE-2022-21736/50356", + "cve": "CVE-2022-23567", + "id": "pyup.io-50373", + "more_info_path": "/vulnerabilities/CVE-2022-23567/50373", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23584", + "id": "pyup.io-50390", + "more_info_path": "/vulnerabilities/CVE-2022-23584/50390", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23569", + "id": "pyup.io-50375", + "more_info_path": "/vulnerabilities/CVE-2022-23569/50375", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23594", + "id": "pyup.io-50398", + "more_info_path": "/vulnerabilities/CVE-2022-23594/50398", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23595", + "id": "pyup.io-50399", + "more_info_path": "/vulnerabilities/CVE-2022-23595/50399", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29193", + "id": "pyup.io-50410", + "more_info_path": "/vulnerabilities/CVE-2022-29193/50410", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29211", + "id": "pyup.io-50427", + "more_info_path": "/vulnerabilities/CVE-2022-29211/50427", + "specs": [ + "<1.5.0" + ], 
+ "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23574", + "id": "pyup.io-50380", + "more_info_path": "/vulnerabilities/CVE-2022-23574/50380", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23562", + "id": "pyup.io-50368", + "more_info_path": "/vulnerabilities/CVE-2022-23562/50368", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23591", + "id": "pyup.io-50397", + "more_info_path": "/vulnerabilities/CVE-2022-23591/50397", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23588", + "id": "pyup.io-50394", + "more_info_path": "/vulnerabilities/CVE-2022-23588/50394", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23575", + "id": "pyup.io-50381", + "more_info_path": "/vulnerabilities/CVE-2022-23575/50381", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29216", + "id": "pyup.io-50430", + "more_info_path": "/vulnerabilities/CVE-2022-29216/50430", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23579", + "id": "pyup.io-50385", + "more_info_path": "/vulnerabilities/CVE-2022-23579/50385", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include 
security fixes.", + "cve": "CVE-2022-29192", + "id": "pyup.io-50409", + "more_info_path": "/vulnerabilities/CVE-2022-29192/50409", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-23580", + "id": "pyup.io-50386", + "more_info_path": "/vulnerabilities/CVE-2022-23580/50386", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-21726", + "id": "pyup.io-50346", + "more_info_path": "/vulnerabilities/CVE-2022-21726/50346", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-27774", + "id": "pyup.io-50400", + "more_info_path": "/vulnerabilities/CVE-2022-27774/50400", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29212", + "id": "pyup.io-50428", + "more_info_path": "/vulnerabilities/CVE-2022-29212/50428", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29213", + "id": "pyup.io-50429", + "more_info_path": "/vulnerabilities/CVE-2022-29213/50429", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-29201", + "id": "pyup.io-50418", + "more_info_path": "/vulnerabilities/CVE-2022-29201/50418", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", + "cve": "CVE-2022-21729", + "id": "pyup.io-50349", + "more_info_path": 
"/vulnerabilities/CVE-2022-21729/50349", "specs": [ "<1.5.0" ], @@ -27852,19 +28050,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21730", - "id": "pyup.io-50350", - "more_info_path": "/vulnerabilities/CVE-2022-21730/50350", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21731", - "id": "pyup.io-50351", - "more_info_path": "/vulnerabilities/CVE-2022-21731/50351", + "cve": "CVE-2022-21732", + "id": "pyup.io-50352", + "more_info_path": "/vulnerabilities/CVE-2022-21732/50352", "specs": [ "<1.5.0" ], @@ -27880,16 +28068,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21732", - "id": "pyup.io-50352", - "more_info_path": "/vulnerabilities/CVE-2022-21732/50352", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21734", @@ -27910,16 +28088,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-21740", - "id": "pyup.io-50360", - "more_info_path": "/vulnerabilities/CVE-2022-21740/50360", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", "cve": "CVE-2022-21741", @@ -27992,9 +28160,9 @@ }, { "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.", - "cve": "CVE-2022-23585", - "id": "pyup.io-50391", - "more_info_path": "/vulnerabilities/CVE-2022-23585/50391", + "cve": "CVE-2022-23586", + "id": "pyup.io-50392", + "more_info_path": "/vulnerabilities/CVE-2022-23586/50392", "specs": [ "<1.5.0" ], 
@@ -28002,9 +28170,9 @@
 },
 {
 "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23586",
- "id": "pyup.io-50392",
- "more_info_path": "/vulnerabilities/CVE-2022-23586/50392",
+ "cve": "CVE-2022-23585",
+ "id": "pyup.io-50391",
+ "more_info_path": "/vulnerabilities/CVE-2022-23585/50391",
 "specs": [
 "<1.5.0"
 ],
@@ -28102,9 +28270,9 @@
 },
 {
 "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-23563",
- "id": "pyup.io-50369",
- "more_info_path": "/vulnerabilities/CVE-2022-23563/50369",
+ "cve": "CVE-2022-29208",
+ "id": "pyup.io-50425",
+ "more_info_path": "/vulnerabilities/CVE-2022-29208/50425",
 "specs": [
 "<1.5.0"
 ],
@@ -28112,9 +28280,9 @@
 },
 {
 "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-29208",
- "id": "pyup.io-50425",
- "more_info_path": "/vulnerabilities/CVE-2022-29208/50425",
+ "cve": "CVE-2022-23563",
+ "id": "pyup.io-50369",
+ "more_info_path": "/vulnerabilities/CVE-2022-23563/50369",
 "specs": [
 "<1.5.0"
 ],
@@ -28190,6 +28358,16 @@
 ],
 "v": "<1.5.0"
 },
+ {
+ "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
+ "cve": "CVE-2022-21725",
+ "id": "pyup.io-50345",
+ "more_info_path": "/vulnerabilities/CVE-2022-21725/50345",
+ "specs": [
+ "<1.5.0"
+ ],
+ "v": "<1.5.0"
+ },
 {
 "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
 "cve": "CVE-2022-29207",
@@ -28220,16 +28398,6 @@
 ],
 "v": "<1.5.0"
 },
- {
- "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
- "cve": "CVE-2022-21725",
- "id": "pyup.io-50345",
- "more_info_path": "/vulnerabilities/CVE-2022-21725/50345",
- "specs": [
- "<1.5.0"
- ],
- "v": "<1.5.0"
- },
 {
 "advisory": "Datum 1.5.0 updates its dependency 'TensorFlow' to v2.8.1 to include security fixes.",
 "cve": "CVE-2022-23557",
@@ -28305,10 +28473,10 @@
 "v": "<1.2.9"
 },
 {
- "advisory": "Dawgie 1.3.0 and 1.2.13 adds HTML sanitization to prevent injection attacks.\r\nhttps://github.com/al-niessner/DAWGIE/pull/93/commits/c4a4a2ffd88ea80a7c68a57c10d159c1e429e169",
- "cve": "PVE-2022-50444",
- "id": "pyup.io-50444",
- "more_info_path": "/vulnerabilities/PVE-2022-50444/50444",
+ "advisory": "Dawgie 1.3.0 and 1.2.13 include a fix for an open redirect vulnerability.\r\nhttps://github.com/al-niessner/DAWGIE/issues/146",
+ "cve": "PVE-2022-50443",
+ "id": "pyup.io-50443",
+ "more_info_path": "/vulnerabilities/PVE-2022-50443/50443",
 "specs": [
 ">=1.3.0rc0,<1.3.0",
 "<1.2.13"
@@ -28316,10 +28484,10 @@
 "v": ">=1.3.0rc0,<1.3.0,<1.2.13"
 },
 {
- "advisory": "Dawgie 1.3.0 and 1.2.13 include a fix for an open redirect vulnerability.\r\nhttps://github.com/al-niessner/DAWGIE/issues/146",
- "cve": "PVE-2022-50443",
- "id": "pyup.io-50443",
- "more_info_path": "/vulnerabilities/PVE-2022-50443/50443",
+ "advisory": "Dawgie 1.3.0 and 1.2.13 adds HTML sanitization to prevent injection attacks.\r\nhttps://github.com/al-niessner/DAWGIE/pull/93/commits/c4a4a2ffd88ea80a7c68a57c10d159c1e429e169",
+ "cve": "PVE-2022-50444",
+ "id": "pyup.io-50444",
+ "more_info_path": "/vulnerabilities/PVE-2022-50444/50444",
 "specs": [
 ">=1.3.0rc0,<1.3.0",
 "<1.2.13"
@@ -28329,7 +28497,7 @@
 ],
 "dazzler": [
 {
- "advisory": "The Dazzler version 0.10.0 dependency AIOHTTP 3.8.1 might return a result indicating \"ValueError: Invalid IPv6 URL\". This situation has the potential to result in a Denial of Service (DoS). \r\nAlias: GHSA-rwqr-c348-m5wr",
+ "advisory": "** DISPUTED ** The Dazzler version 0.10.0 dependency AIOHTTP 3.8.1 might return a result indicating \"ValueError: Invalid IPv6 URL\". This situation has the potential to result in a Denial of Service (DoS). \r\nAlias: GHSA-rwqr-c348-m5wr",
 "cve": "CVE-2022-33124",
 "id": "pyup.io-62759",
 "more_info_path": "/vulnerabilities/CVE-2022-33124/62759",
@@ -31794,6 +31962,16 @@
 ],
 "v": "<0.8"
 },
+ {
+ "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
+ "cve": "CVE-2019-13960",
+ "id": "pyup.io-48671",
+ "more_info_path": "/vulnerabilities/CVE-2019-13960/48671",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
 "cve": "CVE-2020-5215",
@@ -31924,16 +32102,6 @@
 ],
 "v": "<0.8"
 },
- {
- "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2019-13960",
- "id": "pyup.io-48671",
- "more_info_path": "/vulnerabilities/CVE-2019-13960/48671",
- "specs": [
- "<0.8"
- ],
- "v": "<0.8"
- },
 {
 "advisory": "Deepcell 0.8 updates its dependency 'TensorFlow' to v2.3.1 to include security fixes.",
 "cve": "CVE-2018-17190",
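Review bot: In the `dazzler` hunk the disputed status of CVE-2022-33124 is recorded only as a `** DISPUTED **` prefix inside the free-text `advisory`, while `cve`, `id` and `more_info_path` are unchanged, so any tool that matches on the structured fields will keep flagging the affected range exactly as before and has nothing to filter on. If the schema cannot carry a status field, the entry should at least state who disputes the finding and why, in the same way neighbouring entries append a reference URL after the `\r\n`, e.g. `\r\nDisputed: <link to the upstream dispute>`. The `specs` and `v` fields of this entry lie outside the hunk, so I cannot tell whether the range was left untouched.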
@@ -32639,20 +32807,20 @@
 "v": "<3.0.0"
 },
 {
- "advisory": "Descarteslabs version 3.0.2 has updated its minimum required version of the requests library to 2.31.0, previously set at 2.28.1 or higher. This upgrade addresses the security issue identified as CVE-2023-32681.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5",
- "cve": "CVE-2023-32681",
- "id": "pyup.io-65092",
- "more_info_path": "/vulnerabilities/CVE-2023-32681/65092",
+ "advisory": "Descarteslabs version 3.0.2 has upgraded its pyarrow dependency to require a minimum of version 14.0.1, moving from the earlier stipulation of version 13.0.0 or newer. This update is in response to addressing security concerns highlighted by CVE-2019-12410.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5",
+ "cve": "CVE-2019-12410",
+ "id": "pyup.io-65085",
+ "more_info_path": "/vulnerabilities/CVE-2019-12410/65085",
 "specs": [
 "<3.0.2"
 ],
 "v": "<3.0.2"
 },
 {
- "advisory": "Descarteslabs version 3.0.2 has upgraded its pyarrow dependency to require a minimum of version 14.0.1, moving from the earlier stipulation of version 13.0.0 or newer. This update is in response to addressing security concerns highlighted by CVE-2019-12410.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5",
- "cve": "CVE-2019-12410",
- "id": "pyup.io-65085",
- "more_info_path": "/vulnerabilities/CVE-2019-12410/65085",
+ "advisory": "Descarteslabs version 3.0.2 has updated its minimum required version of the requests library to 2.31.0, previously set at 2.28.1 or higher. This upgrade addresses the security issue identified as CVE-2023-32681.\r\nhttps://github.com/descarteslabs/descarteslabs-python/commit/bc51d674b7245c708e49080f3819d66ecc88fab5",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-65092",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/65092",
 "specs": [
 "<3.0.2"
 ],
@@ -32715,6 +32883,18 @@
 "v": "<0.0.4"
 }
 ],
+ "detect-secrets": [
+ {
+ "advisory": "Detect-secrets version 1.2.0 introduces a fix to prevent catastrophic backtracking associated with the indirect reference heuristic. This update modifies the regex pattern to improve efficiency and prevent performance issues, especially under conditions that could previously lead to denial-of-service scenarios due to excessive resource consumption.",
+ "cve": "PVE-2024-70854",
+ "id": "pyup.io-70854",
+ "more_info_path": "/vulnerabilities/PVE-2024-70854/70854",
+ "specs": [
+ "<1.2.0"
+ ],
+ "v": "<1.2.0"
+ }
+ ],
 "determined": [
 {
 "advisory": "Determined 0.12.12rc0 updates its NPM dependency 'lodash' to v4.17.19 to include a security fix.",
@@ -32768,9 +32948,9 @@
 },
 {
 "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914",
- "cve": "CVE-2018-12886",
- "id": "pyup.io-42148",
- "more_info_path": "/vulnerabilities/CVE-2018-12886/42148",
+ "cve": "CVE-2019-17543",
+ "id": "pyup.io-45577",
+ "more_info_path": "/vulnerabilities/CVE-2019-17543/45577",
 "specs": [
 "<0.17.0rc0"
 ],
@@ -32778,9 +32958,9 @@
 },
 {
 "advisory": "Determined 0.17.0rc0 switches from debian:10.3-slim to ubuntu:20.04 and unattended-upgrades, to fix security issues.\r\nhttps://github.com/determined-ai/determined/pull/2914",
- "cve": "CVE-2019-17543",
- "id": "pyup.io-45577",
- "more_info_path": "/vulnerabilities/CVE-2019-17543/45577",
+ "cve": "CVE-2018-12886",
+ "id": "pyup.io-42148",
+ "more_info_path": "/vulnerabilities/CVE-2018-12886/42148",
 "specs": [
 "<0.17.0rc0"
 ],
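Review bot: The new `detect-secrets` entry carries no reference for the fix, unlike the neighbouring entries that append a commit, PR or advisory URL to the `advisory` text after a `\r\n`, so a reader cannot verify that the regex change shipped in 1.2.0 or that `<1.2.0` is the right affected range. The prose describes catastrophic backtracking in a regular expression, which is a regular-expression denial of service; naming it as such and linking the commit that changed the pattern would make the record checkable, e.g. ending the string with `\r\nhttps://github.com/<fixing commit or release notes>`. The surrounding `specs`/`v` duplication follows the file's existing convention and is fine to keep.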
@@ -32788,9 +32968,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41203",
- "id": "pyup.io-43316",
- "more_info_path": "/vulnerabilities/CVE-2021-41203/43316",
+ "cve": "CVE-2021-41207",
+ "id": "pyup.io-43339",
+ "more_info_path": "/vulnerabilities/CVE-2021-41207/43339",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32798,9 +32978,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41207",
- "id": "pyup.io-43339",
- "more_info_path": "/vulnerabilities/CVE-2021-41207/43339",
+ "cve": "CVE-2021-41217",
+ "id": "pyup.io-43318",
+ "more_info_path": "/vulnerabilities/CVE-2021-41217/43318",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32808,9 +32988,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41226",
- "id": "pyup.io-43322",
- "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
+ "cve": "CVE-2021-41210",
+ "id": "pyup.io-43338",
+ "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32818,9 +32998,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41215",
- "id": "pyup.io-43333",
- "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
+ "cve": "CVE-2021-41203",
+ "id": "pyup.io-43316",
+ "more_info_path": "/vulnerabilities/CVE-2021-41203/43316",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32828,9 +33008,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41212",
- "id": "pyup.io-43337",
- "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
+ "cve": "CVE-2021-41200",
+ "id": "pyup.io-43317",
+ "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32838,9 +33018,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41217",
- "id": "pyup.io-43318",
- "more_info_path": "/vulnerabilities/CVE-2021-41217/43318",
+ "cve": "CVE-2021-41199",
+ "id": "pyup.io-42944",
+ "more_info_path": "/vulnerabilities/CVE-2021-41199/42944",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32848,9 +33028,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41202",
- "id": "pyup.io-43340",
- "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
+ "cve": "CVE-2021-41218",
+ "id": "pyup.io-43331",
+ "more_info_path": "/vulnerabilities/CVE-2021-41218/43331",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32858,9 +33038,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41221",
- "id": "pyup.io-43324",
- "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-43340",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/43340",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32868,9 +33048,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41200",
- "id": "pyup.io-43317",
- "more_info_path": "/vulnerabilities/CVE-2021-41200/43317",
+ "cve": "CVE-2021-41222",
+ "id": "pyup.io-43329",
+ "more_info_path": "/vulnerabilities/CVE-2021-41222/43329",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32878,9 +33058,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41199",
- "id": "pyup.io-42944",
- "more_info_path": "/vulnerabilities/CVE-2021-41199/42944",
+ "cve": "CVE-2021-41221",
+ "id": "pyup.io-43324",
+ "more_info_path": "/vulnerabilities/CVE-2021-41221/43324",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32888,9 +33068,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41206",
- "id": "pyup.io-43335",
- "more_info_path": "/vulnerabilities/CVE-2021-41206/43335",
+ "cve": "CVE-2021-41226",
+ "id": "pyup.io-43322",
+ "more_info_path": "/vulnerabilities/CVE-2021-41226/43322",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32898,9 +33078,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41228",
- "id": "pyup.io-43328",
- "more_info_path": "/vulnerabilities/CVE-2021-41228/43328",
+ "cve": "CVE-2021-41224",
+ "id": "pyup.io-43330",
+ "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32918,9 +33098,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41210",
- "id": "pyup.io-43338",
- "more_info_path": "/vulnerabilities/CVE-2021-41210/43338",
+ "cve": "CVE-2021-41212",
+ "id": "pyup.io-43337",
+ "more_info_path": "/vulnerabilities/CVE-2021-41212/43337",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32928,9 +33108,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41218",
- "id": "pyup.io-43331",
- "more_info_path": "/vulnerabilities/CVE-2021-41218/43331",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-43343",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32938,9 +33118,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41214",
- "id": "pyup.io-43319",
- "more_info_path": "/vulnerabilities/CVE-2021-41214/43319",
+ "cve": "CVE-2021-41197",
+ "id": "pyup.io-43342",
+ "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32948,9 +33128,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41195",
- "id": "pyup.io-43343",
- "more_info_path": "/vulnerabilities/CVE-2021-41195/43343",
+ "cve": "CVE-2021-41196",
+ "id": "pyup.io-43315",
+ "more_info_path": "/vulnerabilities/CVE-2021-41196/43315",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32958,9 +33138,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41196",
- "id": "pyup.io-43315",
- "more_info_path": "/vulnerabilities/CVE-2021-41196/43315",
+ "cve": "CVE-2021-41216",
+ "id": "pyup.io-43332",
+ "more_info_path": "/vulnerabilities/CVE-2021-41216/43332",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32968,9 +33148,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41209",
- "id": "pyup.io-43325",
- "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
+ "cve": "CVE-2021-41206",
+ "id": "pyup.io-43335",
+ "more_info_path": "/vulnerabilities/CVE-2021-41206/43335",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32978,9 +33158,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41216",
- "id": "pyup.io-43332",
- "more_info_path": "/vulnerabilities/CVE-2021-41216/43332",
+ "cve": "CVE-2021-41227",
+ "id": "pyup.io-43323",
+ "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32988,9 +33168,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41208",
- "id": "pyup.io-43334",
- "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
+ "cve": "CVE-2021-41204",
+ "id": "pyup.io-43327",
+ "more_info_path": "/vulnerabilities/CVE-2021-41204/43327",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -32998,9 +33178,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41225",
- "id": "pyup.io-43321",
- "more_info_path": "/vulnerabilities/CVE-2021-41225/43321",
+ "cve": "CVE-2021-41201",
+ "id": "pyup.io-43341",
+ "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33008,9 +33188,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41204",
- "id": "pyup.io-43327",
- "more_info_path": "/vulnerabilities/CVE-2021-41204/43327",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-43336",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/43336",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33018,9 +33198,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41219",
- "id": "pyup.io-43320",
- "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
+ "cve": "CVE-2021-41213",
+ "id": "pyup.io-43326",
+ "more_info_path": "/vulnerabilities/CVE-2021-41213/43326",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33028,9 +33208,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41224",
- "id": "pyup.io-43330",
- "more_info_path": "/vulnerabilities/CVE-2021-41224/43330",
+ "cve": "CVE-2021-41214",
+ "id": "pyup.io-43319",
+ "more_info_path": "/vulnerabilities/CVE-2021-41214/43319",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33038,9 +33218,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41201",
- "id": "pyup.io-43341",
- "more_info_path": "/vulnerabilities/CVE-2021-41201/43341",
+ "cve": "CVE-2021-41208",
+ "id": "pyup.io-43334",
+ "more_info_path": "/vulnerabilities/CVE-2021-41208/43334",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33048,9 +33228,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41205",
- "id": "pyup.io-43336",
- "more_info_path": "/vulnerabilities/CVE-2021-41205/43336",
+ "cve": "CVE-2021-41225",
+ "id": "pyup.io-43321",
+ "more_info_path": "/vulnerabilities/CVE-2021-41225/43321",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33058,9 +33238,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41222",
- "id": "pyup.io-43329",
- "more_info_path": "/vulnerabilities/CVE-2021-41222/43329",
+ "cve": "CVE-2021-41219",
+ "id": "pyup.io-43320",
+ "more_info_path": "/vulnerabilities/CVE-2021-41219/43320",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33068,9 +33248,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41227",
- "id": "pyup.io-43323",
- "more_info_path": "/vulnerabilities/CVE-2021-41227/43323",
+ "cve": "CVE-2021-41228",
+ "id": "pyup.io-43328",
+ "more_info_path": "/vulnerabilities/CVE-2021-41228/43328",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33078,9 +33258,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41213",
- "id": "pyup.io-43326",
- "more_info_path": "/vulnerabilities/CVE-2021-41213/43326",
+ "cve": "CVE-2021-41209",
+ "id": "pyup.io-43325",
+ "more_info_path": "/vulnerabilities/CVE-2021-41209/43325",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33088,9 +33268,9 @@
 },
 {
 "advisory": "Determined 0.17.4rc0 includes images updates (to Tensorflow v2.4.4, v2.5.2 and v2.6.2) to include security fixes.",
- "cve": "CVE-2021-41197",
- "id": "pyup.io-43342",
- "more_info_path": "/vulnerabilities/CVE-2021-41197/43342",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-43333",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/43333",
 "specs": [
 "<0.17.4rc0"
 ],
@@ -33108,9 +33288,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-54970",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/54970",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-54966",
+ "more_info_path": "/vulnerabilities/CVE-2019-19844/54966",
 "specs": [
 "<0.17.6"
 ],
@@ -33118,9 +33298,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2019-9512",
- "id": "pyup.io-54969",
- "more_info_path": "/vulnerabilities/CVE-2019-9512/54969",
+ "cve": "CVE-2020-7471",
+ "id": "pyup.io-54968",
+ "more_info_path": "/vulnerabilities/CVE-2020-7471/54968",
 "specs": [
 "<0.17.6"
 ],
@@ -33128,9 +33308,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2019-19844",
- "id": "pyup.io-54966",
- "more_info_path": "/vulnerabilities/CVE-2019-19844/54966",
+ "cve": "CVE-2020-10108",
+ "id": "pyup.io-44642",
+ "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
 "specs": [
 "<0.17.6"
 ],
@@ -33138,9 +33318,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-7471",
- "id": "pyup.io-54968",
- "more_info_path": "/vulnerabilities/CVE-2020-7471/54968",
+ "cve": "CVE-2020-10109",
+ "id": "pyup.io-54967",
+ "more_info_path": "/vulnerabilities/CVE-2020-10109/54967",
 "specs": [
 "<0.17.6"
 ],
@@ -33148,9 +33328,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-10109",
- "id": "pyup.io-54967",
- "more_info_path": "/vulnerabilities/CVE-2020-10109/54967",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-54970",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/54970",
 "specs": [
 "<0.17.6"
 ],
@@ -33158,9 +33338,9 @@
 },
 {
 "advisory": "Determined 0.17.6 updates env images to include security fixes.\r\nhttps://github.com/determined-ai/determined/pull/3415/commits/18fc5278cd589089dd753f687ec606499117029d",
- "cve": "CVE-2020-10108",
- "id": "pyup.io-44642",
- "more_info_path": "/vulnerabilities/CVE-2020-10108/44642",
+ "cve": "CVE-2019-9512",
+ "id": "pyup.io-54969",
+ "more_info_path": "/vulnerabilities/CVE-2019-9512/54969",
 "specs": [
 "<0.17.6"
 ],
@@ -33168,9 +33348,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27778",
- "id": "pyup.io-49534",
- "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
+ "cve": "CVE-2022-29208",
+ "id": "pyup.io-49555",
+ "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
 "specs": [
 "<0.18.2"
 ],
@@ -33178,9 +33358,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29211",
- "id": "pyup.io-49557",
- "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
+ "cve": "CVE-2022-29198",
+ "id": "pyup.io-49545",
+ "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
 "specs": [
 "<0.18.2"
 ],
@@ -33188,9 +33368,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2018-25032",
- "id": "pyup.io-49422",
- "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
+ "cve": "CVE-2022-29191",
+ "id": "pyup.io-49538",
+ "more_info_path": "/vulnerabilities/CVE-2022-29191/49538",
 "specs": [
 "<0.18.2"
 ],
@@ -33198,9 +33378,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29208",
- "id": "pyup.io-49555",
- "more_info_path": "/vulnerabilities/CVE-2022-29208/49555",
+ "cve": "CVE-2022-29212",
+ "id": "pyup.io-49558",
+ "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
 "specs": [
 "<0.18.2"
 ],
@@ -33208,9 +33388,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29213",
- "id": "pyup.io-49559",
- "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
+ "cve": "CVE-2022-27775",
+ "id": "pyup.io-49531",
+ "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
 "specs": [
 "<0.18.2"
 ],
@@ -33218,9 +33398,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27775",
- "id": "pyup.io-49531",
- "more_info_path": "/vulnerabilities/CVE-2022-27775/49531",
+ "cve": "CVE-2022-29203",
+ "id": "pyup.io-49550",
+ "more_info_path": "/vulnerabilities/CVE-2022-29203/49550",
 "specs": [
 "<0.18.2"
 ],
@@ -33228,9 +33408,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29200",
- "id": "pyup.io-49547",
- "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
+ "cve": "CVE-2022-30115",
+ "id": "pyup.io-49561",
+ "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
 "specs": [
 "<0.18.2"
 ],
@@ -33238,9 +33418,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29207",
- "id": "pyup.io-49554",
- "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
+ "cve": "CVE-2022-29194",
+ "id": "pyup.io-49541",
+ "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
 "specs": [
 "<0.18.2"
 ],
@@ -33248,9 +33428,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-30115",
- "id": "pyup.io-49561",
- "more_info_path": "/vulnerabilities/CVE-2022-30115/49561",
+ "cve": "CVE-2022-29206",
+ "id": "pyup.io-49553",
+ "more_info_path": "/vulnerabilities/CVE-2022-29206/49553",
 "specs": [
 "<0.18.2"
 ],
@@ -33258,9 +33438,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-22576",
- "id": "pyup.io-49529",
- "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
+ "cve": "CVE-2022-27776",
+ "id": "pyup.io-49532",
+ "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
 "specs": [
 "<0.18.2"
 ],
@@ -33268,9 +33448,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29199",
- "id": "pyup.io-49546",
- "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
+ "cve": "CVE-2022-27774",
+ "id": "pyup.io-49530",
+ "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
 "specs": [
 "<0.18.2"
 ],
@@ -33278,9 +33458,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29212",
- "id": "pyup.io-49558",
- "more_info_path": "/vulnerabilities/CVE-2022-29212/49558",
+ "cve": "CVE-2022-29199",
+ "id": "pyup.io-49546",
+ "more_info_path": "/vulnerabilities/CVE-2022-29199/49546",
 "specs": [
 "<0.18.2"
 ],
@@ -33288,9 +33468,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29209",
- "id": "pyup.io-49556",
- "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
+ "cve": "CVE-2022-29202",
+ "id": "pyup.io-49549",
+ "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
 "specs": [
 "<0.18.2"
 ],
@@ -33298,9 +33478,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29193",
- "id": "pyup.io-49540",
- "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
+ "cve": "CVE-2022-29211",
+ "id": "pyup.io-49557",
+ "more_info_path": "/vulnerabilities/CVE-2022-29211/49557",
 "specs": [
 "<0.18.2"
 ],
@@ -33318,9 +33498,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29204",
- "id": "pyup.io-49551",
- "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
+ "cve": "CVE-2022-29200",
+ "id": "pyup.io-49547",
+ "more_info_path": "/vulnerabilities/CVE-2022-29200/49547",
 "specs": [
 "<0.18.2"
 ],
@@ -33328,9 +33508,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29195",
- "id": "pyup.io-49542",
- "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
+ "cve": "CVE-2022-29204",
+ "id": "pyup.io-49551",
+ "more_info_path": "/vulnerabilities/CVE-2022-29204/49551",
 "specs": [
 "<0.18.2"
 ],
@@ -33338,9 +33518,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29205",
- "id": "pyup.io-49552",
- "more_info_path": "/vulnerabilities/CVE-2022-29205/49552",
+ "cve": "CVE-2022-29201",
+ "id": "pyup.io-49548",
+ "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
 "specs": [
 "<0.18.2"
 ],
@@ -33348,9 +33528,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29216",
- "id": "pyup.io-49560",
- "more_info_path": "/vulnerabilities/CVE-2022-29216/49560",
+ "cve": "CVE-2022-27779",
+ "id": "pyup.io-49535",
+ "more_info_path": "/vulnerabilities/CVE-2022-27779/49535",
 "specs": [
 "<0.18.2"
 ],
@@ -33368,9 +33548,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27776",
- "id": "pyup.io-49532",
- "more_info_path": "/vulnerabilities/CVE-2022-27776/49532",
+ "cve": "CVE-2022-29195",
+ "id": "pyup.io-49542",
+ "more_info_path": "/vulnerabilities/CVE-2022-29195/49542",
 "specs": [
 "<0.18.2"
 ],
@@ -33378,9 +33558,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29206",
- "id": "pyup.io-49553",
- "more_info_path": "/vulnerabilities/CVE-2022-29206/49553",
+ "cve": "CVE-2022-29205",
+ "id": "pyup.io-49552",
+ "more_info_path": "/vulnerabilities/CVE-2022-29205/49552",
 "specs": [
 "<0.18.2"
 ],
@@ -33388,9 +33568,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27774",
- "id": "pyup.io-49530",
- "more_info_path": "/vulnerabilities/CVE-2022-27774/49530",
+ "cve": "CVE-2022-29209",
+ "id": "pyup.io-49556",
+ "more_info_path": "/vulnerabilities/CVE-2022-29209/49556",
 "specs": [
 "<0.18.2"
 ],
@@ -33398,9 +33578,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29202",
- "id": "pyup.io-49549",
- "more_info_path": "/vulnerabilities/CVE-2022-29202/49549",
+ "cve": "CVE-2022-29193",
+ "id": "pyup.io-49540",
+ "more_info_path": "/vulnerabilities/CVE-2022-29193/49540",
 "specs": [
 "<0.18.2"
 ],
@@ -33408,9 +33588,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29191",
- "id": "pyup.io-49538",
- "more_info_path": "/vulnerabilities/CVE-2022-29191/49538",
+ "cve": "CVE-2022-29192",
+ "id": "pyup.io-49539",
+ "more_info_path": "/vulnerabilities/CVE-2022-29192/49539",
 "specs": [
 "<0.18.2"
 ],
@@ -33418,9 +33598,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29201",
- "id": "pyup.io-49548",
- "more_info_path": "/vulnerabilities/CVE-2022-29201/49548",
+ "cve": "CVE-2022-29196",
+ "id": "pyup.io-49543",
+ "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
 "specs": [
 "<0.18.2"
 ],
@@ -33428,9 +33608,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27779",
- "id": "pyup.io-49535",
- "more_info_path": "/vulnerabilities/CVE-2022-27779/49535",
+ "cve": "CVE-2022-27778",
+ "id": "pyup.io-49534",
+ "more_info_path": "/vulnerabilities/CVE-2022-27778/49534",
 "specs": [
 "<0.18.2"
 ],
@@ -33438,9 +33618,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-27777",
- "id": "pyup.io-49533",
- "more_info_path": "/vulnerabilities/CVE-2022-27777/49533",
+ "cve": "CVE-2022-29207",
+ "id": "pyup.io-49554",
+ "more_info_path": "/vulnerabilities/CVE-2022-29207/49554",
 "specs": [
 "<0.18.2"
 ],
@@ -33448,9 +33628,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29198",
- "id": "pyup.io-49545",
- "more_info_path": "/vulnerabilities/CVE-2022-29198/49545",
+ "cve": "CVE-2022-29216",
+ "id": "pyup.io-49560",
+ "more_info_path": "/vulnerabilities/CVE-2022-29216/49560",
 "specs": [
 "<0.18.2"
 ],
@@ -33458,9 +33638,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29192",
- "id": "pyup.io-49539",
- "more_info_path": "/vulnerabilities/CVE-2022-29192/49539",
+ "cve": "CVE-2022-22576",
+ "id": "pyup.io-49529",
+ "more_info_path": "/vulnerabilities/CVE-2022-22576/49529",
 "specs": [
 "<0.18.2"
 ],
@@ -33468,9 +33648,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29196",
- "id": "pyup.io-49543",
- "more_info_path": "/vulnerabilities/CVE-2022-29196/49543",
+ "cve": "CVE-2022-29197",
+ "id": "pyup.io-49544",
+ "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
 "specs": [
 "<0.18.2"
 ],
@@ -33478,9 +33658,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29197",
- "id": "pyup.io-49544",
- "more_info_path": "/vulnerabilities/CVE-2022-29197/49544",
+ "cve": "CVE-2018-25032",
+ "id": "pyup.io-49422",
+ "more_info_path": "/vulnerabilities/CVE-2018-25032/49422",
 "specs": [
 "<0.18.2"
 ],
@@ -33488,9 +33668,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29194",
- "id": "pyup.io-49541",
- "more_info_path": "/vulnerabilities/CVE-2022-29194/49541",
+ "cve": "CVE-2022-27777",
+ "id": "pyup.io-49533",
+ "more_info_path": "/vulnerabilities/CVE-2022-27777/49533",
 "specs": [
 "<0.18.2"
 ],
@@ -33498,9 +33678,9 @@
 },
 {
 "advisory": "Determined 0.18.2 updates its dependency 'TensorFlow' supported versions to 2.6.5, 2.7.3 and 2.8.2 to include security fixes.",
- "cve": "CVE-2022-29203",
- "id": "pyup.io-49550",
- "more_info_path": "/vulnerabilities/CVE-2022-29203/49550",
+ "cve": "CVE-2022-29213",
+ "id": "pyup.io-49559",
+ "more_info_path": "/vulnerabilities/CVE-2022-29213/49559",
 "specs": [
 "<0.18.2"
 ],
@@ -33517,10 +33697,20 @@
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0686",
- "id": "pyup.io-50980",
- "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
+ "cve": "CVE-2021-3807",
+ "id": "pyup.io-50971",
+ "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
+ "specs": [
+ "<0.19.3"
+ ],
+ "v": "<0.19.3"
+ },
+ {
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
+ "cve": "CVE-2022-1650",
+ "id": "pyup.io-50973",
+ "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
 "specs": [
 "<0.19.3"
 ],
@@ -33537,50 +33727,50 @@
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'async' to v2.6.4 to include a security fix.",
- "cve": "CVE-2021-43138",
- "id": "pyup.io-50972",
- "more_info_path": "/vulnerabilities/CVE-2021-43138/50972",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
+ "cve": "CVE-2022-0155",
+ "id": "pyup.io-50975",
+ "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
- "cve": "CVE-2021-33623",
- "id": "pyup.io-50978",
- "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
+ "cve": "CVE-2022-0536",
+ "id": "pyup.io-50974",
+ "more_info_path": "/vulnerabilities/CVE-2022-0536/50974",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
- "cve": "CVE-2022-0155",
- "id": "pyup.io-50975",
- "more_info_path": "/vulnerabilities/CVE-2022-0155/50975",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0639",
+ "id": "pyup.io-50979",
+ "more_info_path": "/vulnerabilities/CVE-2022-0639/50979",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'eventsource' to v1.1.2 to include a security fix.",
- "cve": "CVE-2022-1650",
- "id": "pyup.io-50973",
- "more_info_path": "/vulnerabilities/CVE-2022-1650/50973",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'async' to v2.6.4 to include a security fix.",
+ "cve": "CVE-2021-43138",
+ "id": "pyup.io-50972",
+ "more_info_path": "/vulnerabilities/CVE-2021-43138/50972",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'ansi-regex' to v3.0.1 to include a security fix.",
- "cve": "CVE-2021-3807",
- "id": "pyup.io-50971",
- "more_info_path": "/vulnerabilities/CVE-2021-3807/50971",
+ "advisory": "Determined 0.19.3 stops using the NPM package 'trim-newlines', preventing a security issue.",
+ "cve": "CVE-2021-33623",
+ "id": "pyup.io-50978",
+ "more_info_path": "/vulnerabilities/CVE-2021-33623/50978",
 "specs": [
 "<0.19.3"
 ],
@@ -33588,19 +33778,19 @@
 },
 {
 "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0639",
- "id": "pyup.io-50979",
- "more_info_path": "/vulnerabilities/CVE-2022-0639/50979",
+ "cve": "CVE-2022-0691",
+ "id": "pyup.io-50981",
+ "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
 "specs": [
 "<0.19.3"
 ],
 "v": "<0.19.3"
 },
 {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'follow-redirects' to v1.15.1 to include security fixes.",
- "cve": "CVE-2022-0536",
- "id": "pyup.io-50974",
- "more_info_path": "/vulnerabilities/CVE-2022-0536/50974",
+ "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
+ "cve": "CVE-2022-0686",
+ "id": "pyup.io-50980",
+ "more_info_path": "/vulnerabilities/CVE-2022-0686/50980",
 "specs": [
 "<0.19.3"
 ],
@@ -33616,16 +33806,6 @@
 ],
 "v": "<0.19.3"
 },
- {
- "advisory": "Determined 0.19.3 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.",
- "cve": "CVE-2022-0691",
- "id": "pyup.io-50981",
- "more_info_path": "/vulnerabilities/CVE-2022-0691/50981",
- "specs": [
- "<0.19.3"
- ],
- "v": "<0.19.3"
- },
 {
 "advisory": "Determined 0.23.0 includes a fix to prevent session hijacking by implementing secure cookies and eliminating JWT tokens over URLs.\r\nhttps://github.com/determined-ai/determined/pull/6862",
 "cve": "PVE-2023-58923",
@@ -34044,9 +34224,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2018-14574",
- "id": "pyup.io-50823",
- "more_info_path": "/vulnerabilities/CVE-2018-14574/50823",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-50826",
+ "more_info_path": "/vulnerabilities/CVE-2019-12308/50826",
 "specs": [
 "<1.1.2"
 ],
@@ -34054,9 +34234,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-50826",
- "more_info_path": "/vulnerabilities/CVE-2019-12308/50826",
+ "cve": "CVE-2019-12781",
+ "id": "pyup.io-50827",
+ "more_info_path": "/vulnerabilities/CVE-2019-12781/50827",
 "specs": [
 "<1.1.2"
 ],
@@ -34064,9 +34244,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2019-12781",
- "id": "pyup.io-50827",
- "more_info_path": "/vulnerabilities/CVE-2019-12781/50827",
+ "cve": "CVE-2019-3498",
+ "id": "pyup.io-50824",
+ "more_info_path": "/vulnerabilities/CVE-2019-3498/50824",
 "specs": [
 "<1.1.2"
 ],
@@ -34074,9 +34254,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2017-12794",
- "id": "pyup.io-50759",
- "more_info_path": "/vulnerabilities/CVE-2017-12794/50759",
+ "cve": "CVE-2019-6975",
+ "id": "pyup.io-50825",
+ "more_info_path": "/vulnerabilities/CVE-2019-6975/50825",
 "specs": [
 "<1.1.2"
 ],
@@ -34084,9 +34264,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2009-3695",
- "id": "pyup.io-50822",
- "more_info_path": "/vulnerabilities/CVE-2009-3695/50822",
+ "cve": "CVE-2018-14574",
+ "id": "pyup.io-50823",
+ "more_info_path": "/vulnerabilities/CVE-2018-14574/50823",
 "specs": [
 "<1.1.2"
 ],
@@ -34094,9 +34274,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2018-7537",
- "id": "pyup.io-50821",
- "more_info_path": "/vulnerabilities/CVE-2018-7537/50821",
+ "cve": "CVE-2017-12794",
+ "id": "pyup.io-50759",
+ "more_info_path": "/vulnerabilities/CVE-2017-12794/50759",
 "specs": [
 "<1.1.2"
 ],
@@ -34104,9 +34284,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2019-3498",
- "id": "pyup.io-50824",
- "more_info_path": "/vulnerabilities/CVE-2019-3498/50824",
+ "cve": "CVE-2009-3695",
+ "id": "pyup.io-50822",
+ "more_info_path": "/vulnerabilities/CVE-2009-3695/50822",
 "specs": [
 "<1.1.2"
 ],
@@ -34114,9 +34294,9 @@
 },
 {
 "advisory": "Directory-healthcheck 1.1.2 updates its dependency 'Django' to v1.11.22 to include security fixes.",
- "cve": "CVE-2019-6975",
- "id": "pyup.io-50825",
- "more_info_path": "/vulnerabilities/CVE-2019-6975/50825",
+ "cve": "CVE-2018-7537",
+ "id": "pyup.io-50821",
+ "more_info_path": "/vulnerabilities/CVE-2018-7537/50821",
 "specs": [
 "<1.1.2"
 ],
@@ -34448,10 +34628,10 @@
 "v": "<1.1.4"
 },
 {
- "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
- "cve": "CVE-2011-0696",
- "id": "pyup.io-33060",
- "more_info_path": "/vulnerabilities/CVE-2011-0696/33060",
+ "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
+ "cve": "CVE-2011-0698",
+ "id": "pyup.io-33062",
+ "more_info_path": "/vulnerabilities/CVE-2011-0698/33062",
 "specs": [
 "<1.1.4",
 ">=1.2a1,<1.2.5"
@@ -34459,10 +34639,10 @@
 "v": "<1.1.4,>=1.2a1,<1.2.5"
 },
 {
- "advisory": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
- "cve": "CVE-2011-0698",
- "id": "pyup.io-33062",
- "more_info_path": "/vulnerabilities/CVE-2011-0698/33062",
+ "advisory": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
+ "cve": "CVE-2011-0696",
+ "id": "pyup.io-33060",
+ "more_info_path": "/vulnerabilities/CVE-2011-0696/33060",
 "specs": [
 "<1.1.4",
 ">=1.2a1,<1.2.5"
@@ -34501,17 +34681,6 @@
 ],
 "v": "<1.2.7,>=1.3a1,<1.3.1"
 },
- {
- "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
- "cve": "CVE-2011-4137",
- "id": "pyup.io-33064",
- "more_info_path": "/vulnerabilities/CVE-2011-4137/33064",
- "specs": [
- "<1.2.7",
- ">=1.3a1,<1.3.1"
- ],
- "v": "<1.2.7,>=1.3a1,<1.3.1"
- },
 {
 "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.",
 "cve": "CVE-2011-4138",
@@ -34545,6 +34714,17 @@
 ],
 "v": "<1.2.7,>=1.3a1,<1.3.1"
 },
+ {
+ "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
+ "cve": "CVE-2011-4137",
+ "id": "pyup.io-33064",
+ "more_info_path": "/vulnerabilities/CVE-2011-4137/33064",
+ "specs": [
+ "<1.2.7",
+ ">=1.3a1,<1.3.1"
+ ],
+ "v": "<1.2.7,>=1.3a1,<1.3.1"
+ },
 {
 "advisory": "The (1) django.http.HttpResponseRedirect and (2) django.http.HttpResponsePermanentRedirect classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a data: URL.",
 "cve": "CVE-2012-3442",
@@ -34557,10 +34737,10 @@
 "v": "<1.3.2,>=1.4a1,<1.4.1"
 },
 {
- "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
- "cve": "CVE-2012-3443",
- "id": "pyup.io-33068",
- "more_info_path": "/vulnerabilities/CVE-2012-3443/33068",
+ "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
+ "cve": "CVE-2012-3444",
+ "id": "pyup.io-33069",
+ "more_info_path": "/vulnerabilities/CVE-2012-3444/33069",
 "specs": [
 "<1.3.2",
 ">=1.4a1,<1.4.1"
@@ -34568,10 +34748,10 @@
 "v": "<1.3.2,>=1.4a1,<1.4.1"
 },
 {
- "advisory": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
- "cve": "CVE-2012-3444",
- "id": "pyup.io-33069",
- "more_info_path": "/vulnerabilities/CVE-2012-3444/33069",
+ "advisory": "The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
+ "cve": "CVE-2012-3443",
+ "id": "pyup.io-33068",
+ "more_info_path": "/vulnerabilities/CVE-2012-3443/33068",
 "specs": [
 "<1.3.2",
 ">=1.4a1,<1.4.1"
@@ -34628,6 +34808,19 @@
 ],
 "v": "<1.4.13,>=1.5a1,<1.5.8,>=1.6a1,<1.6.5,>=1.7a1,<1.7b4"
 },
+ {
+ "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.",
+ "cve": "CVE-2014-0481",
+ "id": "pyup.io-35514",
+ "more_info_path": "/vulnerabilities/CVE-2014-0481/35514",
+ "specs": [
+ "<1.4.14",
+ ">=1.5a1,<1.5.9",
+ ">=1.6a1,<1.6.6",
+ ">=1.7a1,<1.7rc3"
+ ],
+ "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
+ },
 {
 "advisory": "The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.",
 "cve": "CVE-2014-0480",
@@ -34668,17 +34861,16 @@
 "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
 },
 {
- "advisory": "Django 1.4.14, 1.5.9, 1.6.6 and 1.7rc3 include a fix for CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.",
- "cve": "CVE-2014-0481",
- "id": "pyup.io-35514",
- "more_info_path": "/vulnerabilities/CVE-2014-0481/35514",
+ "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
+ "cve": "CVE-2015-0220",
+ "id": "pyup.io-33071",
+ "more_info_path": "/vulnerabilities/CVE-2015-0220/33071",
 "specs": [
- "<1.4.14",
- ">=1.5a1,<1.5.9",
- ">=1.6a1,<1.6.6",
- ">=1.7a1,<1.7rc3"
+ "<1.4.18",
+ ">=1.6a1,<1.6.10",
+ ">=1.7a1,<1.7.3"
 ],
- "v": "<1.4.14,>=1.5a1,<1.5.9,>=1.6a1,<1.6.6,>=1.7a1,<1.7rc3"
+ "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3"
 },
 {
 "advisory": "Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.",
@@ -34704,18 +34896,6 @@
 ],
 "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3"
 },
- {
- "advisory": "The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a \"\\njavascript:\" URL.",
- "cve": "CVE-2015-0220",
- "id": "pyup.io-33071",
- "more_info_path": "/vulnerabilities/CVE-2015-0220/33071",
- "specs": [
- "<1.4.18",
- ">=1.6a1,<1.6.10",
- ">=1.7a1,<1.7.3"
- ],
- "v": "<1.4.18,>=1.6a1,<1.6.10,>=1.7a1,<1.7.3"
- },
 {
 "advisory": "The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \\x08javascript: URL.\r\nhttps://www.djangoproject.com/weblog/2015/mar/18/security-releases",
 "cve": "CVE-2015-2317",
@@ -34893,10 +35073,10 @@
 "v": "<2.2.25,>=3.2a1,<3.2.10,>=3.1a1,<3.1.14"
 },
 {
- "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases",
- "cve": "CVE-2021-45116",
- "id": "pyup.io-44427",
- "more_info_path": "/vulnerabilities/CVE-2021-45116/44427",
+ "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
+ "cve": "CVE-2021-45115",
+ "id": "pyup.io-44423",
+ "more_info_path": "/vulnerabilities/CVE-2021-45115/44423",
 "specs": [
 "<2.2.26",
 ">=3.0a1,<3.2.11",
@@ -34905,10 +35085,10 @@
 "v": "<2.2.26,>=3.0a1,<3.2.11,>=4.0a1,<4.0.1"
 },
 {
- "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/",
- "cve": "CVE-2021-45115",
- "id": "pyup.io-44423",
- "more_info_path": "/vulnerabilities/CVE-2021-45115/44423",
+ "advisory": "Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.\r\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases",
+ "cve": "CVE-2021-45116",
+ "id": "pyup.io-44427",
+ "more_info_path": "/vulnerabilities/CVE-2021-45116/44427",
 "specs": [
 "<2.2.26",
 ">=3.0a1,<3.2.11",
@@ -34953,10 +35133,10 @@
 "v": "<2.2.27,>=3.0a1,<3.2.12,>=4.0a1,<4.0.2"
 },
 {
- "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases",
- "cve": "CVE-2022-28346",
- "id": "pyup.io-48041",
- "more_info_path": "/vulnerabilities/CVE-2022-28346/48041",
+ "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases",
+ "cve": "CVE-2022-28347",
+ "id": "pyup.io-48040",
+ "more_info_path": "/vulnerabilities/CVE-2022-28347/48040",
 "specs": [
 "<2.2.28",
 ">=3.0a1,<3.2.13",
@@ -34965,10 +35145,10 @@
 "v": "<2.2.28,>=3.0a1,<3.2.13,>=4.0a1,<4.0.4"
 },
 {
- "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases",
- "cve": "CVE-2022-28347",
- "id": "pyup.io-48040",
- "more_info_path": "/vulnerabilities/CVE-2022-28347/48040",
+ "advisory": "Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.\r\nhttps://www.djangoproject.com/weblog/2022/apr/11/security-releases",
+ "cve": "CVE-2022-28346",
+ "id": "pyup.io-48041",
+ "more_info_path": "/vulnerabilities/CVE-2022-28346/48041",
 "specs": [
 "<2.2.28",
 ">=3.0a1,<3.2.13",
@@ -35219,10 +35399,10 @@
 "v": ">=1.11a1,<1.11.22,>=2.2a1,<2.2.3,>=2.1a1,<2.1.10"
 },
 {
- "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14232: If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-37326",
- "more_info_path": "/vulnerabilities/CVE-2019-14232/37326",
+ "advisory": "Django 1.11.23, 2.1.11, and 2.2.4 include a fix for CVE-2019-14233: Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-39593",
+ "more_info_path": "/vulnerabilities/CVE-2019-14233/39593",
 "specs": [
 ">=1.11a1,<1.11.23",
 ">=2.0a1,<2.1.11",
@@ -35231,10 +35411,10 @@
 "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4"
 },
 {
- "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14234: Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-39592",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/39592",
+ "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 includes a fix for CVE-2019-14235: If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-39591",
+ "more_info_path": "/vulnerabilities/CVE-2019-14235/39591",
 "specs": [
 ">=1.11a1,<1.11.23",
 ">=2.0a1,<2.1.11",
@@ -35243,10 +35423,10 @@
 "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4"
 },
 {
- "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 includes a fix for CVE-2019-14235: If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-39591",
- "more_info_path": "/vulnerabilities/CVE-2019-14235/39591",
+ "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14234: Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-39592",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/39592",
 "specs": [
 ">=1.11a1,<1.11.23",
 ">=2.0a1,<2.1.11",
@@ -35255,10 +35435,10 @@
 "v": ">=1.11a1,<1.11.23,>=2.0a1,<2.1.11,>=2.2a1,<2.2.4"
 },
 {
- "advisory": "Django 1.11.23, 2.1.11, and 2.2.4 include a fix for CVE-2019-14233: Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.",
- "cve": "CVE-2019-14233",
- "id": "pyup.io-39593",
- "more_info_path": "/vulnerabilities/CVE-2019-14233/39593",
+ "advisory": "Django 1.11.23, 2.1.11 and 2.2.4 include a fix for CVE-2019-14232: If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-37326",
+ "more_info_path": "/vulnerabilities/CVE-2019-14232/37326",
 "specs": [
 ">=1.11a1,<1.11.23",
 ">=2.0a1,<2.1.11",
@@ -35910,7 +36090,7 @@ ], "django-ajax-utilities": [ { - "advisory": "Django-ajax-utilities 1.2.9 includes a fix for CVE-2017-20182: This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument URL leads to cross-site scripting. The attack may be initiated remotely. \r\n#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.\r\nhttps://github.com/vikingco/django-ajax-utilities/pull/29/commits/329eb1dd1580ca1f9d4f95bc69939833226515c9", + "advisory": "Django-ajax-utilities 1.2.9 includes a fix for CVE-2017-20182: This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument URL leads to cross-site scripting. The attack may be initiated remotely. \r\n#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.", "cve": "CVE-2017-20182", "id": "pyup.io-53607", "more_info_path": "/vulnerabilities/CVE-2017-20182/53607", @@ -36050,6 +36230,18 @@ "v": ">=0.2,<1.4" } ], + "django-appointment": [ + { + "advisory": "Django-appointment version 3.5.2 includes a crucial security fix by updating the requests library. The update changes the requests dependency requirement from version ~=2.31.0 to ~=2.32.1 across one directory in the pip group.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71086", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71086", + "specs": [ + "<3.5.2" + ], + "v": "<3.5.2" + } + ], "django-appwrite": [ { "advisory": "Django-appwrite 1.3.0 replaces the user ID with JSON Web Tokens (JWT) in communication with the Appwrite server. This change prevents potential risk of attempting to login by generating random IDs.", 
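Review bot: The rewritten django-ajax-utilities advisory drops the only patch reference (the vikingco pull-29 commit URL) while keeping the sentence `#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. The patch commit was issued for version 1.2.9.`, so the record now asserts a commit-to-version mapping that disagrees with NVD without pointing at the commit that justifies it. That link is exactly what a practitioner needs to verify the `1.2.9` fix version before trusting a spec that contradicts nvd.nist.gov. Keep the commit URL at the end of the advisory string, or move it to a dedicated reference field, rather than deleting it.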
@@ -36385,6 +36577,16 @@ "<3.5.3" ], "v": "<3.5.3" + }, + { + "advisory": "Django-cms 4.0 includes a security enhancement to prevent JavaScript injection in the admin add plugin URL,", + "cve": "PVE-2024-70718", + "id": "pyup.io-70718", + "more_info_path": "/vulnerabilities/PVE-2024-70718/70718", + "specs": [ + "<4.0" + ], + "v": "<4.0" } ], "django-cms-patched": [ @@ -36606,9 +36808,9 @@ }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", - "cve": "CVE-2022-22818", - "id": "pyup.io-45292", - "more_info_path": "/vulnerabilities/CVE-2022-22818/45292", + "cve": "CVE-2021-45115", + "id": "pyup.io-45312", + "more_info_path": "/vulnerabilities/CVE-2021-45115/45312", "specs": [ "<0.6.2" ], @@ -36616,9 +36818,9 @@ }, { "advisory": "Django-dsfr 0.6.2 updates its dependency 'Django' to v3.2.12 to include security fixes.", - "cve": "CVE-2021-45115", - "id": "pyup.io-45312", - "more_info_path": "/vulnerabilities/CVE-2021-45115/45312", + "cve": "CVE-2022-22818", + "id": "pyup.io-45292", + "more_info_path": "/vulnerabilities/CVE-2022-22818/45292", "specs": [ "<0.6.2" ], 
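Review bot: The new django-cms advisory string ends with a dangling comma, `...in the admin add plugin URL,`, which reads as a truncated sentence and should end with a period. Unlike the neighbouring entries it cites no commit, pull request or advisory, so a reader cannot check what the "security enhancement" (an XSS via the admin add-plugin URL, going by the wording) actually was or which release line carries it. The spec `<4.0` also flags every 3.x release; if the 3.11 LTS line received the same fix, that range over-reports and should be split into the affected 3.x and 4.x ranges.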
@@ -36755,20 +36957,20 @@ ], "django-filer": [ { - "advisory": "Django-filer 3.0.0rc1 includes a fix for a XSS vulnerability.\r\nhttps://github.com/django-cms/django-filer/pull/1364", - "cve": "PVE-2023-59208", - "id": "pyup.io-59208", - "more_info_path": "/vulnerabilities/PVE-2023-59208/59208", + "advisory": "Django-filer 3.0.0rc1 includes a fix for a Broken Access Control vulnerability. The staff user without proper permissions cannot browse the filer's folder structure, list files in a folder, add files, and move files and folders by this fix. Also, non-root users only see their own files in unsorted uploads and it shows uncategorized files to the owner or superuser if permissions are active.\r\nhttps://github.com/django-cms/django-filer/pull/1352\r\nhttps://github.com/django-cms/django-filer/commit/43434f7c60320dcfa719742ab84fbe2cfcffb6f1", + "cve": "PVE-2023-59514", + "id": "pyup.io-59514", + "more_info_path": "/vulnerabilities/PVE-2023-59514/59514", "specs": [ "<3.0.0rc1" ], "v": "<3.0.0rc1" }, { - "advisory": "Django-filer 3.0.0rc1 includes a fix for a Broken Access Control vulnerability. The staff user without proper permissions cannot browse the filer's folder structure, list files in a folder, add files, and move files and folders by this fix. Also, non-root users only see their own files in unsorted uploads and it shows uncategorized files to the owner or superuser if permissions are active.\r\nhttps://github.com/django-cms/django-filer/pull/1352\r\nhttps://github.com/django-cms/django-filer/commit/43434f7c60320dcfa719742ab84fbe2cfcffb6f1", - "cve": "PVE-2023-59514", - "id": "pyup.io-59514", - "more_info_path": "/vulnerabilities/PVE-2023-59514/59514", + "advisory": "Django-filer 3.0.0rc1 includes a fix for a XSS vulnerability.\r\nhttps://github.com/django-cms/django-filer/pull/1364", + "cve": "PVE-2023-59208", + "id": "pyup.io-59208", + "more_info_path": "/vulnerabilities/PVE-2023-59208/59208", "specs": [ "<3.0.0rc1" ], 
@@ -37070,16 +37272,6 @@ ], "v": "<1.0.5" }, - { - "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", - "cve": "CVE-2019-14232", - "id": "pyup.io-43656", - "more_info_path": "/vulnerabilities/CVE-2019-14232/43656", - "specs": [ - "<1.0.5" - ], - "v": "<1.0.5" - }, { "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", "cve": "CVE-2019-19844", @@ -37139,6 +37331,16 @@ "<1.0.5" ], "v": "<1.0.5" + }, + { + "advisory": "Django-howl 1.0.5 updates its dependency 'Django' to v2.2.11 to include security fixes.", + "cve": "CVE-2019-14232", + "id": "pyup.io-43656", + "more_info_path": "/vulnerabilities/CVE-2019-14232/43656", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" } ], "django-html5-appcache": [ @@ -38207,9 +38409,9 @@ }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", - "cve": "CVE-2019-14232", - "id": "pyup.io-43684", - "more_info_path": "/vulnerabilities/CVE-2019-14232/43684", + "cve": "CVE-2019-6975", + "id": "pyup.io-43688", + "more_info_path": "/vulnerabilities/CVE-2019-6975/43688", "specs": [ "<0.9b1" ], @@ -38217,9 +38419,9 @@ }, { "advisory": "Django-newsletter 0.9b1 updates its dependency 'django' to v3.0.2 to include security fixes.", - "cve": "CVE-2019-6975", - "id": "pyup.io-43688", - "more_info_path": "/vulnerabilities/CVE-2019-6975/43688", + "cve": "CVE-2019-14232", + "id": "pyup.io-43684", + "more_info_path": "/vulnerabilities/CVE-2019-14232/43684", "specs": [ "<0.9b1" ], 
@@ -39045,6 +39247,16 @@ } ], "django-termsandconditions": [ + { + "advisory": "A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched remotely.", + "cve": "CVE-2022-4589", + "id": "pyup.io-52467", + "more_info_path": "/vulnerabilities/CVE-2022-4589/52467", + "specs": [ + "<2.0.10" + ], + "v": "<2.0.10" + }, { "advisory": "Django-termsandconditions 2.0.10 fixes an open redirect vulnerability.\r\nhttps://github.com/cyface/django-termsandconditions/commit/03396a1c2e0af95e12a45c5faef7e47a4b513e1a", "cve": "PVE-2022-49632", @@ -39065,16 +39277,6 @@ ], "v": "<2.0.10" }, - { - "advisory": "Django-termsandconditions 2.0.10 includes a fix for CVE-2022-4589: A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched remotely.\r\nhttps://github.com/cyface/django-termsandconditions/commit/03396a1c2e0af95e12a45c5faef7e47a4b513e1a", - "cve": "CVE-2022-4589", - "id": "pyup.io-52467", - "more_info_path": "/vulnerabilities/CVE-2022-4589/52467", - "specs": [ - "<2.0.10" - ], - "v": "<2.0.10" - }, { "advisory": "Django-termsandconditions 2.0.10 updates its dependency 'Django' to v3.2.13 to include security fixes.", "cve": "CVE-2021-45452", 
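Review bot: After this hunk django-termsandconditions appears to carry two records for one fix: the new CVE-2022-4589 entry (pyup.io-52467) and the existing PVE-2022-49632 entry, both with spec `<2.0.10`, and the removed text shows the CVE record previously pointed at the same `03396a1c…` commit the PVE entry still cites. A consumer will now report two findings for a single open redirect, and the CVE record has lost the commit link that tied the two together. Either retire the PVE placeholder now that a CVE exists, or keep the commit URL in the CVE entry so the overlap is at least traceable.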
@@ -39388,7 +39590,7 @@ "v": "<1.9.2" }, { - "advisory": "** UNSUPPORTED WHEN ASSIGNED ** Django-ucamlookup 1.9.2 includes a fix for CVE-2016-15010: Affected by this vulnerability is an unknown functionality of the component Lookup Handler. The manipulation leads to cross site scripting. The attack can be launched remotely.\r\nhttps://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3", + "advisory": "Django-ucamlookup 1.9.2 includes a fix for CVE-2016-15010: Affected by this vulnerability is an unknown functionality of the component Lookup Handler. The manipulation leads to cross site scripting. The attack can be launched remotely.", "cve": "CVE-2016-15010", "id": "pyup.io-52672", "more_info_path": "/vulnerabilities/CVE-2016-15010/52672", 
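Review bot: The rewritten django-ucamlookup advisory drops both the NVD `** UNSUPPORTED WHEN ASSIGNED **` marker and the uisautomation fix-commit URL, leaving a bare claim that 1.9.2 includes the fix. The marker tells a reader the CVE was assigned against a product the maintainer no longer supported, which is precisely the situation in which a practitioner wants the commit link to confirm that a fixed release exists at all. If the intent is that 1.9.2 is a real fix NVD's record does not reflect, say so explicitly, as the django-ajax-utilities entry does with its `#NOTE:` sentence, and keep the commit URL.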
@@ -40371,20 +40573,20 @@ "v": "<1.0.12,>=1.1.0,<1.1.113,>=1.2.0,<1.2.65" }, { - "advisory": "Docassemble version 1.4.97 rectifies a security vulnerability present in versions up to 1.4.96. This flaw allowed for the creation of open redirect URLs.\r\nhttps://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa", - "cve": "PVE-2024-65739", - "id": "pyup.io-65739", - "more_info_path": "/vulnerabilities/PVE-2024-65739/65739", + "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.", + "cve": "PVE-2024-65732", + "id": "pyup.io-65732", + "more_info_path": "/vulnerabilities/PVE-2024-65732/65732", "specs": [ "<1.4.97" ], "v": "<1.4.97" }, { - "advisory": "Docassemble version 1.4.97 addresses a critical security flaw, impacting versions from 1.4.53 to 1.4.96, where file contents within the filesystem could potentially be exposed. Given the high severity of this issue, users are strongly advised to update to the latest version immediately to secure their systems.", - "cve": "PVE-2024-65732", - "id": "pyup.io-65732", - "more_info_path": "/vulnerabilities/PVE-2024-65732/65732", + "advisory": "Docassemble version 1.4.97 rectifies a security vulnerability present in versions up to 1.4.96. This flaw allowed for the creation of open redirect URLs.\r\nhttps://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa", + "cve": "PVE-2024-65739", + "id": "pyup.io-65739", + "more_info_path": "/vulnerabilities/PVE-2024-65739/65739", "specs": [ "<1.4.97" ], 
@@ -40403,10 +40605,20 @@ ], "docassemble-base": [ { - "advisory": "Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.", - "cve": "CVE-2023-46046", + "advisory": "Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27291", + "id": "pyup.io-68484", + "more_info_path": "/vulnerabilities/CVE-2024-27291/68484", + "specs": [ + ">=0,<1.4.97" + ], + "v": ">=0,<1.4.97" + }, + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27292", "id": "pyup.io-68481", - "more_info_path": "/vulnerabilities/CVE-2023-46046/68481", + "more_info_path": "/vulnerabilities/CVE-2024-27292/68481", "specs": [ ">=1.4.53,<1.4.97" ], 
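Review bot: Within this hunk CVE-2024-27292 for docassemble-base is prefixed `** DISPUTED **` while the new CVE-2024-27291 entry is not, yet the docassemble-webapp copy of CVE-2024-27291 in the next hunk does carry the marker; a disputed status belongs to the CVE, not to the package it is listed under, so one of these is wrong. Consumers that down-rank disputed entries will prioritise the same open redirect differently depending on which distribution they scan. Check the NVD record for CVE-2024-27291 and apply the same prefix (or none) to every package entry that carries that CVE.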
@@ -40415,30 +40627,84 @@ ], "docassemble-webapp": [ { - "advisory": "Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.", - "cve": "CVE-2023-45925", + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27291", + "id": "pyup.io-68483", + "more_info_path": "/vulnerabilities/CVE-2024-27291/68483", + "specs": [ + ">=0,<1.4.97" + ], + "v": ">=0,<1.4.97" + }, + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27290", "id": "pyup.io-68485", - "more_info_path": "/vulnerabilities/CVE-2023-45925/68485", + "more_info_path": "/vulnerabilities/CVE-2024-27290/68485", "specs": [ ">=0,<1.4.97" ], "v": ">=0,<1.4.97" }, + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. 
The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27292", + "id": "pyup.io-68482", + "more_info_path": "/vulnerabilities/CVE-2024-27292/68482", + "specs": [ + ">=1.4.53,<1.4.97" + ], + "v": ">=1.4.53,<1.4.97" + } + ], + "docassemble.base": [ { "advisory": "Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.", - "cve": "CVE-2023-46049", - "id": "pyup.io-68483", - "more_info_path": "/vulnerabilities/CVE-2023-46049/68483", + "cve": "CVE-2024-27291", + "id": "pyup.io-71270", + "more_info_path": "/vulnerabilities/CVE-2024-27291/71270", "specs": [ ">=0,<1.4.97" ], "v": ">=0,<1.4.97" }, { - "advisory": "Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.", - "cve": "CVE-2023-46046", - "id": "pyup.io-68482", - "more_info_path": "/vulnerabilities/CVE-2023-46046/68482", + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27292", + "id": "pyup.io-71267", + "more_info_path": "/vulnerabilities/CVE-2024-27292/71267", + "specs": [ + ">=1.4.53,<1.4.97" + ], + "v": ">=1.4.53,<1.4.97" + } + ], + "docassemble.webapp": [ + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. 
The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27291", + "id": "pyup.io-71265", + "more_info_path": "/vulnerabilities/CVE-2024-27291/71265", + "specs": [ + ">=0,<1.4.97" + ], + "v": ">=0,<1.4.97" + }, + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27290", + "id": "pyup.io-71274", + "more_info_path": "/vulnerabilities/CVE-2024-27290/71274", + "specs": [ + ">=0,<1.4.97" + ], + "v": ">=0,<1.4.97" + }, + { + "advisory": "** DISPUTED ** Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.", + "cve": "CVE-2024-27292", + "id": "pyup.io-71266", + "more_info_path": "/vulnerabilities/CVE-2024-27292/71266", "specs": [ ">=1.4.53,<1.4.97" ], @@ -40492,9 +40758,9 @@ "docker": [ { "advisory": "Docker 3.5.1 updates its dependency 'pyOpenSSL' to v18.0.0 to include security fixes.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-36783", - "more_info_path": "/vulnerabilities/CVE-2018-1000808/36783", + "cve": "CVE-2018-1000807", + "id": "pyup.io-49032", + "more_info_path": "/vulnerabilities/CVE-2018-1000807/49032", "specs": [ "<3.5.1" ], 
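Review bot: The new `docassemble.base` and `docassemble.webapp` keys duplicate the existing `docassemble-base` and `docassemble-webapp` entries: under PEP 503 normalization `.` and `-` are equivalent, so these are the same distributions carried twice with separate pyup.io ids (e.g. 68483 and 71265 for CVE-2024-27291). A consumer that normalizes names before lookup reaches only one key, and one that does not will report each finding twice when both spellings occur in an environment; in either case the two copies must never drift, and nothing here enforces that. Normalize keys at generation time, or generate one record and alias the other, rather than maintaining parallel hand-kept copies.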
@@ -40502,9 +40768,9 @@ }, { "advisory": "Docker 3.5.1 updates its dependency 'pyOpenSSL' to v18.0.0 to include security fixes.", - "cve": "CVE-2018-1000807", - "id": "pyup.io-49032", - "more_info_path": "/vulnerabilities/CVE-2018-1000807/49032", + "cve": "CVE-2018-1000808", + "id": "pyup.io-36783", + "more_info_path": "/vulnerabilities/CVE-2018-1000808/36783", "specs": [ "<3.5.1" ], @@ -40733,6 +40999,28 @@ "v": "<4.5.1" } ], + "doveseed": [ + { + "advisory": "Doveseed version 2.0.4 updates its aiohttp dependency from 3.9.3 to 3.9.4 to address the security vulnerability identified as CVE-2024-30251.", + "cve": "CVE-2024-30251", + "id": "pyup.io-71194", + "more_info_path": "/vulnerabilities/CVE-2024-30251/71194", + "specs": [ + "<2.0.4" + ], + "v": "<2.0.4" + }, + { + "advisory": "Doveseed version 2.0.4 updates its jinja2 dependency from 3.1.3 to 3.1.4 to address the security vulnerability identified as CVE-2024-34064.", + "cve": "CVE-2024-34064", + "id": "pyup.io-71214", + "more_info_path": "/vulnerabilities/CVE-2024-34064/71214", + "specs": [ + "<2.0.4" + ], + "v": "<2.0.4" + } + ], "dovesnap": [ { "advisory": "Dovesnap 1.0.28 updates its dependency on the containerd library from version to address the security vulnerability identified as CVE-2022-23648.", @@ -41453,6 +41741,16 @@ "<2.0.2" ], "v": "<2.0.2" + }, + { + "advisory": "Edumfa 2.0.3 updates its dependency 'werkzeug' to v3.0.3 to include a security fix.", + "cve": "CVE-2024-34069", + "id": "pyup.io-71258", + "more_info_path": "/vulnerabilities/CVE-2024-34069/71258", + "specs": [ + "<2.0.3" + ], + "v": "<2.0.3" } ], "edx-celeryutils": [ 
@@ -41966,20 +42264,20 @@ ], "embedchain": [ { - "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.", - "cve": "CVE-2024-23731", - "id": "pyup.io-66691", - "more_info_path": "/vulnerabilities/CVE-2024-23731/66691", + "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.", + "cve": "CVE-2024-23732", + "id": "pyup.io-66692", + "more_info_path": "/vulnerabilities/CVE-2024-23732/66692", "specs": [ "<0.1.57" ], "v": "<0.1.57" }, { - "advisory": "The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.", - "cve": "CVE-2024-23732", - "id": "pyup.io-66692", - "more_info_path": "/vulnerabilities/CVE-2024-23732/66692", + "advisory": "The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.", + "cve": "CVE-2024-23731", + "id": "pyup.io-66691", + "more_info_path": "/vulnerabilities/CVE-2024-23731/66691", "specs": [ "<0.1.57" ], @@ -42367,9 +42665,9 @@ }, { "advisory": "ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory rendering remote code execution possible. This vulnerability is patched in 2024.2.1.", - "cve": "CVE-2023-39306", + "cve": "CVE-2024-27081", "id": "pyup.io-68488", - "more_info_path": "/vulnerabilities/CVE-2023-39306/68488", + "more_info_path": "/vulnerabilities/CVE-2024-27081/68488", "specs": [ ">=2023.12.9,<2024.2.1" ], 
@@ -42516,20 +42814,20 @@ "v": "<2.15.1" }, { - "advisory": "Ethyca's Fides 2.22.1 patches a high-severity SSRF vulnerability (CVE-2023-46124) affecting versions before 2.22.1. This vulnerability allowed attackers with certain API access to make internal system requests that could lead to data breaches. The update is crucial for users with CONNECTOR_TEMPLATE_REGISTER scope and should be applied immediately to secure systems.\r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4", - "cve": "CVE-2023-46124", - "id": "pyup.io-63347", - "more_info_path": "/vulnerabilities/CVE-2023-46124/63347", + "advisory": "Ethyca-fides 2.22.1 fixes a vulnerability identified as CVE-2023-46125. The issue was found with the GET api/v1/config endpoint. It allowed Admin UI users with roles lower than the owner role, such as the viewer role, to retrieve the configuration information using the API. Even though the configuration data was filtered to suppress most sensitive information, it still contained details about the internals and backend infrastructure like server addresses, ports, and database usernames. \r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", + "cve": "CVE-2023-46125", + "id": "pyup.io-63521", + "more_info_path": "/vulnerabilities/CVE-2023-46125/63521", "specs": [ "<2.22.1" ], "v": "<2.22.1" }, { - "advisory": "Ethyca-fides 2.22.1 fixes a vulnerability identified as CVE-2023-46125. The issue was found with the GET api/v1/config endpoint. It allowed Admin UI users with roles lower than the owner role, such as the viewer role, to retrieve the configuration information using the API. Even though the configuration data was filtered to suppress most sensitive information, it still contained details about the internals and backend infrastructure like server addresses, ports, and database usernames. 
\r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", - "cve": "CVE-2023-46125", - "id": "pyup.io-63521", - "more_info_path": "/vulnerabilities/CVE-2023-46125/63521", + "advisory": "Ethyca's Fides 2.22.1 patches a high-severity SSRF vulnerability (CVE-2023-46124) affecting versions before 2.22.1. This vulnerability allowed attackers with certain API access to make internal system requests that could lead to data breaches. The update is crucial for users with CONNECTOR_TEMPLATE_REGISTER scope and should be applied immediately to secure systems.\r\nhttps://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4", + "cve": "CVE-2023-46124", + "id": "pyup.io-63347", + "more_info_path": "/vulnerabilities/CVE-2023-46124/63347", "specs": [ "<2.22.1" ], 
@@ -42566,20 +42864,20 @@ "v": "<2.24.0" }, { - "advisory": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.", - "cve": "CVE-2023-37481", - "id": "pyup.io-65027", - "more_info_path": "/vulnerabilities/CVE-2023-37481/65027", + "advisory": "The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. 
If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.", + "cve": "CVE-2023-37480", + "id": "pyup.io-65025", + "more_info_path": "/vulnerabilities/CVE-2023-37480/65025", "specs": [ ">=2.11.0,<2.16.0" ], "v": ">=2.11.0,<2.16.0" }, { - "advisory": "The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.", - "cve": "CVE-2023-37480", - "id": "pyup.io-65025", - "more_info_path": "/vulnerabilities/CVE-2023-37480/65025", + "advisory": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. 
Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.", + "cve": "CVE-2023-37481", + "id": "pyup.io-65027", + "more_info_path": "/vulnerabilities/CVE-2023-37481/65027", "specs": [ ">=2.11.0,<2.16.0" ], @@ -43087,9 +43385,9 @@ "exasol-bucketfs": [ { "advisory": "Exasol-bucketfs 0.8.0 updates its dependency 'cryptography' to include security fixes.", - "cve": "CVE-2023-23931", - "id": "pyup.io-53776", - "more_info_path": "/vulnerabilities/CVE-2023-23931/53776", + "cve": "CVE-2023-0286", + "id": "pyup.io-53774", + "more_info_path": "/vulnerabilities/CVE-2023-0286/53774", "specs": [ "<0.8.0" ], @@ -43097,9 +43395,9 @@ }, { "advisory": "Exasol-bucketfs 0.8.0 updates its dependency 'cryptography' to include security fixes.", - "cve": "CVE-2023-0286", - "id": "pyup.io-53774", - "more_info_path": "/vulnerabilities/CVE-2023-0286/53774", + "cve": "CVE-2023-23931", + "id": "pyup.io-53776", + "more_info_path": "/vulnerabilities/CVE-2023-23931/53776", "specs": [ "<0.8.0" ], @@ -43478,18 +43776,6 @@ "v": ">=0,<0.0.2" } ], - "f-ask": [ - { - "advisory": "Certain versions of Flask, part of the Pallets Project, are susceptible to an Improper Input Validation vulnerability. This issue could lead to excessive memory usage, potentially causing a denial of service if attackers supply JSON data in an incorrect encoding.", - "cve": null, - "id": "pyup.io-69621", - "more_info_path": "/vulnerabilities/None/69621", - "specs": [ - ">=0,<0.12.3" - ], - "v": ">=0,<0.12.3" - } - ], "faapi": [ { "advisory": "Faapi 3.1.0 updates its dependency 'lxml' to v4.7.1 to include a security fix.", 
@@ -43728,6 +44014,18 @@ "v": "<0.19.0" } ], + "falcon-integration-gateway": [ + { + "advisory": "Falcon-integration-gateway version 3.1.12 upgrades its requests dependency from version 2.31.0 to 2.32.0 to address the security vulnerability identified as CVE-2024-35195.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71130", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71130", + "specs": [ + "<3.1.12" + ], + "v": "<3.1.12" + } + ], "falcon-toolkit": [ { "advisory": "Falcon-toolkit 3.0.2 updates its dependency 'certifi' to v2022.12.7 to include a security fix.", @@ -43984,20 +44282,20 @@ "v": "<0.75.2" }, { - "advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.", - "cve": "CVE-2021-46708", - "id": "pyup.io-48161", - "more_info_path": "/vulnerabilities/CVE-2021-46708/48161", + "advisory": "Fastapi 0.75.2 updates its dependency 'ujson' ranges to include a security fix.", + "cve": "CVE-2021-45958", + "id": "pyup.io-48159", + "more_info_path": "/vulnerabilities/CVE-2021-45958/48159", "specs": [ "<0.75.2" ], "v": "<0.75.2" }, { - "advisory": "Fastapi 0.75.2 updates its dependency 'ujson' ranges to include a security fix.", - "cve": "CVE-2021-45958", - "id": "pyup.io-48159", - "more_info_path": "/vulnerabilities/CVE-2021-45958/48159", + "advisory": "Fastapi 0.75.2 updates its NPM dependency 'swagger-ui' to include security fixes.", + "cve": "CVE-2021-46708", + "id": "pyup.io-48161", + "more_info_path": "/vulnerabilities/CVE-2021-46708/48161", "specs": [ "<0.75.2" ], 
@@ -44034,6 +44332,18 @@ "v": "<=0.109.0" } ], + "fastapi-azure-auth": [ + { + "advisory": "Fastapi-azure-auth version 4.4.0 migrates from python-jose to PyJWT due to the security vulnerability identified as CVE-2024-33663.", + "cve": "CVE-2024-33663", + "id": "pyup.io-71284", + "more_info_path": "/vulnerabilities/CVE-2024-33663/71284", + "specs": [ + "<4.4.0" + ], + "v": "<4.4.0" + } + ], "fastapi-login": [ { "advisory": "Fastapi-login 1.4.0 fixes a security vulnerability found in uvicorn", @@ -44318,6 +44628,18 @@ "v": "<10.1.3" } ], + "fastapi-utils": [ + { + "advisory": "Fastapi-utils version 0.3.1 updates Pydantic to version 2 in response to CVE-2021-29510.", + "cve": "CVE-2021-29510", + "id": "pyup.io-70939", + "more_info_path": "/vulnerabilities/CVE-2021-29510/70939", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + } + ], "fastbots": [ { "advisory": "Fastbots 0.1.5 includes a fix for CVE-2023-48699: Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to RCE. The vulnerability is in the function 'def __locator__(self, locator_name: str)' in 'page.py'.\r\nhttps://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9", @@ -44463,6 +44785,16 @@ } ], "featurebyte": [ + { + "advisory": "Featurebyte 0.3.0 updates its dependency 'starlette' to v0.27.0 to include a security fix.", + "cve": "PVE-2023-58713", + "id": "pyup.io-58915", + "more_info_path": "/vulnerabilities/PVE-2023-58713/58915", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, { "advisory": "Featurebyte 0.3.0 updates its dependency 'pymdown-extensions' to include a security fix.", "cve": "CVE-2023-32309", 
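Review bot: The fastapi-utils entry (second hunk on this line) attributes CVE-2021-29510 to fastapi-utils `<0.3.1`, but that CVE is a pydantic defect fixed in pydantic 1.8.2, and the advisory text itself says the only change is moving the Pydantic requirement to version 2. Any install of an older fastapi-utils that already resolves pydantic >= 1.8.2 is not exposed, so this spec will produce false positives against the package rather than the vulnerable dependency. State the vulnerable dependency range in the record, e.g. `... in response to CVE-2021-29510 (pydantic < 1.8.2); earlier fastapi-utils releases allowed vulnerable pydantic versions.`, so a consumer can suppress the finding when the installed pydantic is already patched.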
@@ -44474,14 +44806,34 @@ "v": "<0.3.0" }, { - "advisory": "Featurebyte 0.3.0 updates its dependency 'starlette' to v0.27.0 to include a security fix.", - "cve": "PVE-2023-58713", - "id": "pyup.io-58915", - "more_info_path": "/vulnerabilities/PVE-2023-58713/58915", + "advisory": "Featurebyte version 1.0.3 updates its `orjson` dependency from `^3.8.3` to `^3.9.15` to address the security vulnerability identified in CVE-2024-27454. This update ensures that users are protected from the issues present in the older version of `orjson`.", + "cve": "CVE-2024-27454", + "id": "pyup.io-71082", + "more_info_path": "/vulnerabilities/CVE-2024-27454/71082", "specs": [ - "<0.3.0" + "<1.0.3" ], - "v": "<0.3.0" + "v": "<1.0.3" + }, + { + "advisory": "Featurebyte version 1.0.3 updates its `cryptography` dependency from `^41.0.3` to `^42.0.4` to address the security vulnerability identified as CVE-2024-26130. This update ensures that users are protected from issues present in the older version of the `cryptography` library.", + "cve": "CVE-2024-26130", + "id": "pyup.io-71108", + "more_info_path": "/vulnerabilities/CVE-2024-26130/71108", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" + }, + { + "advisory": "Featurebyte version 1.0.3 updates its `black` dependency from `^23.3.0` to `^24.3.0` to address the security vulnerability identified in CVE-2024-21503. This update ensures that users are protected from issues present in the older version of `black`.", + "cve": "CVE-2024-21503", + "id": "pyup.io-71107", + "more_info_path": "/vulnerabilities/CVE-2024-21503/71107", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" } ], "featureserver": [ 
@@ -44703,9 +45055,9 @@ }, { "advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.", - "cve": "CVE-2021-34141", - "id": "pyup.io-50784", - "more_info_path": "/vulnerabilities/CVE-2021-34141/50784", + "cve": "CVE-2021-41495", + "id": "pyup.io-50793", + "more_info_path": "/vulnerabilities/CVE-2021-41495/50793", "specs": [ "<0.2.0b1" ], @@ -44723,9 +45075,9 @@ }, { "advisory": "Fhir-pyrate 0.2.0b1 updates its dependency \"numpy\" to v1.23.1 to include security fixes.", - "cve": "CVE-2021-41495", - "id": "pyup.io-50793", - "more_info_path": "/vulnerabilities/CVE-2021-41495/50793", + "cve": "CVE-2021-34141", + "id": "pyup.io-50784", + "more_info_path": "/vulnerabilities/CVE-2021-34141/50784", "specs": [ "<0.2.0b1" ], @@ -45056,20 +45408,20 @@ ], "fittrackee": [ { - "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152", - "cve": "PVE-2022-44973", - "id": "pyup.io-44973", - "more_info_path": "/vulnerabilities/PVE-2022-44973/44973", + "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151", + "cve": "PVE-2022-45387", + "id": "pyup.io-45387", + "more_info_path": "/vulnerabilities/PVE-2022-45387/45387", "specs": [ "<0.5.7" ], "v": "<0.5.7" }, { - "advisory": "Fittrackee 0.5.7 sanitizes input when serving images, map titles and in username.\r\nhttps://github.com/SamR1/FitTrackee/pull/151", - "cve": "PVE-2022-45387", - "id": "pyup.io-45387", - "more_info_path": "/vulnerabilities/PVE-2022-45387/45387", + "advisory": "Fittrackee 0.5.7 sets autoescape on jinja templates.\r\nhttps://github.com/SamR1/FitTrackee/pull/152", + "cve": "PVE-2022-44973", + "id": "pyup.io-44973", + "more_info_path": "/vulnerabilities/PVE-2022-44973/44973", "specs": [ "<0.5.7" ], 
@@ -45086,6 +45438,16 @@ "<0.1.11" ], "v": "<0.1.11" + }, + { + "advisory": "Fl4health version 0.1.15 updates the tqdm library from version 4.66.2 to 4.66.4 following the discovery of a vulnerability identified as CVE-2024-34062, as detected by pip-audit.", + "cve": "CVE-2024-34062", + "id": "pyup.io-70893", + "more_info_path": "/vulnerabilities/CVE-2024-34062/70893", + "specs": [ + "<0.1.15" + ], + "v": "<0.1.15" } ], "flafl": [ @@ -45295,20 +45657,20 @@ "v": "<0.2.0" }, { - "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n", - "cve": "PVE-2021-37905", - "id": "pyup.io-37905", - "more_info_path": "/vulnerabilities/PVE-2021-37905/37905", + "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.", + "cve": "PVE-2021-37064", + "id": "pyup.io-37064", + "more_info_path": "/vulnerabilities/PVE-2021-37064/37064", "specs": [ "<0.7.8" ], "v": "<0.7.8" }, { - "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.", - "cve": "PVE-2021-37064", - "id": "pyup.io-37064", - "more_info_path": "/vulnerabilities/PVE-2021-37064/37064", + "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n", + "cve": "PVE-2021-37905", + "id": "pyup.io-37905", + "more_info_path": "/vulnerabilities/PVE-2021-37905/37905", "specs": [ "<0.7.8" ], 
@@ -45425,10 +45787,10 @@ "v": "<4.3.0" }, { - "advisory": "Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.", - "cve": "CVE-2023-46047", + "advisory": "** DISPUTED ** Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.", + "cve": "CVE-2024-25128", "id": "pyup.io-68493", - "more_info_path": "/vulnerabilities/CVE-2023-46047/68493", + "more_info_path": "/vulnerabilities/CVE-2024-25128/68493", "specs": [ "<4.3.11" ], 
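Review bot: Record pyup.io-68493 keeps its `id` but switches `cve` from CVE-2023-46047 to CVE-2024-25128, so `more_info_path` moves from `/vulnerabilities/CVE-2023-46047/68493` to `/vulnerabilities/CVE-2024-25128/68493` while the advisory text and the `<4.3.11` range stay the same. Any consumer that stored the old path for this id now holds a dangling link, and nothing in the record explains the re-keying. If the earlier CVE was simply mis-assigned, a short clause in the advisory text such as `Previously tracked as CVE-2023-46047.` would let downstream tooling reconcile the two identifiers; if both CVEs are meant to apply, the old one presumably needs its own record rather than being overwritten.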
@@ -45499,6 +45861,26 @@ "<3.0.9" ], "v": "<3.0.9" + }, + { + "advisory": "Flask-cors 4.0.1 addresses the CVE-2024-1681: corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.", + "cve": "CVE-2024-1681", + "id": "pyup.io-70813", + "more_info_path": "/vulnerabilities/CVE-2024-1681/70813", + "specs": [ + "<4.0.1" + ], + "v": "<4.0.1" + }, + { + "advisory": "corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs. See CVE-2024-1681.", + "cve": "CVE-2024-1681", + "id": "pyup.io-70624", + "more_info_path": "/vulnerabilities/CVE-2024-1681/70624", + "specs": [ + ">0" + ], + "v": ">0" } ], "flask-exceptions": [ 
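Review bot: The two new flask-cors records both carry CVE-2024-1681 but disagree on the affected range: pyup.io-70813 uses `"<4.0.1"` and states that 4.0.1 addresses the issue, while pyup.io-70624 uses `">0"`, which matches every version including 4.0.1 and later. A consumer keyed on `specs` will therefore keep reporting patched installs as vulnerable, and the near-identical advisory text is duplicated across both records. If 4.0.1 is the fix, the second record's `specs` and `v` should also read `"<4.0.1"`, or the record should be dropped in favour of 70813; if the open-ended range is intentional because the fix is unconfirmed, its advisory text should say so rather than contradict the sibling entry.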
@@ -46124,26 +46506,6 @@ ], "v": "<1.2.0" }, - { - "advisory": "** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren\u2019t user facing configuration options. They are internal backend config options and person having rights to change them already has full access.", - "cve": "CVE-2019-16925", - "id": "pyup.io-70511", - "more_info_path": "/vulnerabilities/CVE-2019-16925/70511", - "specs": [ - "<=0.9.3" - ], - "v": "<=0.9.3" - }, - { - "advisory": "** DISPUTED ** Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren\u2019t user facing configuration options. They are internal backend config options and person having rights to change them already has full access.", - "cve": "CVE-2019-16926", - "id": "pyup.io-70512", - "more_info_path": "/vulnerabilities/CVE-2019-16926/70512", - "specs": [ - "<=0.9.3" - ], - "v": "<=0.9.3" - }, { "advisory": "Flower before 0.9.2 has a XSS on tasks page because data is not properly escaped.", "cve": "PVE-2023-55193", @@ -46207,10 +46569,10 @@ "v": "<1.1.0" }, { - "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.", - "cve": "CVE-2022-24065", - "id": "pyup.io-51331", - "more_info_path": "/vulnerabilities/CVE-2022-24065/51331", + "advisory": "Flytekit 1.2.0 updates its dependency 'pyspark' to v3.3.0 to include a security fix.", + "cve": "CVE-2022-33891", + "id": "pyup.io-51332", + "more_info_path": "/vulnerabilities/CVE-2022-33891/51332", "specs": [ "<1.2.0" ], 
@@ -46227,20 +46589,20 @@ "v": "<1.2.0" }, { - "advisory": "Flytekit 1.2.0 updates its dependency 'pyspark' to v3.3.0 to include a security fix.", - "cve": "CVE-2022-33891", - "id": "pyup.io-51332", - "more_info_path": "/vulnerabilities/CVE-2022-33891/51332", + "advisory": "Flytekit 1.2.0 updates its dependency 'notebook' to v6.4.12 to include a security fix.", + "cve": "CVE-2022-29238", + "id": "pyup.io-51330", + "more_info_path": "/vulnerabilities/CVE-2022-29238/51330", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { - "advisory": "Flytekit 1.2.0 updates its dependency 'protobuf' to v3.20.2 to include a security fix.", - "cve": "CVE-2022-1941", - "id": "pyup.io-51334", - "more_info_path": "/vulnerabilities/CVE-2022-1941/51334", + "advisory": "Flytekit 1.2.0 updates its dependency 'mistune' to v2.0.3 to include a security fix.", + "cve": "CVE-2022-34749", + "id": "pyup.io-51329", + "more_info_path": "/vulnerabilities/CVE-2022-34749/51329", "specs": [ "<1.2.0" ], @@ -46257,20 +46619,20 @@ "v": "<1.2.0" }, { - "advisory": "Flytekit 1.2.0 updates its dependency 'notebook' to v6.4.12 to include a security fix.", - "cve": "CVE-2022-29238", - "id": "pyup.io-51330", - "more_info_path": "/vulnerabilities/CVE-2022-29238/51330", + "advisory": "Flytekit 1.2.0 updates its dependency 'protobuf' to v3.20.2 to include a security fix.", + "cve": "CVE-2022-1941", + "id": "pyup.io-51334", + "more_info_path": "/vulnerabilities/CVE-2022-1941/51334", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { - "advisory": "Flytekit 1.2.0 updates its dependency 'mistune' to v2.0.3 to include a security fix.", - "cve": "CVE-2022-34749", - "id": "pyup.io-51329", - "more_info_path": "/vulnerabilities/CVE-2022-34749/51329", + "advisory": "Flytekit 1.2.0 updates its dependency 'cookiecutter' to v2.1.1 to include a security fix.", + "cve": "CVE-2022-24065", + "id": "pyup.io-51331", + "more_info_path": "/vulnerabilities/CVE-2022-24065/51331", "specs": [ "<1.2.0" ], 
@@ -46289,6 +46651,18 @@ "v": "<0.4.0" } ], + "fmi-weather-client": [ + { + "advisory": "Fmi-weather-client version 0.3.0 upgrades its requests dependency from version 2.31.0 to 2.32.2 to address the security vulnerability identified as CVE-2024-35195.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71131", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71131", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], "fnapy": [ { "advisory": "Fnapy 1.1.7 updates its dependency 'requests' to include a security fix.", @@ -46431,6 +46805,18 @@ "v": "<3.13.5" } ], + "fosslight-prechecker": [ + { + "advisory": "Fosslight-prechecker version 3.0.26 fixes a vulnerability related to a potential security issue where unauthorized access to sensitive information could occur. This vulnerability involved the inadvertent exposure of internal configuration details, which could be exploited by an attacker to gain access to sensitive data. The update ensures that such information is properly secured and not accessible without proper authorization.", + "cve": "PVE-2024-71075", + "id": "pyup.io-71075", + "more_info_path": "/vulnerabilities/PVE-2024-71075/71075", + "specs": [ + "<3.0.26" + ], + "v": "<3.0.26" + } + ], "fosslight-scanner": [ { "advisory": "Fosslight-scanner 1.7.16 includes a fix for a Command Injection vulnerability.\r\nhttps://github.com/fosslight/fosslight_scanner/pull/69", 
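Review bot: The new fosslight-prechecker record (pyup.io-71075, PVE-2024-71075) describes the fix only in generic terms — "unauthorized access to sensitive information", "inadvertent exposure of internal configuration details" — and names no component, no upstream issue and no reference URL, unlike the neighbouring fosslight-scanner entry, which cites its pull request. Without a reference a consumer cannot verify the `<3.0.26` range or triage the finding beyond "upgrade". If the source is a release note or commit, append its URL to the advisory text in the `\r\n`-separated style the surrounding records use; if it cannot be sourced, the text should at least name the affected component.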
@@ -46504,16 +46890,6 @@ } ], "fractal-server": [ - { - "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723", - "cve": "CVE-2023-32681", - "id": "pyup.io-59000", - "more_info_path": "/vulnerabilities/CVE-2023-32681/59000", - "specs": [ - "<1.3.0a3" - ], - "v": "<1.3.0a3" - }, { "advisory": "Fractal-server 1.3.0a3 updates its dependency 'cryptography' to version '41.0.1' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/739/commits/ec5bbd57acabf5a1fc357cfb96c21e059c619475", "cve": "CVE-2023-2650", @@ -46543,6 +46919,16 @@ "<1.3.0a3" ], "v": "<1.3.0a3" + }, + { + "advisory": "Fractal-server 1.3.0a3 updates its dependency 'requests' to version '2.31.0' to include a security fix.\r\nhttps://github.com/fractal-analytics-platform/fractal-server/pull/723", + "cve": "CVE-2023-32681", + "id": "pyup.io-59000", + "more_info_path": "/vulnerabilities/CVE-2023-32681/59000", + "specs": [ + "<1.3.0a3" + ], + "v": "<1.3.0a3" } ], "frapp": [ @@ -46754,6 +47140,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "The get_user_grouplist function in the extdom plug-in in FreeIPA before 4.1.4 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (crash) via a group list request for a user that belongs to a large number of groups.", + "cve": "CVE-2015-1827", + "id": "pyup.io-70761", + "more_info_path": "/vulnerabilities/CVE-2015-1827/70761", + "specs": [ + "<=4.1.3" + ], + "v": "<=4.1.3" + }, { "advisory": "FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services.", "cve": "CVE-2016-5414", 
@@ -47228,6 +47624,38 @@ "v": "<=0.18.2" } ], + "galaxy-app": [ + { + "advisory": "The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user's input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code execution. This attack appear to be exploitable via The victim must interact with component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01.", + "cve": "CVE-2018-1000516", + "id": "pyup.io-70780", + "more_info_path": "/vulnerabilities/CVE-2018-1000516/70780", + "specs": [ + "<14.10.1" + ], + "v": "<14.10.1" + }, + { + "advisory": "Galaxy is an open-source platform for FAIR data analysis. Prior to version 22.05, Galaxy is vulnerable to server-side request forgery, which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses. Version 22.05 contains a patch for this issue.", + "cve": "CVE-2023-42812", + "id": "pyup.io-70787", + "more_info_path": "/vulnerabilities/CVE-2023-42812/70787", + "specs": [ + "<22.05" + ], + "v": "<22.05" + }, + { + "advisory": "Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. 
This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.", + "cve": "CVE-2022-23470", + "id": "pyup.io-70779", + "more_info_path": "/vulnerabilities/CVE-2022-23470/70779", + "specs": [ + ">=22.01,<=22.05" + ], + "v": ">=22.01,<=22.05" + } + ], "galaxy-importer": [ { "advisory": "Galaxy-importer 0.2.15 updates 'bleach' dependency to v3.3.0 to fix a 'XSS mutation' vulnerability.", @@ -47448,20 +47876,20 @@ "v": "<3.1.0" }, { - "advisory": "Gdal 3.4.0 requires versions of libgdal 3.4.0 or greater, that include a fix for a potential race condition vulnerability in MSG driver.\r\nhttps://github.com/OSGeo/gdal/pull/4153", - "cve": "PVE-2023-61143", - "id": "pyup.io-61143", - "more_info_path": "/vulnerabilities/PVE-2023-61143/61143", + "advisory": "Gdal 3.4.0 includes a fix for its C dependency 'netcdf': A stack read overflow vulnerability.\r\nhttps://github.com/OSGeo/gdal/commit/eec259c7c73f8bc200ff41efc8e6771472b48f86\r\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39189", + "cve": "CVE-2019-25050", + "id": "pyup.io-42369", + "more_info_path": "/vulnerabilities/CVE-2019-25050/42369", "specs": [ "<3.4.0" ], "v": "<3.4.0" }, { - "advisory": "Gdal 3.4.0 includes a fix for its C dependency 'netcdf': A stack read overflow vulnerability.\r\nhttps://github.com/OSGeo/gdal/commit/eec259c7c73f8bc200ff41efc8e6771472b48f86\r\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39189", - "cve": "CVE-2019-25050", - "id": "pyup.io-42369", - "more_info_path": "/vulnerabilities/CVE-2019-25050/42369", + "advisory": "Gdal 3.4.0 requires versions of libgdal 3.4.0 or greater, that include a fix for a potential race condition vulnerability in MSG driver.\r\nhttps://github.com/OSGeo/gdal/pull/4153", + "cve": "PVE-2023-61143", + "id": "pyup.io-61143", + "more_info_path": "/vulnerabilities/PVE-2023-61143/61143", "specs": [ "<3.4.0" ], 
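Review bot: The galaxy-app record for CVE-2022-23470 (pyup.io-70779) sets `specs` to `">=22.01,<=22.05"`, but its own advisory text says the issue "affects Galaxy 22.01 and higher" and is "patched in commit `e5e6bda4f` and will be included in future releases" — no fixed release is named, so the `<=22.05` upper bound is not supported by the text. Under PEP 440 ordering `<=22.05` also excludes a point release such as 22.05.1, which is only right if the fix shipped there; this is inferred, not visible. If the fixed release is known, name it in the advisory text (e.g. `Fixed in <FIXED-VERSION>.`) so the range can be checked; otherwise the range should match what the advisory states. The sibling records (`<14.10.1` for CVE-2018-1000516, `<22.05` for CVE-2023-42812) are consistent with their text; this hunk starts on the previous line.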
@@ -47506,6 +47934,16 @@ ">=0,<3.1.0" ], "v": ">=0,<3.1.0" + }, + { + "advisory": "GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).", + "cve": "CVE-2021-45943", + "id": "pyup.io-70734", + "more_info_path": "/vulnerabilities/CVE-2021-45943/70734", + "specs": [ + ">=3.3.0,<3.4.1" + ], + "v": ">=3.3.0,<3.4.1" } ], "gdbgui": [ @@ -47648,6 +48086,16 @@ } ], "geonode": [ + { + "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.", + "cve": "CVE-2019-11324", + "id": "pyup.io-42968", + "more_info_path": "/vulnerabilities/CVE-2019-11324/42968", + "specs": [ + "<2.10" + ], + "v": "<2.10" + }, { "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.", "cve": "CVE-2018-20060", @@ -47659,10 +48107,10 @@ "v": "<2.10" }, { - "advisory": "Geonode 2.10 updates 'urllib3' to v1.24.2 to include security fixes.", - "cve": "CVE-2019-11324", - "id": "pyup.io-42968", - "more_info_path": "/vulnerabilities/CVE-2019-11324/42968", + "advisory": "Geonode 2.10 updates 'django' to v1.11.22 to include a security fix.", + "cve": "CVE-2019-12781", + "id": "pyup.io-37877", + "more_info_path": "/vulnerabilities/CVE-2019-12781/37877", "specs": [ "<2.10" ], @@ -47688,16 +48136,6 @@ ], "v": "<2.10" }, - { - "advisory": "Geonode 2.10 updates 'django' to v1.11.22 to include a security fix.", - "cve": "CVE-2019-12781", - "id": "pyup.io-37877", - "more_info_path": "/vulnerabilities/CVE-2019-12781/37877", - "specs": [ - "<2.10" - ], - "v": "<2.10" - }, { "advisory": "Geonode 2.8.1 includes a fix for a cross-site scripting vulnerability.\r\nhttps://github.com/GeoNode/geonode/issues/3951", "cve": "PVE-2021-38558", 
@@ -47957,9 +48395,9 @@ "ggshield": [ { "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082", - "cve": "CVE-2023-3817", - "id": "pyup.io-60443", - "more_info_path": "/vulnerabilities/CVE-2023-3817/60443", + "cve": "CVE-2023-2975", + "id": "pyup.io-60486", + "more_info_path": "/vulnerabilities/CVE-2023-2975/60486", "specs": [ "<1.18.0" ], @@ -47967,9 +48405,9 @@ }, { "advisory": "Ggshield 1.18.0 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/GitGuardian/ggshield/commit/3c67771a4d66accede14fa23dfce9ea51571e082", - "cve": "CVE-2023-2975", - "id": "pyup.io-60486", - "more_info_path": "/vulnerabilities/CVE-2023-2975/60486", + "cve": "CVE-2023-3817", + "id": "pyup.io-60443", + "more_info_path": "/vulnerabilities/CVE-2023-3817/60443", "specs": [ "<1.18.0" ], @@ -48285,16 +48723,6 @@ } ], "github-changelog-md": [ - { - "advisory": "Github-changelog-md version 0.8.1 has updated its jinja2 dependency from 3.1.2 to 3.1.3 to address the security issue identified as CVE-2024-22195.\r\nhttps://github.com/seapagan/github-changelog-md/commit/cccc57445478b949679782ffc6b8ac6f7710af0a", - "cve": "CVE-2024-22195", - "id": "pyup.io-65067", - "more_info_path": "/vulnerabilities/CVE-2024-22195/65067", - "specs": [ - "<0.8.1" - ], - "v": "<0.8.1" - }, { "advisory": "Github-changelog-md version 0.8.1 has updated its GitPython dependency from 3.1.40 to 3.1.41 to address the security issue identified as CVE-2024-22190.\r\nhttps://github.com/seapagan/github-changelog-md/commit/cccc57445478b949679782ffc6b8ac6f7710af0a", "cve": "CVE-2024-22190", 
@@ -48314,6 +48742,16 @@ "<0.8.1" ], "v": "<0.8.1" + }, + { + "advisory": "Github-changelog-md version 0.8.1 has updated its jinja2 dependency from 3.1.2 to 3.1.3 to address the security issue identified as CVE-2024-22195.\r\nhttps://github.com/seapagan/github-changelog-md/commit/cccc57445478b949679782ffc6b8ac6f7710af0a", + "cve": "CVE-2024-22195", + "id": "pyup.io-65067", + "more_info_path": "/vulnerabilities/CVE-2024-22195/65067", + "specs": [ + "<0.8.1" + ], + "v": "<0.8.1" } ], "github-rate-limits-exporter": [ @@ -48331,9 +48769,9 @@ "githubkit": [ { "advisory": "Githubkit 0.9.4 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", - "cve": "CVE-2022-3786", - "id": "pyup.io-52470", - "more_info_path": "/vulnerabilities/CVE-2022-3786/52470", + "cve": "CVE-2022-3602", + "id": "pyup.io-52515", + "more_info_path": "/vulnerabilities/CVE-2022-3602/52515", "specs": [ "<0.9.4" ], @@ -48341,9 +48779,9 @@ }, { "advisory": "Githubkit 0.9.4 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", - "cve": "CVE-2022-3602", - "id": "pyup.io-52515", - "more_info_path": "/vulnerabilities/CVE-2022-3602/52515", + "cve": "CVE-2022-3786", + "id": "pyup.io-52470", + "more_info_path": "/vulnerabilities/CVE-2022-3786/52470", "specs": [ "<0.9.4" ], 
@@ -48362,6 +48800,28 @@ "v": "<1.4.1" } ], + "gitlabci-checker": [ + { + "advisory": "Gitlabci-checker 0.1.2 updates the `werkzeug` package from version 2.2.2 to 2.2.3 in response to CVE-2023-23934. This upgrade addresses specific vulnerabilities identified in the earlier version of `werkzeug`.", + "cve": "CVE-2023-23934", + "id": "pyup.io-70866", + "more_info_path": "/vulnerabilities/CVE-2023-23934/70866", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + }, + { + "advisory": "Gitlabci-checker 0.1.2 updates the `werkzeug` package from version 2.2.2 to 2.2.3 in response to CVE-2023-25577. This upgrade addresses specific vulnerabilities identified in the earlier version of `werkzeug`.", + "cve": "CVE-2023-25577", + "id": "pyup.io-70862", + "more_info_path": "/vulnerabilities/CVE-2023-25577/70862", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "gitlabform": [ { "advisory": "Gitlabform 2.0.5 fixes potential security issue by enabling autoescaping when loading the 'Jinja' templates.", 
@@ -48461,20 +48921,20 @@ "v": "<11.0.1,==12.0.0" }, { - "advisory": "The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.", - "cve": "CVE-2013-1840", - "id": "pyup.io-67955", - "more_info_path": "/vulnerabilities/CVE-2013-1840/67955", + "advisory": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.", + "cve": "CVE-2017-7200", + "id": "pyup.io-67541", + "more_info_path": "/vulnerabilities/CVE-2017-7200/67541", "specs": [ "<13.0.0" ], "v": "<13.0.0" }, { - "advisory": "An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'localhost:22'. 
This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.", - "cve": "CVE-2017-7200", - "id": "pyup.io-67541", - "more_info_path": "/vulnerabilities/CVE-2017-7200/67541", + "advisory": "The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.", + "cve": "CVE-2013-1840", + "id": "pyup.io-67955", + "more_info_path": "/vulnerabilities/CVE-2013-1840/67955", "specs": [ "<13.0.0" ], @@ -48651,10 +49111,10 @@ "v": ">=2010,<2015.1.3,>=11.0.0.0rc1,<11.0.2" }, { - "advisory": "The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.", - "cve": "CVE-2012-4573", - "id": "pyup.io-68003", - "more_info_path": "/vulnerabilities/CVE-2012-4573/68003", + "advisory": "store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.", + "cve": "CVE-2013-0212", + "id": "pyup.io-68005", + "more_info_path": "/vulnerabilities/CVE-2013-0212/68005", "specs": [ ">=2012.2,<2013.2.4" ], 
@@ -48671,10 +49131,10 @@ "v": ">=2012.2,<2013.2.4" }, { - "advisory": "store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.", - "cve": "CVE-2013-0212", - "id": "pyup.io-68005", - "more_info_path": "/vulnerabilities/CVE-2013-0212/68005", + "advisory": "The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.", + "cve": "CVE-2012-4573", + "id": "pyup.io-68003", + "more_info_path": "/vulnerabilities/CVE-2012-4573/68003", "specs": [ ">=2012.2,<2013.2.4" ], @@ -49245,6 +49705,16 @@ ], "v": "<0.67.0" }, + { + "advisory": "Gordo 1.12.0 updates its dependency \"numpy\" to v1.21.0 to include a security fix.", + "cve": "CVE-2021-33430", + "id": "pyup.io-51152", + "more_info_path": "/vulnerabilities/CVE-2021-33430/51152", + "specs": [ + "<1.12.0" + ], + "v": "<1.12.0" + }, { "advisory": "Gordo 1.12.0 updates its dependency \"TensorFlow\" requirement to \"~=2.7.0\" to include security fixes.", "cve": "CVE-2022-21725", @@ -49775,16 +50245,6 @@ ], "v": "<1.12.0" }, - { - "advisory": "Gordo 1.12.0 updates its dependency \"numpy\" to v1.21.0 to include a security fix.", - "cve": "CVE-2021-33430", - "id": "pyup.io-51152", - "more_info_path": "/vulnerabilities/CVE-2021-33430/51152", - "specs": [ - "<1.12.0" - ], - "v": "<1.12.0" - }, { "advisory": "Gordo 5.1.2 updates its dependency 'cryptography' to version '41.0.0' to include a security fix.\r\nhttps://github.com/equinor/gordo/pull/1324/commits/3e02a6e184236c6406fb6faa1dda440baa2af68a", "cve": "CVE-2023-2650", 
@@ -49917,9 +50377,9 @@ "gphotos-sync": [ { "advisory": "Gphotos-sync 2.9 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", - "cve": "CVE-2019-11324", - "id": "pyup.io-37829", - "more_info_path": "/vulnerabilities/CVE-2019-11324/37829", + "cve": "CVE-2019-11236", + "id": "pyup.io-44967", + "more_info_path": "/vulnerabilities/CVE-2019-11236/44967", "specs": [ "<2.9" ], @@ -49927,9 +50387,9 @@ }, { "advisory": "Gphotos-sync 2.9 updates its dependency 'urllib3' to v1.25.3 to include security fixes.", - "cve": "CVE-2019-11236", - "id": "pyup.io-44967", - "more_info_path": "/vulnerabilities/CVE-2019-11236/44967", + "cve": "CVE-2019-11324", + "id": "pyup.io-37829", + "more_info_path": "/vulnerabilities/CVE-2019-11324/37829", "specs": [ "<2.9" ], @@ -50784,9 +51244,9 @@ "h2o": [ { "advisory": "H2o 3.34.0.7 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/h2oai/h2o-3/commit/85dc8a3fdbfef002919d15764b1ad99b3c39f851", - "cve": "CVE-2021-45046", - "id": "pyup.io-43398", - "more_info_path": "/vulnerabilities/CVE-2021-45046/43398", + "cve": "CVE-2021-44228", + "id": "pyup.io-43397", + "more_info_path": "/vulnerabilities/CVE-2021-44228/43397", "specs": [ "<3.34.0.7" ], @@ -50794,9 +51254,9 @@ }, { "advisory": "H2o 3.34.0.7 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/h2oai/h2o-3/commit/85dc8a3fdbfef002919d15764b1ad99b3c39f851", - "cve": "CVE-2021-45105", - "id": "pyup.io-43439", - "more_info_path": "/vulnerabilities/CVE-2021-45105/43439", + "cve": "CVE-2021-45046", + "id": "pyup.io-43398", + "more_info_path": "/vulnerabilities/CVE-2021-45046/43398", "specs": [ "<3.34.0.7" ], 
@@ -50804,9 +51264,9 @@ }, { "advisory": "H2o 3.34.0.7 updates its dependency 'log4j' to v2.17.0 to fix critical and severe vulnerabilities.\r\nhttps://github.com/h2oai/h2o-3/commit/85dc8a3fdbfef002919d15764b1ad99b3c39f851", - "cve": "CVE-2021-44228", - "id": "pyup.io-43397", - "more_info_path": "/vulnerabilities/CVE-2021-44228/43397", + "cve": "CVE-2021-45105", + "id": "pyup.io-43439", + "more_info_path": "/vulnerabilities/CVE-2021-45105/43439", "specs": [ "<3.34.0.7" ], @@ -50832,16 +51292,6 @@ ], "v": "<3.36.1.3" }, - { - "advisory": "H2o 3.36.1.4 updates its dependency AWS Java SDK to '1.12.127' to fix CVE-2021-22573.\r\nhttps://github.com/h2oai/h2o-3/pull/6263", - "cve": "CVE-2021-22573", - "id": "pyup.io-59340", - "more_info_path": "/vulnerabilities/CVE-2021-22573/59340", - "specs": [ - "<3.36.1.4" - ], - "v": "<3.36.1.4" - }, { "advisory": "H2o 3.36.1.4 updates its dependency 'jetty' to '9.4.48.v20220622' to fix CVE-2019-10172.\r\nhttps://github.com/h2oai/h2o-3/pull/6263", "cve": "CVE-2019-10172", @@ -50853,14 +51303,14 @@ "v": "<3.36.1.4" }, { - "advisory": "H2o 3.38.0.2 updates its dependency 'commons-text' to '1.10.0' to fix CVE-2022-42889.\r\nhttps://github.com/h2oai/h2o-3/pull/6389", - "cve": "CVE-2022-42889", - "id": "pyup.io-59339", - "more_info_path": "/vulnerabilities/CVE-2022-42889/59339", + "advisory": "H2o 3.36.1.4 updates its dependency AWS Java SDK to '1.12.127' to fix CVE-2021-22573.\r\nhttps://github.com/h2oai/h2o-3/pull/6263", + "cve": "CVE-2021-22573", + "id": "pyup.io-59340", + "more_info_path": "/vulnerabilities/CVE-2021-22573/59340", "specs": [ - "<3.38.0.2" + "<3.36.1.4" ], - "v": "<3.38.0.2" + "v": "<3.36.1.4" }, { "advisory": "H2o 3.38.0.2 updates its dependency 'jackson-databind' to '2.13.4.2' to fix CVE-2022-42003.\r\nhttps://github.com/h2oai/h2o-3/pull/6389", 
@@ -50872,6 +51322,16 @@ ], "v": "<3.38.0.2" }, + { + "advisory": "H2o 3.38.0.2 updates its dependency 'commons-text' to '1.10.0' to fix CVE-2022-42889.\r\nhttps://github.com/h2oai/h2o-3/pull/6389", + "cve": "CVE-2022-42889", + "id": "pyup.io-59339", + "more_info_path": "/vulnerabilities/CVE-2022-42889/59339", + "specs": [ + "<3.38.0.2" + ], + "v": "<3.38.0.2" + }, { "advisory": "H2o 3.38.0.4 updates its dependency 'google-cloud-storage' to '2.13.1' to fix CVE-2022-3509.\r\nhttps://github.com/h2oai/h2o-3/pull/6459", "cve": "CVE-2022-3509", 
@@ -50903,80 +51363,80 @@ "v": "<3.40.0.4" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-45693.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", - "cve": "CVE-2022-45693", - "id": "pyup.io-59332", - "more_info_path": "/vulnerabilities/CVE-2022-45693/59332", + "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2023-1436.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", + "cve": "CVE-2023-1436", + "id": "pyup.io-59331", + "more_info_path": "/vulnerabilities/CVE-2023-1436/59331", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'kotlin-stdlib' to '1.4.32' to fix CVE-2020-29582.\r\nhttps://github.com/h2oai/h2o-3/pull/15549", - "cve": "CVE-2020-29582", - "id": "pyup.io-59328", - "more_info_path": "/vulnerabilities/CVE-2020-29582/59328", + "advisory": "H2o 3.42.0.1 updates its dependency 'jetty' to '9.4.51.v20230217' to fix CVE-2023-26048.\r\nhttps://github.com/h2oai/h2o-3/pull/15547", + "cve": "CVE-2023-26048", + "id": "pyup.io-59329", + "more_info_path": "/vulnerabilities/CVE-2023-26048/59329", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'guava' to '32.0.1-jre' to fix CVE-2023-2976.\r\nhttps://github.com/h2oai/h2o-3/pull/15593/commits/056a10b8e33c8ebcf1a1aca8f157aa9735fb3cff", - "cve": "CVE-2023-2976", - "id": "pyup.io-59320", - "more_info_path": "/vulnerabilities/CVE-2023-2976/59320", + "advisory": "H2o 3.42.0.1 updates its dependency 'jetty' to '9.4.51.v20230217' to fix CVE-2023-26049.\r\nhttps://github.com/h2oai/h2o-3/pull/15547", + "cve": "CVE-2023-26049", + "id": "pyup.io-59330", + "more_info_path": "/vulnerabilities/CVE-2023-26049/59330", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'jetty' to '9.4.51.v20230217' to fix CVE-2023-26049.\r\nhttps://github.com/h2oai/h2o-3/pull/15547", - "cve": "CVE-2023-26049", - "id": "pyup.io-59330", - 
"more_info_path": "/vulnerabilities/CVE-2023-26049/59330", + "advisory": "H2o 3.42.0.1 updates its dependency 'kotlin-stdlib' to '1.4.32' to fix CVE-2020-29582.\r\nhttps://github.com/h2oai/h2o-3/pull/15549", + "cve": "CVE-2020-29582", + "id": "pyup.io-59328", + "more_info_path": "/vulnerabilities/CVE-2020-29582/59328", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-40150.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", - "cve": "CVE-2022-40150", - "id": "pyup.io-59334", - "more_info_path": "/vulnerabilities/CVE-2022-40150/59334", + "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-45693.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", + "cve": "CVE-2022-45693", + "id": "pyup.io-59332", + "more_info_path": "/vulnerabilities/CVE-2022-45693/59332", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'jetty' to '9.4.51.v20230217' to fix CVE-2023-26048.\r\nhttps://github.com/h2oai/h2o-3/pull/15547", - "cve": "CVE-2023-26048", - "id": "pyup.io-59329", - "more_info_path": "/vulnerabilities/CVE-2023-26048/59329", + "advisory": "H2o 3.42.0.1 updates its dependency 'guava' to '32.0.1-jre' to fix CVE-2023-2976.\r\nhttps://github.com/h2oai/h2o-3/pull/15593/commits/056a10b8e33c8ebcf1a1aca8f157aa9735fb3cff", + "cve": "CVE-2023-2976", + "id": "pyup.io-59320", + "more_info_path": "/vulnerabilities/CVE-2023-2976/59320", "specs": [ "<3.42.0.1" ], "v": "<3.42.0.1" }, { - "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-45685.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", - "cve": "CVE-2022-45685", - "id": "pyup.io-59333", - "more_info_path": "/vulnerabilities/CVE-2022-45685/59333", + "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-40150.\r\nhttps://github.com/h2oai/h2o-3/pull/6826", + "cve": "CVE-2022-40150", + "id": "pyup.io-59334", + 
"more_info_path": "/vulnerabilities/CVE-2022-40150/59334",
 "specs": [
 "<3.42.0.1"
 ],
 "v": "<3.42.0.1"
 },
 {
- "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2023-1436.\r\nhttps://github.com/h2oai/h2o-3/pull/6826",
- "cve": "CVE-2023-1436",
- "id": "pyup.io-59331",
- "more_info_path": "/vulnerabilities/CVE-2023-1436/59331",
+ "advisory": "H2o 3.42.0.1 updates its dependency 'jettison' to '1.5.4' to fix CVE-2022-45685.\r\nhttps://github.com/h2oai/h2o-3/pull/6826",
+ "cve": "CVE-2022-45685",
+ "id": "pyup.io-59333",
+ "more_info_path": "/vulnerabilities/CVE-2022-45685/59333",
 "specs": [
 "<3.42.0.1"
 ],
@@ -51223,6 +51683,17 @@
 "<=7.0.0"
 ],
 "v": "<=5.0.3,>=6.0.0,<=6.1.0,<=7.0.0"
+ },
+ {
+ "advisory": "The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.",
+ "cve": "CVE-2015-5295",
+ "id": "pyup.io-70778",
+ "more_info_path": "/vulnerabilities/CVE-2015-5295/70778",
+ "specs": [
+ ">2010,<2015.1.3",
+ "<5.0.1"
+ ],
+ "v": ">2010,<2015.1.3,<5.0.1"
 }
 ],
 "heedy": [
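Review bot: The new CVE-2015-5295 record for heat encodes "5.0.x before 5.0.1" as the unbounded spec `<5.0.1`, and pairs it with `>2010,<2015.1.3`, a lower bound the advisory text never mentions. The ironic record added later in this same patch writes its equivalent Mitaka range as `>=5,<5.1.2`, so for consistency and precision the second spec here should be `">=5.0.0,<5.0.1"`. Note also that the flattened `v` value `>2010,<2015.1.3,<5.0.1` reads as a single conjunction that no version can satisfy; that is how this file already joins alternative ranges, but any consumer that parses `v` instead of `specs` will get an empty match for this entry.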
@@ -51674,20 +52145,20 @@ "v": "<2023.8.1" }, { - "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for an Insufficient Verification of Data Authenticity vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", - "cve": "CVE-2023-2975", - "id": "pyup.io-60230", - "more_info_path": "/vulnerabilities/CVE-2023-2975/60230", + "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", + "cve": "CVE-2023-3817", + "id": "pyup.io-60215", + "more_info_path": "/vulnerabilities/CVE-2023-3817/60215", "specs": [ "<2023.8.1" ], "v": "<2023.8.1" }, { - "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", - "cve": "CVE-2023-3817", - "id": "pyup.io-60215", - "more_info_path": "/vulnerabilities/CVE-2023-3817/60215", + "advisory": "Homeassistant 2023.8.1 updates its dependency 'cryptography' to version '41.0.3' to include a fix for an Insufficient Verification of Data Authenticity vulnerability.\r\nhttps://github.com/home-assistant/core/pull/97611", + "cve": "CVE-2023-2975", + "id": "pyup.io-60230", + "more_info_path": "/vulnerabilities/CVE-2023-2975/60230", "specs": [ "<2023.8.1" ], 
@@ -51704,10 +52175,10 @@ "v": "<2023.9.0" }, { - "advisory": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", - "cve": "CVE-2023-41894", - "id": "pyup.io-70403", - "more_info_path": "/vulnerabilities/CVE-2023-41894/70403", + "advisory": "Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-41897", + "id": "pyup.io-70401", + "more_info_path": "/vulnerabilities/CVE-2023-41897/70401", "specs": [ "<2023.9.0" ], 
@@ -51724,10 +52195,10 @@ "v": "<2023.9.0" }, { - "advisory": "Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", - "cve": "CVE-2023-41897", - "id": "pyup.io-70401", - "more_info_path": "/vulnerabilities/CVE-2023-41897/70401", + "advisory": "Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", + "cve": "CVE-2023-41894", + "id": "pyup.io-70403", + "more_info_path": "/vulnerabilities/CVE-2023-41894/70403", "specs": [ "<2023.9.0" ], 
@@ -51796,20 +52267,20 @@ ], "honeybee-display": [ { - "advisory": "Honeybee-display 0.2.14 updates its dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-52860", - "more_info_path": "/vulnerabilities/CVE-2022-40898/52860", + "advisory": "Honeybee-display 0.2.14 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-52876", + "more_info_path": "/vulnerabilities/CVE-2022-40897/52876", "specs": [ "<0.2.14" ], "v": "<0.2.14" }, { - "advisory": "Honeybee-display 0.2.14 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-52876", - "more_info_path": "/vulnerabilities/CVE-2022-40897/52876", + "advisory": "Honeybee-display 0.2.14 updates its dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-52860", + "more_info_path": "/vulnerabilities/CVE-2022-40898/52860", "specs": [ "<0.2.14" ], 
@@ -51818,20 +52289,20 @@ ], "honeybee-radiance": [ { - "advisory": "Honeybee-radiance 1.64.132 updates its dev dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-52981", - "more_info_path": "/vulnerabilities/CVE-2022-40898/52981", + "advisory": "Honeybee-radiance 1.64.132 updates its dev dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-52982", + "more_info_path": "/vulnerabilities/CVE-2022-40897/52982", "specs": [ "<1.64.132" ], "v": "<1.64.132" }, { - "advisory": "Honeybee-radiance 1.64.132 updates its dev dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-52982", - "more_info_path": "/vulnerabilities/CVE-2022-40897/52982", + "advisory": "Honeybee-radiance 1.64.132 updates its dev dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-52981", + "more_info_path": "/vulnerabilities/CVE-2022-40898/52981", "specs": [ "<1.64.132" ], 
@@ -52062,6 +52533,30 @@ ], "v": "<=22.2.0" }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.", + "cve": "CVE-2014-3473", + "id": "pyup.io-70774", + "more_info_path": "/vulnerabilities/CVE-2014-3473/70774", + "specs": [ + "==2014.2", + ">=2013.2,<2013.2.4", + ">=2014.1,<2014.1.2" + ], + "v": "==2014.2,>=2013.2,<2013.2.4,>=2014.1,<2014.1.2" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.", + "cve": "CVE-2014-3474", + "id": "pyup.io-70775", + "more_info_path": "/vulnerabilities/CVE-2014-3474/70775", + "specs": [ + "==2014.2", + ">=2013.2,<2013.2.4", + ">=2014.1,<2014.1.2" + ], + "v": "==2014.2,>=2013.2,<2013.2.4,>=2014.1,<2014.1.2" + }, { "advisory": "Horizon 2012.1.1 includes a fix for CVE-2012-5474: The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value.\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5474", "cve": "CVE-2012-5474", 
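Review bot: Both new horizon records (CVE-2014-3473 and CVE-2014-3474) carry the spec `==2014.2`, but their advisory text scopes the Juno branch as "Juno before Juno-2"; if Juno is 2014.2, as the spec assumes, the final 2014.2 release postdates that milestone and ships the fix, so `==2014.2` flags a fixed version while the affected pre-release builds are not matched at all. I would drop `==2014.2` from both `specs` arrays (leaving `>=2013.2,<2013.2.4` and `>=2014.1,<2014.1.2`) or replace it with an explicit pre-release range once the milestone numbering is confirmed. The flattened `v` strings repeat the same value and need the same correction.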
@@ -52207,6 +52702,17 @@ ], "v": ">=2013.2.0,<2013.2.4" }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.", + "cve": "CVE-2016-4428", + "id": "pyup.io-70766", + "more_info_path": "/vulnerabilities/CVE-2016-4428/70766", + "specs": [ + ">=9.0.0,<=9.0.1", + ">=8.0.0,<=8.0.1" + ], + "v": ">=9.0.0,<=9.0.1,>=8.0.0,<=8.0.1" + }, { "advisory": "OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.", "cve": "CVE-2017-7400", @@ -54730,6 +55236,18 @@ "v": "<1.4" } ], + "hspf-reader": [ + { + "advisory": "Hspf-reader 1.1.0 updates its indirect dependency 'pillow' to versions '>=10.2.0' to include a security fix.", + "cve": "CVE-2023-50447", + "id": "pyup.io-71257", + "more_info_path": "/vulnerabilities/CVE-2023-50447/71257", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], "htbulma": [ { "advisory": "Htbulma 0.1.1 limits 'FileSelect' to the path to avoid directory transversal attacks.", @@ -55954,10 +56472,10 @@ "v": "<1.0.1" }, { - "advisory": "In-toto 2.0.0 fixes a security issue: Functionaries Do Not Perform Verification.\r\nhttps://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x", - "cve": "PVE-2023-58647", - "id": "pyup.io-58647", - "more_info_path": "/vulnerabilities/PVE-2023-58647/58647", + "advisory": "In-toto 2.0.0 fixes a security issue: Configuration Read From Local Directory.\r\nhttps://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf", + "cve": "CVE-2023-32076", + "id": "pyup.io-58654", + "more_info_path": "/vulnerabilities/CVE-2023-32076/58654", "specs": [ "<2.0.0" ], 
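Review bot: The new CVE-2016-4428 record says "8.0.1 and earlier" but its spec `>=8.0.0,<=8.0.1` starts at 8.0.0, so anything older — 8.0.0 pre-releases in particular — is not matched. Older horizon releases used year-based numbers such as `2013.2` and `2014.1` (visible in the other horizon entries in this file), which sort above 8.x under PEP 440 and so cannot be reached by any `<=8.0.1` bound either; the faithful translation of the text is therefore simply `"<=8.0.1"`, with the year-based series left out knowingly. I would change the spec to `"<=8.0.1"` and mirror it in `v`, leaving the 9.x range as it is.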
@@ -55974,10 +56492,10 @@ "v": "<2.0.0" }, { - "advisory": "In-toto 2.0.0 fixes a security issue: Configuration Read From Local Directory.\r\nhttps://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf", - "cve": "CVE-2023-32076", - "id": "pyup.io-58654", - "more_info_path": "/vulnerabilities/CVE-2023-32076/58654", + "advisory": "In-toto 2.0.0 fixes a security issue: Functionaries Do Not Perform Verification.\r\nhttps://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x", + "cve": "PVE-2023-58647", + "id": "pyup.io-58647", + "more_info_path": "/vulnerabilities/PVE-2023-58647/58647", "specs": [ "<2.0.0" ], @@ -68967,6 +69485,16 @@ } ], "invokeai": [ + { + "advisory": "Invokeai 2.0.2 updates its dependency, transformers, from version 4.19.2 to 4.21.3. This update was prompted by a vulnerability identified as CVE-2023-6730.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e", + "cve": "CVE-2023-6730", + "id": "pyup.io-63304", + "more_info_path": "/vulnerabilities/CVE-2023-6730/63304", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, { "advisory": "Invokeai 2.0.2 updates its dependency, protobuf, from version 3.19.4 to 3.19.6. This update was prompted by a vulnerability identified as CVE-2022-1941.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e", "cve": "CVE-2022-1941", @@ -68986,16 +69514,6 @@ "<2.0.2" ], "v": "<2.0.2" - }, - { - "advisory": "Invokeai 2.0.2 updates its dependency, transformers, from version 4.19.2 to 4.21.3. This update was prompted by a vulnerability identified as CVE-2023-6730.\r\nhttps://github.com/invoke-ai/InvokeAI/commit/90d37eac034592cc3aed5a15a98971801b21988e", - "cve": "CVE-2023-6730", - "id": "pyup.io-63304", - "more_info_path": "/vulnerabilities/CVE-2023-6730/63304", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" } ], "iotedgehubdev": [ 
@@ -69083,6 +69601,16 @@ ], "v": "<=3.0.0" }, + { + "advisory": "The get_user_grouplist function in the extdom plug-in in FreeIPA before 4.1.4 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (crash) via a group list request for a user that belongs to a large number of groups.", + "cve": "CVE-2015-1827", + "id": "pyup.io-70762", + "more_info_path": "/vulnerabilities/CVE-2015-1827/70762", + "specs": [ + "<=4.1.3" + ], + "v": "<=4.1.3" + }, { "advisory": "FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services.", "cve": "CVE-2016-5414", @@ -69207,6 +69735,28 @@ "v": ">0,<0" } ], + "ipex-llm": [ + { + "advisory": "Ipex-llm version 2.3.0 includes updates from BigDL version 2.3.0, which provide functional and security improvements. Notably, BigDL 2.3.0 addresses a SQL injection vulnerability in python/benchmark/run.py.", + "cve": "PVE-2023-55136", + "id": "pyup.io-71117", + "more_info_path": "/vulnerabilities/PVE-2023-55136/71117", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + }, + { + "advisory": "Ipex-llm version 2.4.0 includes updates from BigDL version 2.4.0, which provide both functional improvements and security enhancements. Notably, BigDL 2.4.0 addresses a command injection vulnerability, ensuring better security for users.", + "cve": "PVE-2023-62298", + "id": "pyup.io-71116", + "more_info_path": "/vulnerabilities/PVE-2023-62298/71116", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], "ipp": [ { "advisory": "Ipp 2019.1 fixes a potential security problem in the AES-CTR cipher functions.", 
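Review bot: The two new ipex-llm records assert that BigDL 2.3.0 fixed a SQL injection in `python/benchmark/run.py` and that 2.4.0 fixed a command injection, yet unlike almost every other vendored-fix entry in this patch they cite no commit, pull request or advisory URL. Their `cve` values `PVE-2023-55136` and `PVE-2023-62298` also do not match the records' own ids (`pyup.io-71117`, `pyup.io-71116`), whereas every other PVE entry in this diff uses the same number in both fields, which suggests the identifiers were carried over from the BigDL records. Without a reference a consumer cannot confirm that ipex-llm 2.3.0 and 2.4.0 actually ship the fixed BigDL code rather than merely sharing a version number; I would append the BigDL commit or advisory link to each `advisory` string in the `\r\nhttps://...` form the other entries use.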
@@ -69292,16 +69842,6 @@ ], "v": "<1.0.1" }, - { - "advisory": "** DISPUTED ** The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default.", - "cve": "CVE-2015-5215", - "id": "pyup.io-70464", - "more_info_path": "/vulnerabilities/CVE-2015-5215/70464", - "specs": [ - "<1.0.1" - ], - "v": "<1.0.1" - }, { "advisory": "providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider (SP).", "cve": "CVE-2015-5301", 
@@ -69477,20 +70017,20 @@ "v": "<3.2.1" }, { - "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.", - "cve": "CVE-2015-7337", - "id": "pyup.io-33133", - "more_info_path": "/vulnerabilities/CVE-2015-7337/33133", + "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.", + "cve": "CVE-2015-6938", + "id": "pyup.io-33132", + "more_info_path": "/vulnerabilities/CVE-2015-6938/33132", "specs": [ "<3.2.2" ], "v": "<3.2.2" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.", - "cve": "CVE-2015-6938", - "id": "pyup.io-33132", - "more_info_path": "/vulnerabilities/CVE-2015-6938/33132", + "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.", + "cve": "CVE-2015-7337", + "id": "pyup.io-33133", + "more_info_path": "/vulnerabilities/CVE-2015-7337/33133", "specs": [ "<3.2.2" ], 
@@ -69970,6 +70510,17 @@ "<4.2.2" ], "v": "<4.2.2" + }, + { + "advisory": "The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.", + "cve": "CVE-2016-4985", + "id": "pyup.io-70767", + "more_info_path": "/vulnerabilities/CVE-2016-4985/70767", + "specs": [ + "<4.2.5", + ">=5,<5.1.2" + ], + "v": "<4.2.5,>=5,<5.1.2" } ], "ironic-discoverd": [ @@ -70282,6 +70833,16 @@ } ], "jefferson": [ + { + "advisory": "A vulnerability has been found in sviehb jefferson up to 0.3 and classified as critical. This vulnerability affects unknown code of the file src/scripts/jefferson. The manipulation leads to path traversal. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.4 is able to address this issue. The name of the patch is 53b3f2fc34af0bb32afbcee29d18213e61471d87. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218020.", + "cve": "CVE-2022-4885", + "id": "pyup.io-70776", + "more_info_path": "/vulnerabilities/CVE-2022-4885/70776", + "specs": [ + "<0.4" + ], + "v": "<0.4" + }, { "advisory": "A path traversal vulnerability affects jefferson's JFFS2 filesystem extractor. By crafting malicious JFFS2 files, attackers could force jefferson to write outside of the extraction directory. This issue affects jefferson before 0.4.1.\r\nhttps://github.com/sviehb/jefferson/commit/971aca1a8b3b9f4fcb4674fa9621d3349195cdc6", "cve": "CVE-2023-0592", 
@@ -71565,14 +72126,14 @@
 "v": "<3.1.3"
 },
 {
- "advisory": "** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.",
+ "advisory": "In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. \r\nNOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.",
 "cve": "CVE-2019-8341",
 "id": "pyup.io-70612",
 "more_info_path": "/vulnerabilities/CVE-2019-8341/70612",
 "specs": [
- "<=2.10"
+ ">=0"
 ],
- "v": "<=2.10"
+ "v": ">=0"
 },
 {
 "advisory": "Jinja2 2.10.1 adds 'SandboxedEnvironment' to handle 'str.format_map' in order to prevent code execution through untrusted format strings.\r\nhttps://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26",
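Review bot: The spec for CVE-2019-8341 widens from `<=2.10` to `>=0`, which marks every Jinja2 release ever published, and every future one, as affected, while the retained NOTE still says the maintainer and third parties consider the issue invalid. A scanner reading this record will report a finding on every Jinja2 install that no upgrade can clear, and the rewrite also drops the leading `** DISPUTED **` marker that consumers filtering disputed CVEs key on. If the intent is to record "disputed, no fix exists", keep the marker in the text, e.g. `"advisory": "** DISPUTED ** In Jinja2, the from_string function ..."`, and make sure consumers treat `>=0` differently from a genuinely unpatched range rather than as a blocking vulnerability.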
@@ -71805,20 +72366,20 @@ "v": "<1.1.1" }, { - "advisory": "Joblib 1.2.0 includes a fix for CVE-2022-21797: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128", - "cve": "CVE-2022-21797", - "id": "pyup.io-51242", - "more_info_path": "/vulnerabilities/CVE-2022-21797/51242", + "advisory": "Joblib 1.2.0 fixes a security issue where 'eval(pre_dispatch)' could potentially run arbitrary code. Now only basic numerics are supported.\r\nhttps://github.com/joblib/joblib/pull/1327", + "cve": "PVE-2022-51041", + "id": "pyup.io-51041", + "more_info_path": "/vulnerabilities/PVE-2022-51041/51041", "specs": [ "<1.2.0" ], "v": "<1.2.0" }, { - "advisory": "Joblib 1.2.0 fixes a security issue where 'eval(pre_dispatch)' could potentially run arbitrary code. Now only basic numerics are supported.\r\nhttps://github.com/joblib/joblib/pull/1327", - "cve": "PVE-2022-51041", - "id": "pyup.io-51041", - "more_info_path": "/vulnerabilities/PVE-2022-51041/51041", + "advisory": "Joblib 1.2.0 includes a fix for CVE-2022-21797: The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.\r\nhttps://github.com/joblib/joblib/issues/1128", + "cve": "CVE-2022-21797", + "id": "pyup.io-51242", + "more_info_path": "/vulnerabilities/CVE-2022-21797/51242", "specs": [ "<1.2.0" ], @@ -72069,9 +72630,9 @@ "juntagrico": [ { "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.", - "cve": "CVE-2022-34265", - "id": "pyup.io-51982", - "more_info_path": "/vulnerabilities/CVE-2022-34265/51982", + "cve": "CVE-2022-28347", + "id": "pyup.io-51967", + "more_info_path": "/vulnerabilities/CVE-2022-28347/51967", "specs": [ "<1.5.5" ], 
@@ -72089,9 +72650,9 @@ }, { "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.", - "cve": "CVE-2022-28347", - "id": "pyup.io-51967", - "more_info_path": "/vulnerabilities/CVE-2022-28347/51967", + "cve": "CVE-2022-34265", + "id": "pyup.io-51982", + "more_info_path": "/vulnerabilities/CVE-2022-34265/51982", "specs": [ "<1.5.5" ], @@ -72099,9 +72660,9 @@ }, { "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.", - "cve": "CVE-2022-41323", - "id": "pyup.io-51984", - "more_info_path": "/vulnerabilities/CVE-2022-41323/51984", + "cve": "CVE-2022-28346", + "id": "pyup.io-51981", + "more_info_path": "/vulnerabilities/CVE-2022-28346/51981", "specs": [ "<1.5.5" ], @@ -72109,9 +72670,9 @@ }, { "advisory": "Juntagrico 1.5.5 updates its dependency 'django' requirement to \"~=4.0.8\" to include security fixes.", - "cve": "CVE-2022-28346", - "id": "pyup.io-51981", - "more_info_path": "/vulnerabilities/CVE-2022-28346/51981", + "cve": "CVE-2022-41323", + "id": "pyup.io-51984", + "more_info_path": "/vulnerabilities/CVE-2022-41323/51984", "specs": [ "<1.5.5" ], @@ -72142,6 +72703,18 @@ "v": ">=0,<4.11.2" } ], + "jupyter-cpp-kernel": [ + { + "advisory": "Jupyter-cpp-kernel version 1.0.0a5 has addressed a ReDoS (Regular Expression Denial of Service) vulnerability by fixing an inefficient regular expression issue.", + "cve": "PVE-2024-70956", + "id": "pyup.io-70956", + "more_info_path": "/vulnerabilities/PVE-2024-70956/70956", + "specs": [ + "<1.0.0a5" + ], + "v": "<1.0.0a5" + } + ], "jupyter-enterprise-gateway": [ { "advisory": "Jupyter-enterprise-gateway 0.8.0 enables SSH tunneling by default.\r\nhttps://github.com/jupyter-server/enterprise_gateway/issues/234", 
@@ -72845,9 +73418,9 @@ }, { "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", - "cve": "CVE-2021-32803", - "id": "pyup.io-49039", - "more_info_path": "/vulnerabilities/CVE-2021-32803/49039", + "cve": "CVE-2021-37713", + "id": "pyup.io-49037", + "more_info_path": "/vulnerabilities/CVE-2021-37713/49037", "specs": [ "<1.11.5" ], @@ -72855,9 +73428,9 @@ }, { "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", - "cve": "CVE-2021-37712", - "id": "pyup.io-49036", - "more_info_path": "/vulnerabilities/CVE-2021-37712/49036", + "cve": "CVE-2021-32804", + "id": "pyup.io-49038", + "more_info_path": "/vulnerabilities/CVE-2021-32804/49038", "specs": [ "<1.11.5" ], @@ -72865,9 +73438,9 @@ }, { "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", - "cve": "CVE-2021-37713", - "id": "pyup.io-49037", - "more_info_path": "/vulnerabilities/CVE-2021-37713/49037", + "cve": "CVE-2021-37712", + "id": "pyup.io-49036", + "more_info_path": "/vulnerabilities/CVE-2021-37712/49036", "specs": [ "<1.11.5" ], 
@@ -72875,29 +73448,29 @@ }, { "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", - "cve": "CVE-2021-32804", - "id": "pyup.io-49038", - "more_info_path": "/vulnerabilities/CVE-2021-32804/49038", + "cve": "CVE-2021-32803", + "id": "pyup.io-49039", + "more_info_path": "/vulnerabilities/CVE-2021-32803/49039", "specs": [ "<1.11.5" ], "v": "<1.11.5" }, { - "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", - "cve": "CVE-2021-37701", - "id": "pyup.io-41249", - "more_info_path": "/vulnerabilities/CVE-2021-37701/41249", + "advisory": "Jupytext 1.11.5 updates its NPM dependency 'url-parse' to v1.5.3 to include a security fix.", + "cve": "CVE-2021-3664", + "id": "pyup.io-49040", + "more_info_path": "/vulnerabilities/CVE-2021-3664/49040", "specs": [ "<1.11.5" ], "v": "<1.11.5" }, { - "advisory": "Jupytext 1.11.5 updates its NPM dependency 'url-parse' to v1.5.3 to include a security fix.", - "cve": "CVE-2021-3664", - "id": "pyup.io-49040", - "more_info_path": "/vulnerabilities/CVE-2021-3664/49040", + "advisory": "Jupytext 1.11.5 updates its NPM dependency 'tar' to v6.1.11 to include security fixes.", + "cve": "CVE-2021-37701", + "id": "pyup.io-41249", + "more_info_path": "/vulnerabilities/CVE-2021-37701/41249", "specs": [ "<1.11.5" ], @@ -72914,10 +73487,10 @@ "v": "<1.13.0" }, { - "advisory": "Jupytext 1.13.8 updates its NPM dependency 'nanoid' to v3.3.1 to include a security fix.", - "cve": "CVE-2021-23566", - "id": "pyup.io-47972", - "more_info_path": "/vulnerabilities/CVE-2021-23566/47972", + "advisory": "Jupytext 1.13.8 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", + "cve": "CVE-2022-0691", + "id": "pyup.io-47984", + "more_info_path": "/vulnerabilities/CVE-2022-0691/47984", "specs": [ "<1.13.8" ], 
@@ -72934,10 +73507,10 @@ "v": "<1.13.8" }, { - "advisory": "Jupytext 1.13.8 updates its NPM dependency 'url-parse' to v1.5.10 to include security fixes.", - "cve": "CVE-2022-0691", - "id": "pyup.io-47984", - "more_info_path": "/vulnerabilities/CVE-2022-0691/47984", + "advisory": "Jupytext 1.13.8 updates its NPM dependency 'minimist' to v1.2.6 to include a security fix.", + "cve": "CVE-2021-44906", + "id": "pyup.io-47986", + "more_info_path": "/vulnerabilities/CVE-2021-44906/47986", "specs": [ "<1.13.8" ], @@ -72954,10 +73527,10 @@ "v": "<1.13.8" }, { - "advisory": "Jupytext 1.13.8 updates its NPM dependency 'minimist' to v1.2.6 to include a security fix.", - "cve": "CVE-2021-44906", - "id": "pyup.io-47986", - "more_info_path": "/vulnerabilities/CVE-2021-44906/47986", + "advisory": "Jupytext 1.13.8 updates its NPM dependency 'nanoid' to v3.3.1 to include a security fix.", + "cve": "CVE-2021-23566", + "id": "pyup.io-47972", + "more_info_path": "/vulnerabilities/CVE-2021-23566/47972", "specs": [ "<1.13.8" ], @@ -73445,6 +74018,16 @@ } ], "keras": [ + { + "advisory": "A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application. See CVE-2024-3660.", + "cve": "CVE-2024-3660", + "id": "pyup.io-70717", + "more_info_path": "/vulnerabilities/CVE-2024-3660/70717", + "specs": [ + "<2.13" + ], + "v": "<2.13" + }, { "advisory": "Keras 2.6.0rc3 fixes a security issue for loading keras models via yaml, which could allow arbitrary code execution. See CVE-2021-37678.\r\nhttps://github.com/keras-team/keras/commit/32febb6cdebe166fc70ad72f2da37607c13bb11a", "cve": "CVE-2021-37678", 
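Review bot: The new CVE-2024-3660 entry for keras reproduces the upstream description with its grammar errors ("A arbitrary code injection", "a model that allow arbitrary code") and never says how the attacker's code reaches the victim, which is the one thing a triager needs from the text. If the upstream advisory matches what the sentence hints at, name the vector, e.g. `"advisory": "Keras before 2.13 allows arbitrary code execution when an application loads an attacker-supplied model: code embedded in the model runs with the application's own permissions. See CVE-2024-3660."`. The entry also carries no reference URL, unlike the neighbouring CVE-2021-37678 entry with its fix commit, so there is nothing to verify the `<2.13` bound against.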
@@ -74304,16 +74887,6 @@ ], "v": "<5.2.1" }, - { - "advisory": "Khoros 5.2.1 updates its dependency 'pytest' to v7.2.0 to include a security fix.", - "cve": "CVE-2022-42969", - "id": "pyup.io-52622", - "more_info_path": "/vulnerabilities/CVE-2022-42969/52622", - "specs": [ - "<5.2.1" - ], - "v": "<5.2.1" - }, { "advisory": "Khoros 5.2.2 updates its dependency 'requests' to v2.31.0 to include a security fix.", "cve": "CVE-2023-32681", 
@@ -75230,6 +75803,48 @@ "v": "<5.2.1" } ], + "konoha": [ + { + "advisory": "Konoha version 5.5.6 upgrades its idna dependency from 3.6 to 3.7 due to the security issue identified in CVE-2024-3651.", + "cve": "CVE-2024-3651", + "id": "pyup.io-71010", + "more_info_path": "/vulnerabilities/CVE-2024-3651/71010", + "specs": [ + "<5.5.6" + ], + "v": "<5.5.6" + }, + { + "advisory": "Konoha version 5.5.6 updates its Jinja2 dependency from 3.1.3 to 3.1.4 due to CVE-2024-34064.", + "cve": "CVE-2024-34064", + "id": "pyup.io-71009", + "more_info_path": "/vulnerabilities/CVE-2024-34064/71009", + "specs": [ + "<5.5.6" + ], + "v": "<5.5.6" + }, + { + "advisory": "Konoha version 5.5.6a0 upgrades the idna library from version 3.6 to 3.7 to address the vulnerability identified in CVE-2024-3651.", + "cve": "CVE-2024-3651", + "id": "pyup.io-70971", + "more_info_path": "/vulnerabilities/CVE-2024-3651/70971", + "specs": [ + "<5.5.6a0" + ], + "v": "<5.5.6a0" + }, + { + "advisory": "Konoha version 5.5.6a0 updates its Jinja2 dependency from 3.1.3 to 3.1.4 in response to CVE-2024-34064.", + "cve": "CVE-2024-34064", + "id": "pyup.io-70969", + "more_info_path": "/vulnerabilities/CVE-2024-34064/70969", + "specs": [ + "<5.5.6a0" + ], + "v": "<5.5.6a0" + } + ], "kotti": [ { "advisory": "Kotti 1.3.2 and 2.0.0b2 include a fix for CVE-2018-9856: Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request.\r\nhttps://github.com/advisories/GHSA-3hq4-f2v6-q338", 
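Review bot: The four new konoha entries contradict each other about which releases are vulnerable: the `<5.5.6a0` entries say the idna 3.7 and Jinja2 3.1.4 bumps already shipped in the 5.5.6a0 pre-release, yet the `<5.5.6` entries (pyup.io-71010, pyup.io-71009) also match 5.5.6a0, since PEP 440 orders 5.5.6a0 below 5.5.6. A consumer on 5.5.6a0 is therefore told it is affected by CVE-2024-3651 and CVE-2024-34064 although, by the database's own account, it is not, and everyone below 5.5.6a0 gets each CVE reported twice. If the pre-release really carried the fix, either drop the two `<5.5.6` entries or change their specs to `"<5.5.6a0"` so each CVE is listed once against the earliest fixed version.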
@@ -75690,6 +76305,16 @@ ], "v": "<1.11.0" }, + { + "advisory": "Label-studio version 1.12.1 addresses a security issue involving incomplete URL substring sanitization. This fix simplifies the generation of SVG data URLs, ensuring proper sanitization and enhancing security against potential vulnerabilities.", + "cve": "PVE-2024-71100", + "id": "pyup.io-71100", + "more_info_path": "/vulnerabilities/PVE-2024-71100/71100", + "specs": [ + "<1.12.1" + ], + "v": "<1.12.1" + }, { "advisory": "Label-studio 1.5.0 includes a fix from OWASP security check.\r\nhttps://github.com/HumanSignal/label-studio/commit/ed0cc5f2621406dda47c1ead0f31a50abc63c17d", "cve": "PVE-2024-64714", 
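Review bot: The new PVE-2024-71100 entry for label-studio does not identify which user-controlled value was subject to the "incomplete URL substring sanitization" or where the generated SVG data URLs are rendered, so a reader cannot tell whether this is an XSS-class exposure or something else. It also carries no commit or PR reference, whereas the 1.5.0 entry right below it links the fixing commit; if the upstream change is known, append its URL after the text the same way. The closing clause "enhancing security against potential vulnerabilities" adds nothing and can be dropped.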
@@ -75720,16 +76345,6 @@ ], "v": "<1.8.2" }, - { - "advisory": "Label-studio 1.9.2.post0 includes a fix for CVE-2023-47117: In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes.\r\nhttps://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw", - "cve": "CVE-2023-47117", - "id": "pyup.io-62286", - "more_info_path": "/vulnerabilities/CVE-2023-47117/62286", - "specs": [ - "<1.9.2.post0" - ], - "v": "<1.9.2.post0" - }, { "advisory": "The vulnerability identified in Label Studio, a popular open-source data labeling tool, allows an XSS attack through avatar upload. It affects versions prior to 1.9.2, where an authenticated user can upload a crafted image file that gets rendered as an HTML file on the website. This vulnerability could allow an attacker to execute arbitrary JavaScript, potentially leading to malicious actions on Label Studio users who visit the crafted avatar image.\r\nhttps://github.com/HumanSignal/label-studio/security/advisories/GHSA-q68h-xwq5-mm7x", "cve": "CVE-2023-47115", 
@@ -75750,6 +76365,17 @@ ], "v": "<=1.7.1" }, + { + "advisory": "Label-studio 1.9.2.post0 includes a fix for CVE-2023-47117: In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes.\r\nhttps://github.com/HumanSignal/label-studio/security/advisories/GHSA-6hjj-gq77-j4qw", + "cve": "CVE-2023-47117", + "id": "pyup.io-62286", + "more_info_path": "/vulnerabilities/CVE-2023-47117/62286", + "specs": [ + "==1.9.2", + "<=1.9.2" + ], + "v": "==1.9.2,<=1.9.2" + }, { "advisory": "Label Studio before 0.9.1 is susceptible to an arbitrary code execution vulnerability. This issue arises from YAML deserialization attacks facilitated by unsafe loading practices.", "cve": "PVE-2024-99780", 
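Review bot: The new specs for CVE-2023-47117 on label-studio, `"==1.9.2"` together with `"<=1.9.2"`, are redundant (`==1.9.2` is contained in `<=1.9.2`), and the joined `"v": "==1.9.2,<=1.9.2"` reads, under PEP 440 specifier-set semantics where the comma means AND, as "exactly 1.9.2" — any consumer that parses `v` as a single specifier set would stop flagging every release below 1.9.2. The advisory text itself says all versions prior to 1.9.2.post0 are affected, which `<=1.9.2` alone already expresses, since 1.9.2.post0 sorts above 1.9.2. Suggest `"specs": ["<=1.9.2"]` and `"v": "<=1.9.2"`, which also keeps the entry in the single-spec form used everywhere else in this file.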
@@ -75883,6 +76509,28 @@ "v": "<0.0.45" } ], + "labelme2datasets": [ + { + "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency from setuptools at least version 58.0.4 to at least version 69.5.1. This update was made in response to the security vulnerability identified in CVE-2022-40897.", + "cve": "CVE-2022-40897", + "id": "pyup.io-70977", + "more_info_path": "/vulnerabilities/CVE-2022-40897/70977", + "specs": [ + "<0.0.3" + ], + "v": "<0.0.3" + }, + { + "advisory": "Labelme2datasets version 0.0.3 has upgraded its dependency scikit-learn from at least version 0.24.2 to at least version 1.4.2. This update was made in response to the security vulnerability identified in CVE-2020-28975.", + "cve": "CVE-2020-28975", + "id": "pyup.io-70963", + "more_info_path": "/vulnerabilities/CVE-2020-28975/70963", + "specs": [ + "<0.0.3" + ], + "v": "<0.0.3" + } + ], "labgrid": [ { "advisory": "Labgrid 23.0.2 fixes a race condition that previously occurred in the handling of USBSDMuxDevice/USBSDWireDevice paths. This issue arose particularly during USB resets or fast replugging events. It potentially led to the incorrect assignment of control and disk paths for the USBSDMuxDevice and USBSDWireDevice, impacting their accurate and reliable operation.\r\nhttps://github.com/labgrid-project/labgrid/compare/v23.0.1...v23.0.2#diff-bc256bde0e401738303653d85da6e6a1a1a937880d1eb6f9c423a9970eb349d2", 
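Review bot: The phrasing "upgraded its dependency from setuptools at least version 58.0.4 to at least version 69.5.1" in the new labelme2datasets entries is hard to parse; what changed is the minimum pin. Suggest `"Labelme2datasets 0.0.3 raises its minimum setuptools version from 58.0.4 to 69.5.1, past the 65.5.1 release that fixed CVE-2022-40897."` and likewise `"raises its minimum scikit-learn version from 0.24.2 to 1.4.2"` for the CVE-2020-28975 entry. Naming the release that actually fixed the CVE (65.5.1 is what the ladybug-comfort entry for the same CVE cites) lets a reader judge whether the bump was a security fix or merely coincident with one.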
@@ -76071,20 +76719,20 @@ ], "ladybug-comfort": [ { - "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-52844", - "more_info_path": "/vulnerabilities/CVE-2022-40897/52844", + "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-52877", + "more_info_path": "/vulnerabilities/CVE-2022-40898/52877", "specs": [ "<0.16.18" ], "v": "<0.16.18" }, { - "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-52877", - "more_info_path": "/vulnerabilities/CVE-2022-40898/52877", + "advisory": "Ladybug-comfort 0.16.18 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-52844", + "more_info_path": "/vulnerabilities/CVE-2022-40897/52844", "specs": [ "<0.16.18" ], 
@@ -76195,20 +76843,20 @@ "v": "<0.0.236" }, { - "advisory": "Langchain 0.0.236 includes a fix for an Arbitrary Code Execution vulnerability. In affected versions, the vulnerability allows an attacker to execute arbitrary code via the Python exec calls in the PALChain.\r\nhttps://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", - "cve": "CVE-2023-36095", - "id": "pyup.io-60218", - "more_info_path": "/vulnerabilities/CVE-2023-36095/60218", + "advisory": "Langchain 0.0.236 includes a fix for CVE-2023-36258: Versions before 0.0.236 allow an attacker to execute arbitrary code via the PALChain in the python exec method.\r\nhttps://github.com/langchain-ai/langchain/issues/5872\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", + "cve": "CVE-2023-36258", + "id": "pyup.io-59294", + "more_info_path": "/vulnerabilities/CVE-2023-36258/59294", "specs": [ "<0.0.236" ], "v": "<0.0.236" }, { - "advisory": "Langchain 0.0.236 includes a fix for CVE-2023-36258: Versions before 0.0.236 allow an attacker to execute arbitrary code via the PALChain in the python exec method.\r\nhttps://github.com/langchain-ai/langchain/issues/5872\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", - "cve": "CVE-2023-36258", - "id": "pyup.io-59294", - "more_info_path": "/vulnerabilities/CVE-2023-36258/59294", + "advisory": "Langchain 0.0.236 includes a fix for an Arbitrary Code Execution vulnerability. 
In affected versions, the vulnerability allows an attacker to execute arbitrary code via the Python exec calls in the PALChain.\r\nhttps://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137\r\nhttps://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", + "cve": "CVE-2023-36095", + "id": "pyup.io-60218", + "more_info_path": "/vulnerabilities/CVE-2023-36095/60218", "specs": [ "<0.0.236" ], @@ -76304,6 +76952,16 @@ ], "v": "<0.1.12" }, + { + "advisory": "Langchain version 0.1.14 addresses CVE-2024-21503, updating the \"black\" python linter from version 24.2.0 to 24.3.0. This update remedies a Regex-related denial of service vulnerability present in the earlier version.", + "cve": "CVE-2024-21503", + "id": "pyup.io-70875", + "more_info_path": "/vulnerabilities/CVE-2024-21503/70875", + "specs": [ + "<0.1.14" + ], + "v": "<0.1.14" + }, { "advisory": "langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py. See CVE-2024-27444.", "cve": "CVE-2024-27444", 
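Review bot: The new CVE-2024-21503 entry for langchain calls black "the python linter", but black is a code formatter — the lnbits entry for the same CVE later in this patch says "code formatter", so the two disagree; suggest `"Langchain 0.1.14 updates its dependency 'black' (a code formatter) from 24.2.0 to 24.3.0 to pick up the fix for CVE-2024-21503, a regular-expression denial of service."`. More importantly, black is normally a development-time tool; if langchain lists it only in a dev or lint dependency group, an application that installs langchain never receives black and this entry is a false positive for every consumer below 0.1.14. This same patch removes a comparable dev-tool entry elsewhere (Khoros/pytest, CVE-2022-42969), so it is worth confirming that black is a runtime requirement of langchain before this entry ships.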
@@ -76367,10 +77025,10 @@ ], "langchain-experimental": [ { - "advisory": "langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.", - "cve": "CVE-2023-45920", + "advisory": "** DISPUTED ** langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.", + "cve": "CVE-2024-27444", "id": "pyup.io-68479", - "more_info_path": "/vulnerabilities/CVE-2023-45920/68479", + "more_info_path": "/vulnerabilities/CVE-2024-27444/68479", "specs": [ "<0.0.52" ], @@ -76387,6 +77045,18 @@ "v": "<=0.0.29" } ], + "langflow": [ + { + "advisory": "Langflow 1.0.0a37 removes the unsecure and unused `/custom_component/reload` endpoint. This endpoint previously read the directory in the file system without validating the input parameter, posing a potential security risk. Since it is not used by the frontend, the decision was made to eliminate it entirely rather than implement path validation. This removal enhances the security of the application by eliminating an unnecessary vulnerability.", + "cve": "PVE-2024-71218", + "id": "pyup.io-71218", + "more_info_path": "/vulnerabilities/PVE-2024-71218/71218", + "specs": [ + "<1.0.0a37" + ], + "v": "<1.0.0a37" + } + ], "langfuse": [ { "advisory": "Langfuse version 2.1.0 updates its nodemailer dependency to 6.9.9 from 6.9.8, prompted by security considerations.\r\nhttps://github.com/langfuse/langfuse/pull/1027", 
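Review bot: The retagged langchain-experimental entry now quotes the CVE-2024-27444 text, which talks about "LangChain before 0.1.8", while its spec stays at `"<0.0.52"` — the text and the spec name different version lines and nothing in the entry connects them. If 0.0.52 is the langchain-experimental release that closed the bypass, say so, e.g. append `" Fixed in langchain-experimental 0.0.52."`; if it is not, the spec is the part that is wrong. The bare `** DISPUTED **` prefix is also left unexplained; a consumer deciding whether to act needs at least one sentence on what is disputed or a pointer to the vendor statement, and since the same CVE-2024-27444 text now also sits under `langchain`, whichever wording is chosen should be applied to both entries.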
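Review bot: In the new langflow entry "unsecure" should be "insecure", and the final sentence ("This removal enhances the security of the application by eliminating an unnecessary vulnerability") restates the previous one and can go. What the text describes — a reload endpoint that reads a filesystem directory named by an unvalidated request parameter — sounds like an arbitrary-directory-read / path-traversal issue; if that matches the upstream fix, naming it as such in the first sentence helps tooling that classifies by weakness. The entry also has no PR or commit reference while the neighbouring langfuse entry does; adding the fixing PR URL after the text would let readers confirm the `<1.0.0a37` bound.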
@@ -76626,6 +77296,16 @@ ], "v": "<2.2.3" }, + { + "advisory": "Lazuli 2.2.3 updates its dependency 'mkdocs' to v1.3.1 to include a security fix.", + "cve": "CVE-2021-40978", + "id": "pyup.io-50476", + "more_info_path": "/vulnerabilities/CVE-2021-40978/50476", + "specs": [ + "<2.2.3" + ], + "v": "<2.2.3" + }, { "advisory": "Lazuli 2.2.3 updates its dependency 'pygments' to v2.12.0 to include a security fix.", "cve": "CVE-2021-27291", @@ -76675,16 +77355,6 @@ "<2.2.3" ], "v": "<2.2.3" - }, - { - "advisory": "Lazuli 2.2.3 updates its dependency 'mkdocs' to v1.3.1 to include a security fix.", - "cve": "CVE-2021-40978", - "id": "pyup.io-50476", - "more_info_path": "/vulnerabilities/CVE-2021-40978/50476", - "specs": [ - "<2.2.3" - ], - "v": "<2.2.3" } ], "lbt-dragonfly": [ @@ -76879,6 +77549,16 @@ ], "v": "<1.2.0" }, + { + "advisory": "Lemur 1.3.2 includes a security fix for an insecure random generation vulnerability.\r\nhttps://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm", + "cve": "PVE-2023-53505", + "id": "pyup.io-53505", + "more_info_path": "/vulnerabilities/PVE-2023-53505/53505", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, { "advisory": "Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.", "cve": "CVE-2023-30797", 
@@ -76890,14 +77570,14 @@ "v": "<1.3.2" }, { - "advisory": "Lemur 1.3.2 includes a security fix for an insecure random generation vulnerability.\r\nhttps://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm", - "cve": "PVE-2023-53505", - "id": "pyup.io-53505", - "more_info_path": "/vulnerabilities/PVE-2023-53505/53505", + "advisory": "Lemur version 1.7.0 addresses a Denial of Service (DoS) security issue affecting Windows environments. This vulnerability involved the `name` parameter of the certificate POST endpoint.\r\n# This vulnerability only impacts Windows users.", + "cve": "PVE-2024-71065", + "id": "pyup.io-71065", + "more_info_path": "/vulnerabilities/PVE-2024-71065/71065", "specs": [ - "<1.3.2" + "<1.7.0" ], - "v": "<1.3.2" + "v": "<1.7.0" } ], "leo": [ @@ -76957,16 +77637,6 @@ ], "v": "<2.1.4" }, - { - "advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.", - "cve": "CVE-2021-28678", - "id": "pyup.io-42049", - "more_info_path": "/vulnerabilities/CVE-2021-28678/42049", - "specs": [ - "<2.1.4" - ], - "v": "<2.1.4" - }, { "advisory": "Lg-rez 2.1.4 updates its dependency 'rsa' to v4.7 to include a security fix.", "cve": "CVE-2020-25658", @@ -76986,6 +77656,16 @@ "<2.1.4" ], "v": "<2.1.4" + }, + { + "advisory": "Lg-rez version 2.1.4 updates its dependency 'pillow' to v8.2.0 to include security fixes.", + "cve": "CVE-2021-28678", + "id": "pyup.io-42049", + "more_info_path": "/vulnerabilities/CVE-2021-28678/42049", + "specs": [ + "<2.1.4" + ], + "v": "<2.1.4" } ], "libarchive-c": [ 
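Review bot: The new PVE-2024-71065 entry for lemur ends its advisory string with `\r\n# This vulnerability only impacts Windows users.` — the `# ` looks like a Markdown heading marker carried over from release notes and will render as a heading or a literal hash in any consumer that prints the text; suggest plain `\r\nNOTE: only Windows deployments are affected.`. The entry also gives no reference, whereas the PVE-2023-53505 entry moved just above it carries a GHSA link; without one there is no way to check the `<1.7.0` bound or to learn what about the certificate POST `name` parameter caused the denial of service.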
@@ -77186,7 +77866,7 @@ "v": "<1.1.105" }, { - "advisory": "Libtaxii 1.1.118 includes a fix for CVE-2020-27197:TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. \r\nNOTE: the vendor points out that the parse method \"wraps the lxml library\" and that this may be an issue to \"raise ... to the lxml group.\"\r\nhttps://github.com/TAXIIProject/libtaxii/pull/247/commits/e8918f07ef86f6a5ea9778fcd443784f4b13277e", + "advisory": "Libtaxii 1.1.118 includes a fix for CVE-2020-27197:TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. \r\nNOTE: the vendor points out that the parse method \"wraps the lxml library\" and that this may be an issue to \"raise ... to the lxml group.\"", "cve": "CVE-2020-27197", "id": "pyup.io-54231", "more_info_path": "/vulnerabilities/CVE-2020-27197/54231", 
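Review bot: The only change to the libtaxii CVE-2020-27197 entry is dropping the fix-commit URL `https://github.com/TAXIIProject/libtaxii/pull/247/commits/e8918f07ef86f6a5ea9778fcd443784f4b13277e`, and nothing replaces it. Because the remaining text quotes the vendor's note that the issue may belong to lxml, that commit link was the only pointer showing libtaxii itself changed something in 1.1.118, which is what justifies the `<1.1.118` spec. Unless the link was removed because it no longer resolves, it should be kept; if it was dead, the reference that replaces it should be added in its place.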
@@ -77534,20 +78214,20 @@ "v": "<2.0.4" }, { - "advisory": "Lightning 2.0.4 updates its dependency 'ipython' to version '8.14.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/98e1aabd0c711e508d33f599265de011ca5dfba8", - "cve": "CVE-2023-24816", - "id": "pyup.io-59170", - "more_info_path": "/vulnerabilities/CVE-2023-24816/59170", + "advisory": "Lightning 2.0.4 updates its dependency 'requests' to '2.31.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/37be44d2a3804dad52f0d4e4dcc5419bcb48391f", + "cve": "CVE-2023-32681", + "id": "pyup.io-59187", + "more_info_path": "/vulnerabilities/CVE-2023-32681/59187", "specs": [ "<2.0.4" ], "v": "<2.0.4" }, { - "advisory": "Lightning 2.0.4 updates its dependency 'requests' to '2.31.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/37be44d2a3804dad52f0d4e4dcc5419bcb48391f", - "cve": "CVE-2023-32681", - "id": "pyup.io-59187", - "more_info_path": "/vulnerabilities/CVE-2023-32681/59187", + "advisory": "Lightning 2.0.4 updates its dependency 'ipython' to version '8.14.0' to include a security fix.\r\nhttps://github.com/Lightning-AI/lightning/commit/98e1aabd0c711e508d33f599265de011ca5dfba8", + "cve": "CVE-2023-24816", + "id": "pyup.io-59170", + "more_info_path": "/vulnerabilities/CVE-2023-24816/59170", "specs": [ "<2.0.4" ], 
@@ -77850,6 +78530,18 @@ "v": "<1.35.20.dev2" } ], + "litestar": [ + { + "advisory": "Affected versions of Litestar are vulnerable to Path Traversal. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.", + "cve": "CVE-2024-32982", + "id": "pyup.io-70845", + "more_info_path": "/vulnerabilities/CVE-2024-32982/70845", + "specs": [ + "<=2.8.2" + ], + "v": "<=2.8.2" + } + ], "lithops": [ { "advisory": "Lithops 1.0.1 fixes a flask security issue. See: CVE-2018-1000656.", @@ -77906,6 +78598,26 @@ "<0.2.12" ], "v": "<0.2.12" + }, + { + "advisory": "Llama-cpp-python version 0.2.72 enhances security by updating all remaining Jinja chat templates to use an immutable sandbox.", + "cve": "PVE-2024-70929", + "id": "pyup.io-70929", + "more_info_path": "/vulnerabilities/PVE-2024-70929/70929", + "specs": [ + "<0.2.72" + ], + "v": "<0.2.72" + }, + { + "advisory": "Llama-cpp-python version 0.2.72 addresses a security issue by fixing a Remote Code Execution vulnerability caused by Server-Side Template Injection in Model Metadata.", + "cve": "CVE-2024-34359", + "id": "pyup.io-70912", + "more_info_path": "/vulnerabilities/CVE-2024-34359/70912", + "specs": [ + "<0.2.72" + ], + "v": "<0.2.72" } ], "llama-hub": [ 
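Review bot: The new litestar CVE-2024-32982 entry is generic boilerplate — it says "path traversal" three different ways but never names which component is affected or the release that fixed it, and carries no reference. The spec `<=2.8.2` implies the fix landed in the release after 2.8.2, which the text should state outright so a consumer knows what to upgrade to, and a link to the upstream advisory would let them verify that bound. Suggest collapsing the second and third sentences into one, `"An attacker can request paths that resolve outside the intended directory and read files the server never meant to expose."`, followed by the fixed-version statement and the reference.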
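Review bot: The two new llama-cpp-python entries both describe release 0.2.72 and, on the face of it, the same fix: PVE-2024-70929 says the Jinja chat templates were moved to an immutable sandbox, and CVE-2024-34359 is the server-side template injection in model metadata that such a sandbox addresses. If those are one change, every consumer below 0.2.72 will see the same problem reported twice under two identifiers. Either fold the PVE entry into the CVE entry or make the relationship explicit, e.g. end the PVE text with `" This is the hardening that addresses CVE-2024-34359."`, so tooling can de-duplicate; if they are genuinely separate changes, the PVE text should say what the second one protects against.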
@@ -78006,6 +78718,28 @@ "v": "<0.0.10" } ], + "lnbits": [ + { + "advisory": "Lnbits version 0.12.5 updates its `black` dependency from version 24.2.0 to 24.3.0 to address the security vulnerability identified as CVE-2024-21503. This update is implemented as a security measure, ensuring the package remains secure by incorporating the necessary fixes from the updated version of the `black` code formatter.", + "cve": "CVE-2024-21503", + "id": "pyup.io-71111", + "more_info_path": "/vulnerabilities/CVE-2024-21503/71111", + "specs": [ + "<0.12.5" + ], + "v": "<0.12.5" + }, + { + "advisory": "Lnbits version 0.12.5 addresses a security issue in the `pycryptodomex` library. The dependency is updated from version 3.19.0 to 3.19.1 to resolve the vulnerability identified as CVE-2023-52323. This update ensures that the package remains secure by incorporating the necessary fixes from the updated library version.", + "cve": "CVE-2023-52323", + "id": "pyup.io-71115", + "more_info_path": "/vulnerabilities/CVE-2023-52323/71115", + "specs": [ + "<0.12.5" + ], + "v": "<0.12.5" + } + ], "localstack": [ { "advisory": "Localstack 0.12.14 fixes CORS setup to prevent CSRF attacks.\r\nhttps://github.com/localstack/localstack/commit/809235e3079a1060dae599ce83ed06c84b0e34a5", @@ -78185,16 +78919,6 @@ } ], "logbesselk": [ - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41227", - "id": "pyup.io-51611", - "more_info_path": "/vulnerabilities/CVE-2021-41227/51611", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41196", 
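Review bot: Both new lnbits entries pad the advisory with a near-identical filler sentence ("This update is implemented as a security measure, ensuring the package remains secure by incorporating the necessary fixes…") that carries no information; the first sentence of each already states which dependency moved from which version to which and for which CVE, so the rest can be cut. The black entry (pyup.io-71111) deserves the same question as the langchain one in this patch: black is a formatter that is usually a dev-only requirement, and if lnbits pins it only for development, applications that install lnbits never get black and this CVE-2024-21503 entry is a false positive for them. The pycryptodomex entry (pyup.io-71115) looks like a runtime dependency bump and reads fine once the filler is removed.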
@@ -78215,26 +78939,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41199", - "id": "pyup.io-51583", - "more_info_path": "/vulnerabilities/CVE-2021-41199/51583", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41200", - "id": "pyup.io-51584", - "more_info_path": "/vulnerabilities/CVE-2021-41200/51584", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41201", @@ -78245,16 +78949,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41202", - "id": "pyup.io-51586", - "more_info_path": "/vulnerabilities/CVE-2021-41202/51586", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41209", @@ -78265,16 +78959,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41210", - "id": "pyup.io-51594", - "more_info_path": "/vulnerabilities/CVE-2021-41210/51594", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41212", 
@@ -78285,16 +78969,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41213", - "id": "pyup.io-51597", - "more_info_path": "/vulnerabilities/CVE-2021-41213/51597", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41215", @@ -78335,16 +79009,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41222", - "id": "pyup.io-51606", - "more_info_path": "/vulnerabilities/CVE-2021-41222/51606", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41224", @@ -78355,36 +79019,6 @@ ], "v": "<0.8.5" }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41225", - "id": "pyup.io-51609", - "more_info_path": "/vulnerabilities/CVE-2021-41225/51609", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41226", - "id": "pyup.io-51610", - "more_info_path": "/vulnerabilities/CVE-2021-41226/51610", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41228", - "id": "pyup.io-51612", - "more_info_path": "/vulnerabilities/CVE-2021-41228/51612", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", "cve": "CVE-2021-41197", 
@@ -78397,9 +79031,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41204", - "id": "pyup.io-51588", - "more_info_path": "/vulnerabilities/CVE-2021-41204/51588", + "cve": "CVE-2021-41217", + "id": "pyup.io-51601", + "more_info_path": "/vulnerabilities/CVE-2021-41217/51601", "specs": [ "<0.8.5" ], @@ -78407,9 +79041,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41205", - "id": "pyup.io-51589", - "more_info_path": "/vulnerabilities/CVE-2021-41205/51589", + "cve": "CVE-2021-41214", + "id": "pyup.io-51598", + "more_info_path": "/vulnerabilities/CVE-2021-41214/51598", "specs": [ "<0.8.5" ], @@ -78417,9 +79051,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41206", - "id": "pyup.io-51590", - "more_info_path": "/vulnerabilities/CVE-2021-41206/51590", + "cve": "CVE-2021-41203", + "id": "pyup.io-51587", + "more_info_path": "/vulnerabilities/CVE-2021-41203/51587", "specs": [ "<0.8.5" ], @@ -78427,9 +79061,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41195", - "id": "pyup.io-51579", - "more_info_path": "/vulnerabilities/CVE-2021-41195/51579", + "cve": "CVE-2021-41207", + "id": "pyup.io-51591", + "more_info_path": "/vulnerabilities/CVE-2021-41207/51591", "specs": [ "<0.8.5" ], @@ -78437,9 +79071,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-51592", - "more_info_path": "/vulnerabilities/CVE-2021-41208/51592", + "cve": "CVE-2021-41219", + "id": "pyup.io-51603", + "more_info_path": "/vulnerabilities/CVE-2021-41219/51603", "specs": [ "<0.8.5" ], 
@@ -78447,9 +79081,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41214", - "id": "pyup.io-51598", - "more_info_path": "/vulnerabilities/CVE-2021-41214/51598", + "cve": "CVE-2021-41200", + "id": "pyup.io-51584", + "more_info_path": "/vulnerabilities/CVE-2021-41200/51584", "specs": [ "<0.8.5" ], @@ -78457,9 +79091,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41217", - "id": "pyup.io-51601", - "more_info_path": "/vulnerabilities/CVE-2021-41217/51601", + "cve": "CVE-2021-41208", + "id": "pyup.io-51592", + "more_info_path": "/vulnerabilities/CVE-2021-41208/51592", "specs": [ "<0.8.5" ], @@ -78467,9 +79101,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41221", - "id": "pyup.io-51605", - "more_info_path": "/vulnerabilities/CVE-2021-41221/51605", + "cve": "CVE-2021-22925", + "id": "pyup.io-51577", + "more_info_path": "/vulnerabilities/CVE-2021-22925/51577", "specs": [ "<0.8.5" ], @@ -78477,9 +79111,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41223", - "id": "pyup.io-51607", - "more_info_path": "/vulnerabilities/CVE-2021-41223/51607", + "cve": "CVE-2021-22924", + "id": "pyup.io-51576", + "more_info_path": "/vulnerabilities/CVE-2021-22924/51576", "specs": [ "<0.8.5" ], 
@@ -78487,19 +79121,19 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-22925", - "id": "pyup.io-51577", - "more_info_path": "/vulnerabilities/CVE-2021-22925/51577", + "cve": "CVE-2021-41211", + "id": "pyup.io-51595", + "more_info_path": "/vulnerabilities/CVE-2021-41211/51595", "specs": [ "<0.8.5" ], "v": "<0.8.5" }, { - "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-22924", - "id": "pyup.io-51576", - "more_info_path": "/vulnerabilities/CVE-2021-22924/51576", + "advisory": "Logbesselk 0.8.5 updates its dependency 'numpy' to v1.21.5 to include a security fix.", + "cve": "CVE-2021-33430", + "id": "pyup.io-51528", + "more_info_path": "/vulnerabilities/CVE-2021-33430/51528", "specs": [ "<0.8.5" ], @@ -78507,9 +79141,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-22922", - "id": "pyup.io-51574", - "more_info_path": "/vulnerabilities/CVE-2021-22922/51574", + "cve": "CVE-2021-41228", + "id": "pyup.io-51612", + "more_info_path": "/vulnerabilities/CVE-2021-41228/51612", "specs": [ "<0.8.5" ], @@ -78517,9 +79151,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41203", - "id": "pyup.io-51587", - "more_info_path": "/vulnerabilities/CVE-2021-41203/51587", + "cve": "CVE-2021-41227", + "id": "pyup.io-51611", + "more_info_path": "/vulnerabilities/CVE-2021-41227/51611", "specs": [ "<0.8.5" ], 
@@ -78527,9 +79161,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41211", - "id": "pyup.io-51595", - "more_info_path": "/vulnerabilities/CVE-2021-41211/51595", + "cve": "CVE-2021-41206", + "id": "pyup.io-51590", + "more_info_path": "/vulnerabilities/CVE-2021-41206/51590", "specs": [ "<0.8.5" ], @@ -78537,9 +79171,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41207", - "id": "pyup.io-51591", - "more_info_path": "/vulnerabilities/CVE-2021-41207/51591", + "cve": "CVE-2021-41221", + "id": "pyup.io-51605", + "more_info_path": "/vulnerabilities/CVE-2021-41221/51605", "specs": [ "<0.8.5" ], @@ -78547,19 +79181,9 @@ }, { "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.", - "cve": "CVE-2021-41219", - "id": "pyup.io-51603", - "more_info_path": "/vulnerabilities/CVE-2021-41219/51603", - "specs": [ - "<0.8.5" - ], - "v": "<0.8.5" - }, - { - "advisory": "Logbesselk 0.8.5 updates its dependency 'numpy' to v1.21.5 to include a security fix.", - "cve": "CVE-2021-33430", - "id": "pyup.io-51528", - "more_info_path": "/vulnerabilities/CVE-2021-33430/51528", + "cve": "CVE-2021-22922", + "id": "pyup.io-51574", + "more_info_path": "/vulnerabilities/CVE-2021-22922/51574", "specs": [ "<0.8.5" ], 
@@ -78594,6 +79218,116 @@
 "<0.8.5"
 ],
 "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-51586",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/51586",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41199",
+ "id": "pyup.io-51583",
+ "more_info_path": "/vulnerabilities/CVE-2021-41199/51583",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41213",
+ "id": "pyup.io-51597",
+ "more_info_path": "/vulnerabilities/CVE-2021-41213/51597",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41222",
+ "id": "pyup.io-51606",
+ "more_info_path": "/vulnerabilities/CVE-2021-41222/51606",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41210",
+ "id": "pyup.io-51594",
+ "more_info_path": "/vulnerabilities/CVE-2021-41210/51594",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41225",
+ "id": "pyup.io-51609",
+ "more_info_path": "/vulnerabilities/CVE-2021-41225/51609",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41226",
+ "id": "pyup.io-51610",
+ "more_info_path": "/vulnerabilities/CVE-2021-41226/51610",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-51589",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/51589",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41204",
+ "id": "pyup.io-51588",
+ "more_info_path": "/vulnerabilities/CVE-2021-41204/51588",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-51579",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/51579",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
+ },
+ {
+ "advisory": "Logbesselk 0.8.5 updates its dependency 'tensorflow' to v2.8.0 to include security fixes.",
+ "cve": "CVE-2021-41223",
+ "id": "pyup.io-51607",
+ "more_info_path": "/vulnerabilities/CVE-2021-41223/51607",
+ "specs": [
+ "<0.8.5"
+ ],
+ "v": "<0.8.5"
 }
 ],
 "loggerhead": [
@@ -78632,20 +79366,20 @@
 ],
 "logprep": [
 {
- "advisory": "Logprep 7.0.0 updates its dependency 'certifi' to include a security fix.",
- "cve": "CVE-2023-37920",
- "id": "pyup.io-61802",
- "more_info_path": "/vulnerabilities/CVE-2023-37920/61802",
+ "advisory": "Logprep 7.0.0 updates its dependency 'aiohttp' to include a security fix.",
+ "cve": "CVE-2023-37276",
+ "id": "pyup.io-61805",
+ "more_info_path": "/vulnerabilities/CVE-2023-37276/61805",
 "specs": [
 "<7.0.0"
 ],
 "v": "<7.0.0"
 },
 {
- "advisory": "Logprep 7.0.0 updates its dependency 'aiohttp' to include a security fix.",
- "cve": "CVE-2023-37276",
- "id": "pyup.io-61805",
- "more_info_path": "/vulnerabilities/CVE-2023-37276/61805",
+ "advisory": "Logprep 7.0.0 updates its dependency 'certifi' to include a security fix.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-61802",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/61802",
 "specs": [
 "<7.0.0"
 ],
@@ -79176,10 +79910,10 @@
 "v": "<0.9.4"
 },
 {
- "advisory": "Mage-ai 0.9.62 has updated its pyarrow dependency from 10.0.1 to 14.0.1 to address the security issue identified as CVE-2019-12410.",
- "cve": "CVE-2019-12410",
- "id": "pyup.io-65053",
- "more_info_path": "/vulnerabilities/CVE-2019-12410/65053",
+ "advisory": "Mage-ai 0.9.62 has updated its cryptography dependency from 36.0.2 to 41.0.6 to address the security issue identified as CVE-2024-22195.",
+ "cve": "CVE-2024-0727",
+ "id": "pyup.io-65072",
+ "more_info_path": "/vulnerabilities/CVE-2024-0727/65072",
 "specs": [
 "<0.9.62"
 ],
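Review bot: In the mage-ai hunk the re-added entry pyup.io-65072 has an `advisory` saying the cryptography bump from 36.0.2 to 41.0.6 addresses CVE-2024-22195, while its `cve` and `more_info_path` name CVE-2024-0727. The same lines are removed unchanged in the following hunk, so the mismatch is pre-existing rather than introduced here, but the rewrite is the natural place to fix it. CVE-2024-22195 is the identifier the Mage-ai 0.9.65 Jinja2 entry uses further down, which looks like a copy-paste slip; which of the two identifiers the 41.0.6 bump actually covers should be confirmed against the cryptography changelog rather than assumed. If the `cve` field is the correct one, the line becomes `"advisory": "Mage-ai 0.9.62 has updated its cryptography dependency from 36.0.2 to 41.0.6 to address the security issue identified as CVE-2024-0727.",`.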
@@ -79196,10 +79930,10 @@
 "v": "<0.9.62"
 },
 {
- "advisory": "Mage-ai 0.9.62 has updated its cryptography dependency from 36.0.2 to 41.0.6 to address the security issue identified as CVE-2024-22195.",
- "cve": "CVE-2024-0727",
- "id": "pyup.io-65072",
- "more_info_path": "/vulnerabilities/CVE-2024-0727/65072",
+ "advisory": "Mage-ai 0.9.62 has updated its pyarrow dependency from 10.0.1 to 14.0.1 to address the security issue identified as CVE-2019-12410.",
+ "cve": "CVE-2019-12410",
+ "id": "pyup.io-65053",
+ "more_info_path": "/vulnerabilities/CVE-2019-12410/65053",
 "specs": [
 "<0.9.62"
 ],
@@ -79216,20 +79950,20 @@
 "v": "<0.9.62"
 },
 {
- "advisory": "Mage-ai version 0.9.65 updates its Jinja2 dependency to 3.1.3 from the previous 3.1.2 in response to the security vulnerability CVE-2024-22195.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
- "cve": "CVE-2024-22195",
- "id": "pyup.io-66072",
- "more_info_path": "/vulnerabilities/CVE-2024-22195/66072",
+ "advisory": "Mage-ai version 0.9.65 updates its jupyter-server dependency to 2.11.2 from the previous 1.23.5 in response to the security vulnerability CVE-2023-49080.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
+ "cve": "CVE-2023-49080",
+ "id": "pyup.io-66645",
+ "more_info_path": "/vulnerabilities/CVE-2023-49080/66645",
 "specs": [
 "<0.9.65"
 ],
 "v": "<0.9.65"
 },
 {
- "advisory": "Mage-ai version 0.9.65 updates its jupyter-server dependency to 2.11.2 from the previous 1.23.5 in response to the security vulnerability CVE-2023-49080.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
- "cve": "CVE-2023-49080",
- "id": "pyup.io-66645",
- "more_info_path": "/vulnerabilities/CVE-2023-49080/66645",
+ "advisory": "Mage-ai version 0.9.65 updates its Jinja2 dependency to 3.1.3 from the previous 3.1.2 in response to the security vulnerability CVE-2024-22195.\r\nhttps://github.com/mage-ai/mage-ai/pull/4444/commits/6fd7c487c4accb1af62438b07b876d732d3c301a",
+ "cve": "CVE-2024-22195",
+ "id": "pyup.io-66072",
+ "more_info_path": "/vulnerabilities/CVE-2024-22195/66072",
 "specs": [
 "<0.9.65"
 ],
@@ -79247,6 +79981,16 @@
 }
 ],
 "magnum": [
+ {
+ "advisory": "An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component. See CVE-2024-28717.",
+ "cve": "CVE-2024-28717",
+ "id": "pyup.io-70631",
+ "more_info_path": "/vulnerabilities/CVE-2024-28717/70631",
+ "specs": [
+ "<14.1.2"
+ ],
+ "v": "<14.1.2"
+ },
 {
 "advisory": "OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any API operation the user is authorized to perform.",
 "cve": "CVE-2016-7404",
@@ -79256,6 +80000,16 @@
 "<3.1.2"
 ],
 "v": "<3.1.2"
+ },
+ {
+ "advisory": "An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py. component. See CVE-2024-28718.",
+ "cve": "CVE-2024-28718",
+ "id": "pyup.io-70632",
+ "more_info_path": "/vulnerabilities/CVE-2024-28718/70632",
+ "specs": [
+ "<=14.1.2"
+ ],
+ "v": "<=14.1.2"
 }
 ],
 "mail-validator": [
@@ -79655,6 +80409,16 @@
 ],
 "v": ">=1.0,<=2.1.5"
 },
+ {
+ "advisory": "GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.",
+ "cve": "CVE-2020-12137",
+ "id": "pyup.io-70735",
+ "more_info_path": "/vulnerabilities/CVE-2020-12137/70735",
+ "specs": [
+ ">=2.0,<2.1.30"
+ ],
+ "v": ">=2.0,<2.1.30"
+ },
 {
 "advisory": "Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character encodings in filenames of e-mail attachments, which allows remote attackers to cause a denial of service (application crash).",
 "cve": "CVE-2005-3573",
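Review bot: The entry added at the top of `magnum`, pyup.io-70631, describes OpenStack Storlets and its `gateway.py` component rather than Magnum, so it appears to be filed under the wrong package: Magnum users would be alerted for CVE-2024-28717 while Storlets users get no entry at all. The Magnum-specific issue is the entry added in the next hunk on this line, CVE-2024-28718, and its range `<=14.1.2` disagrees with the first entry's `<14.1.2` even though both advisories only say "yoga-eom", so the two bounds cannot both describe the same fix. I'd move pyup.io-70631 under the Storlets package key and confirm the Magnum bound against the actual fixed release before it ships, since an off-by-one on `<` versus `<=` either flags the fixed version or misses the last vulnerable one.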
@@ -79827,9 +80591,9 @@
 },
 {
 "advisory": "Mapchete 2022.11.0 updates its dependency 'rasterio' requirement to '>1.2.10' to include security fixes.",
- "cve": "CVE-2020-12762",
- "id": "pyup.io-51993",
- "more_info_path": "/vulnerabilities/CVE-2020-12762/51993",
+ "cve": "CVE-2020-10809",
+ "id": "pyup.io-51978",
+ "more_info_path": "/vulnerabilities/CVE-2020-10809/51978",
 "specs": [
 "<2022.11.0"
 ],
@@ -79837,9 +80601,9 @@
 },
 {
 "advisory": "Mapchete 2022.11.0 updates its dependency 'rasterio' requirement to '>1.2.10' to include security fixes.",
- "cve": "CVE-2020-10810",
- "id": "pyup.io-51990",
- "more_info_path": "/vulnerabilities/CVE-2020-10810/51990",
+ "cve": "CVE-2020-10811",
+ "id": "pyup.io-51991",
+ "more_info_path": "/vulnerabilities/CVE-2020-10811/51991",
 "specs": [
 "<2022.11.0"
 ],
@@ -79847,9 +80611,9 @@
 },
 {
 "advisory": "Mapchete 2022.11.0 updates its dependency 'rasterio' requirement to '>1.2.10' to include security fixes.",
- "cve": "CVE-2020-10809",
- "id": "pyup.io-51978",
- "more_info_path": "/vulnerabilities/CVE-2020-10809/51978",
+ "cve": "CVE-2020-10810",
+ "id": "pyup.io-51990",
+ "more_info_path": "/vulnerabilities/CVE-2020-10810/51990",
 "specs": [
 "<2022.11.0"
 ],
@@ -79857,9 +80621,9 @@
 },
 {
 "advisory": "Mapchete 2022.11.0 updates its dependency 'rasterio' requirement to '>1.2.10' to include security fixes.",
- "cve": "CVE-2020-10811",
- "id": "pyup.io-51991",
- "more_info_path": "/vulnerabilities/CVE-2020-10811/51991",
+ "cve": "CVE-2020-12762",
+ "id": "pyup.io-51993",
+ "more_info_path": "/vulnerabilities/CVE-2020-12762/51993",
 "specs": [
 "<2022.11.0"
 ],
@@ -80021,20 +80785,20 @@
 ],
 "maptasker": [
 {
- "advisory": "Maptasker 1.3.3 uses 'defusedxml' to prevent XXE vulnerabilities.\r\nhttps://github.com/mctinker/Map-Tasker/commit/748dc69ed16053fff0b8bb54fb1a3b589300355c",
- "cve": "CVE-2013-1665",
- "id": "pyup.io-55045",
- "more_info_path": "/vulnerabilities/CVE-2013-1665/55045",
+ "advisory": "Maptasker 1.3.3 replaces 'pickle' with 'json' to avoid code execution vulnerabilities.",
+ "cve": "PVE-2023-55051",
+ "id": "pyup.io-55051",
+ "more_info_path": "/vulnerabilities/PVE-2023-55051/55051",
 "specs": [
 "<1.3.3"
 ],
 "v": "<1.3.3"
 },
 {
- "advisory": "Maptasker 1.3.3 replaces 'pickle' with 'json' to avoid code execution vulnerabilities.",
- "cve": "PVE-2023-55051",
- "id": "pyup.io-55051",
- "more_info_path": "/vulnerabilities/PVE-2023-55051/55051",
+ "advisory": "Maptasker 1.3.3 uses 'defusedxml' to prevent XXE vulnerabilities.\r\nhttps://github.com/mctinker/Map-Tasker/commit/748dc69ed16053fff0b8bb54fb1a3b589300355c",
+ "cve": "CVE-2013-1665",
+ "id": "pyup.io-55045",
+ "more_info_path": "/vulnerabilities/CVE-2013-1665/55045",
 "specs": [
 "<1.3.3"
 ],
@@ -80131,6 +80895,16 @@
 "<0.3.9"
 ],
 "v": "<0.3.9"
+ },
+ {
+ "advisory": "Marimo 0.5.0 introduces markdown sanitization to protect against malicious content in notebooks.",
+ "cve": "PVE-2024-70872",
+ "id": "pyup.io-70872",
+ "more_info_path": "/vulnerabilities/PVE-2024-70872/70872",
+ "specs": [
+ "<0.5.0"
+ ],
+ "v": "<0.5.0"
 }
 ],
 "markdown-it-py": [
@@ -80639,6 +81413,18 @@
 "v": ">0,<0"
 }
 ],
+ "matprops": [
+ {
+ "advisory": "Matprops version 1.0.4.2 updates its `setuptools` dependency from `setuptools~=58.1.0` to `setuptools>=65.5.1` to address the security vulnerability identified in CVE-2022-40897.",
+ "cve": "CVE-2022-40897",
+ "id": "pyup.io-71059",
+ "more_info_path": "/vulnerabilities/CVE-2022-40897/71059",
+ "specs": [
+ "<1.0.4.2"
+ ],
+ "v": "<1.0.4.2"
+ }
+ ],
 "matrix-nio": [
 {
 "advisory": "Matrix-nio 0.20 includes a fix for CVE-2022-39254: Prior to version 0.20, when a user requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack.",
@@ -80867,20 +81653,20 @@
 "v": "<1.74.0"
 },
 {
- "advisory": "Matrix-synapse 1.85.0 includes a security fix: URL deny list bypass via oEmbed and image URLs when generating previews.\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc\r\nhttps://github.com/matrix-org/synapse/pull/15601",
- "cve": "CVE-2023-32683",
- "id": "pyup.io-58943",
- "more_info_path": "/vulnerabilities/CVE-2023-32683/58943",
+ "advisory": "Matrix-synapse 1.85.0 includes a security fix: Improper checks for deactivated users during login.\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p\r\nhttps://github.com/matrix-org/synapse/pull/15624\r\nhttps://github.com/matrix-org/synapse/pull/15634",
+ "cve": "CVE-2023-32682",
+ "id": "pyup.io-58942",
+ "more_info_path": "/vulnerabilities/CVE-2023-32682/58942",
 "specs": [
 "<1.85.0"
 ],
 "v": "<1.85.0"
 },
 {
- "advisory": "Matrix-synapse 1.85.0 includes a security fix: Improper checks for deactivated users during login.\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p\r\nhttps://github.com/matrix-org/synapse/pull/15624\r\nhttps://github.com/matrix-org/synapse/pull/15634",
- "cve": "CVE-2023-32682",
- "id": "pyup.io-58942",
- "more_info_path": "/vulnerabilities/CVE-2023-32682/58942",
+ "advisory": "Matrix-synapse 1.85.0 includes a security fix: URL deny list bypass via oEmbed and image URLs when generating previews.\r\nhttps://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc\r\nhttps://github.com/matrix-org/synapse/pull/15601",
+ "cve": "CVE-2023-32683",
+ "id": "pyup.io-58943",
+ "more_info_path": "/vulnerabilities/CVE-2023-32683/58943",
 "specs": [
 "<1.85.0"
 ],
@@ -81113,6 +81899,18 @@
 "v": "<1.0.0"
 }
 ],
+ "mauth-client": [
+ {
+ "advisory": "Mauth-client version 1.6.5 updates its `requests` dependency from version ^2.23 to ^2.31.0 to address the security vulnerability identified in CVE-2023-32681.",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-71027",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/71027",
+ "specs": [
+ "<1.6.5"
+ ],
+ "v": "<1.6.5"
+ }
+ ],
 "mautrix-telegram": [
 {
 "advisory": "Mautrix-telegram 0.6.0 fixes a vulnerability in event handling.",
@@ -81138,6 +81936,16 @@
 }
 ],
 "mayan-edms": [
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.",
+ "cve": "CVE-2014-3840",
+ "id": "pyup.io-70422",
+ "more_info_path": "/vulnerabilities/CVE-2014-3840/70422",
+ "specs": [
+ "<1.0"
+ ],
+ "v": "<1.0"
+ },
 {
 "advisory": "Mayan-edms versions before 3.0.2 are affected by CVE-2018-16406:\r\nThe Cabinets app has XSS via a crafted cabinet label.\r\nhttps://gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst\r\nhttps://gitlab.com/mayan-edms/mayan-edms/commit/48dfc06e49c7f773749e063f8cc69c95509d1c32\r\nhttps://gitlab.com/mayan-edms/mayan-edms/issues/495",
 "cve": "CVE-2018-16406",
@@ -81174,19 +81982,9 @@
 "id": "pyup.io-62545",
 "more_info_path": "/vulnerabilities/CVE-2022-47419/62545",
 "specs": [
- "<4.4.10"
- ],
- "v": "<4.4.10"
- },
- {
- "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.",
- "cve": "CVE-2014-3840",
- "id": "pyup.io-70422",
- "more_info_path": "/vulnerabilities/CVE-2014-3840/70422",
- "specs": [
- "<=0.13"
+ "<4.4.3"
 ],
- "v": "<=0.13"
+ "v": "<4.4.3"
 }
 ],
 "md4c": [
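Review bot: The spec for pyup.io-62545 (CVE-2022-47419) narrows from `<4.4.10` to `<4.4.3`, which silently stops reporting 4.4.3 through 4.4.9; a narrowed range in a vulnerability feed is a false negative for every consumer, and nothing in the hunk explains the change. The entry's `advisory` line sits above the hunk, so the fix release it cites should be confirmed before the new bound ships. The same commit moves CVE-2014-3840 in the opposite direction, added with `<1.0` in the `@@ -81138,6 +81936,16 @@` hunk and removed here with `<=0.13`, so if the convention being applied is "strictly less than the first fixed release" it would help to say so in the commit message.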
@@ -81457,20 +82255,20 @@
 "v": ">=0,<3.2.4"
 },
 {
- "advisory": "Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.",
- "cve": "CVE-2016-3068",
- "id": "pyup.io-54113",
- "more_info_path": "/vulnerabilities/CVE-2016-3068/54113",
+ "advisory": "The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.",
+ "cve": "CVE-2016-3630",
+ "id": "pyup.io-54117",
+ "more_info_path": "/vulnerabilities/CVE-2016-3630/54117",
 "specs": [
 ">=0,<3.7.3"
 ],
 "v": ">=0,<3.7.3"
 },
 {
- "advisory": "The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.",
- "cve": "CVE-2016-3630",
- "id": "pyup.io-54117",
- "more_info_path": "/vulnerabilities/CVE-2016-3630/54117",
+ "advisory": "Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.",
+ "cve": "CVE-2016-3068",
+ "id": "pyup.io-54113",
+ "more_info_path": "/vulnerabilities/CVE-2016-3068/54113",
 "specs": [
 ">=0,<3.7.3"
 ],
@@ -81497,20 +82295,20 @@
 "v": ">=0,<3.8-rc"
 },
 {
- "advisory": "Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.",
- "cve": "CVE-2017-1000116",
- "id": "pyup.io-53926",
- "more_info_path": "/vulnerabilities/CVE-2017-1000116/53926",
+ "advisory": "Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository",
+ "cve": "CVE-2017-1000115",
+ "id": "pyup.io-53925",
+ "more_info_path": "/vulnerabilities/CVE-2017-1000115/53925",
 "specs": [
 ">=0,<4.3"
 ],
 "v": ">=0,<4.3"
 },
 {
- "advisory": "Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository",
- "cve": "CVE-2017-1000115",
- "id": "pyup.io-53925",
- "more_info_path": "/vulnerabilities/CVE-2017-1000115/53925",
+ "advisory": "Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.",
+ "cve": "CVE-2017-1000116",
+ "id": "pyup.io-53926",
+ "more_info_path": "/vulnerabilities/CVE-2017-1000116/53926",
 "specs": [
 ">=0,<4.3"
 ],
@@ -81536,16 +82334,6 @@
 ],
 "v": ">=0,<4.5.1"
 },
- {
- "advisory": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
- "cve": "CVE-2018-13347",
- "id": "pyup.io-54003",
- "more_info_path": "/vulnerabilities/CVE-2018-13347/54003",
- "specs": [
- ">=0,<4.6.1"
- ],
- "v": ">=0,<4.6.1"
- },
 {
 "advisory": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.",
 "cve": "CVE-2018-13346",
@@ -81566,6 +82354,16 @@
 ],
 "v": ">=0,<4.6.1"
 },
+ {
+ "advisory": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
+ "cve": "CVE-2018-13347",
+ "id": "pyup.io-54003",
+ "more_info_path": "/vulnerabilities/CVE-2018-13347/54003",
+ "specs": [
+ ">=0,<4.6.1"
+ ],
+ "v": ">=0,<4.6.1"
+ },
 {
 "advisory": "cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.",
 "cve": "CVE-2018-17983",
@@ -81635,6 +82433,28 @@
 "v": "<1.11.3"
 }
 ],
+ "metldata": [
+ {
+ "advisory": "Metldata version 1.3.0 updates its `cryptography` dependency to \"cryptography>=42.0.0\" to address vulnerabilities, including CVE-2023-50782.",
+ "cve": "CVE-2023-50782",
+ "id": "pyup.io-71293",
+ "more_info_path": "/vulnerabilities/CVE-2023-50782/71293",
+ "specs": [
+ "<1.3.0"
+ ],
+ "v": "<1.3.0"
+ },
+ {
+ "advisory": "Metldata version 1.3.0 updates its `cryptography` dependency to \"cryptography>=42.0.0\" to address vulnerabilities, including CVE-2023-49083.",
+ "cve": "CVE-2023-49083",
+ "id": "pyup.io-71299",
+ "more_info_path": "/vulnerabilities/CVE-2023-49083/71299",
+ "specs": [
+ "<1.3.0"
+ ],
+ "v": "<1.3.0"
+ }
+ ],
 "metpx-sarracenia": [
 {
 "advisory": "Metpx-sarracenia 2.20.4b2 removes recursion in the connection recovery, which was vulnerable to stack exhaustion on long failures.\r\nhttps://github.com/MetPX/sarracenia/commit/b1b78e1a1fcfe08fe81dee2840aa29d71becda65",
@@ -81733,20 +82553,20 @@
 "v": "<=4.3.1"
 },
 {
- "advisory": "An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.",
- "cve": "CVE-2024-22311",
+ "advisory": "** DISPUTED ** An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.",
+ "cve": "CVE-2024-25170",
 "id": "pyup.io-68491",
- "more_info_path": "/vulnerabilities/CVE-2024-22311/68491",
+ "more_info_path": "/vulnerabilities/CVE-2024-25170/68491",
 "specs": [
 "<=6.0.0"
 ],
 "v": "<=6.0.0"
 },
 {
- "advisory": "An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.",
- "cve": "CVE-2023-45922",
+ "advisory": "** DISPUTED ** An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.",
+ "cve": "CVE-2024-25169",
 "id": "pyup.io-68492",
- "more_info_path": "/vulnerabilities/CVE-2023-45922/68492",
+ "more_info_path": "/vulnerabilities/CVE-2024-25169/68492",
 "specs": [
 "<=6.0.0"
 ],
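Review bot: The disputed status is encoded as a `** DISPUTED **` prefix inside the `advisory` string on both Mezzanine entries, so a consumer that wants to down-rank or filter disputed advisories has to string-match free text; the mkdocs hunk at `@@ -82651,7 +83467,7 @@` does the same. A structured field next to `cve`, e.g. `"disputed": true,`, would be the data-model fix, though adding a key is a schema change for every reader of this file, so the prefix may simply be the accepted convention here. Either way it should be applied consistently: the mitogen entry for CVE-2019-15149, whose own text says the vendor disputes it, is deleted outright in the `@@ -82591,18 +83419,6 @@` hunk rather than prefixed, which leaves users of versions below 0.2.8 with no record at all.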
@@ -81885,30 +82705,6 @@
 "v": "<2024.1.5"
 }
 ],
- "micropython-copy": [
- {
- "advisory": "A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.",
- "cve": "CVE-2023-7152",
- "id": "pyup.io-70396",
- "more_info_path": "/vulnerabilities/CVE-2023-7152/70396",
- "specs": [
- "<1.22.0"
- ],
- "v": "<1.22.0"
- }
- ],
- "micropython-io": [
- {
- "advisory": "A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.",
- "cve": "CVE-2023-7152",
- "id": "pyup.io-70397",
- "more_info_path": "/vulnerabilities/CVE-2023-7152/70397",
- "specs": [
- "<1.22.0"
- ],
- "v": "<1.22.0"
- }
- ],
 "micropython-mdns": [
 {
 "advisory": "Micropython-mdns 1.3.0 updates its dependency 'wheel' to v0.38.0 to include a security fix.",
@@ -81924,9 +82720,9 @@
 "microstructpy": [
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-41496",
- "id": "pyup.io-50915",
- "more_info_path": "/vulnerabilities/CVE-2021-41496/50915",
+ "cve": "CVE-2021-33430",
+ "id": "pyup.io-50871",
+ "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
 "specs": [
 "<1.5.4"
 ],
@@ -81934,9 +82730,9 @@
 },
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-50914",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
+ "cve": "CVE-2021-41496",
+ "id": "pyup.io-50915",
+ "more_info_path": "/vulnerabilities/CVE-2021-41496/50915",
 "specs": [
 "<1.5.4"
 ],
@@ -81944,9 +82740,9 @@
 },
 {
 "advisory": "Microstructpy 1.5.4 updates its dependency 'numpy' to v1.22.0 to include security fixes.",
- "cve": "CVE-2021-33430",
- "id": "pyup.io-50871",
- "more_info_path": "/vulnerabilities/CVE-2021-33430/50871",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-50914",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/50914",
 "specs": [
 "<1.5.4"
 ],
@@ -82002,9 +82798,9 @@
 "mindee": [
 {
 "advisory": "Mindee 2.0.1 updates its dependency 'Pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-45115",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/45115",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-45377",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/45377",
 "specs": [
 "<2.0.1"
 ],
@@ -82012,9 +82808,9 @@
 },
 {
 "advisory": "Mindee 2.0.1 updates its dependency 'Pillow' to v9.0.1 to include security fixes.",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-45377",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/45377",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-45115",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/45115",
 "specs": [
 "<2.0.1"
 ],
@@ -82125,20 +82921,20 @@
 "v": "<0.5.0beta"
 },
 {
- "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13434.",
- "cve": "CVE-2020-13434",
- "id": "pyup.io-40840",
- "more_info_path": "/vulnerabilities/CVE-2020-13434/40840",
+ "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13630.",
+ "cve": "CVE-2020-13630",
+ "id": "pyup.io-40836",
+ "more_info_path": "/vulnerabilities/CVE-2020-13630/40836",
 "specs": [
 "<0.5.0beta"
 ],
 "v": "<0.5.0beta"
 },
 {
- "advisory": "Mindspore 0.5.0beta upgrades its dependency 'SQLite' to handle CVE-2020-13630.",
- "cve": "CVE-2020-13630",
- "id": "pyup.io-40836",
- "more_info_path": "/vulnerabilities/CVE-2020-13630/40836",
+ "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13434.",
+ "cve": "CVE-2020-13434",
+ "id": "pyup.io-40840",
+ "more_info_path": "/vulnerabilities/CVE-2020-13434/40840",
 "specs": [
 "<0.5.0beta"
 ],
@@ -82317,6 +83113,38 @@
 "v": "<0.8"
 }
 ],
+ "mini-racer": [
+ {
+ "advisory": "Mini-racer version 0.12.1 updates to V8 12.4, which includes fixes for CVE-2024-2625. This update ensures that the package incorporates the latest security patches and improvements from the updated V8 engine version.",
+ "cve": "CVE-2024-2625",
+ "id": "pyup.io-71114",
+ "more_info_path": "/vulnerabilities/CVE-2024-2625/71114",
+ "specs": [
+ "<0.12.1"
+ ],
+ "v": "<0.12.1"
+ },
+ {
+ "advisory": "Mini-racer version 0.12.1 updates to V8 12.4, which includes fixes for CVE-2024-3159. This update ensures that the package benefits from the latest security improvements and patches provided in the new V8 engine version.",
+ "cve": "CVE-2024-3159",
+ "id": "pyup.io-71105",
+ "more_info_path": "/vulnerabilities/CVE-2024-3159/71105",
+ "specs": [
+ "<0.12.1"
+ ],
+ "v": "<0.12.1"
+ },
+ {
+ "advisory": "Mini-racer version 0.12.1 updates to V8 12.4, which includes fixes for CVE-2024-3156. This update ensures that the package incorporates the latest security patches and improvements provided by the new version of the V8 engine.",
+ "cve": "CVE-2024-3156",
+ "id": "pyup.io-71113",
+ "more_info_path": "/vulnerabilities/CVE-2024-3156/71113",
+ "specs": [
+ "<0.12.1"
+ ],
+ "v": "<0.12.1"
+ }
+ ],
 "mirahezebot-plugins": [
 {
 "advisory": "Mirahezebot-plugins 9.0.2 includes a fix for CVE-2020-15251: In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2.\r\nhttps://github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-j257-jfvv-h3x5",
@@ -82591,18 +83419,6 @@
 "v": ">0,<0"
 }
 ],
- "mitogen": [
- {
- "advisory": "Mitogen 0.2.8 includes a fix for CVE-2019-15149: core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism.\r\nhttps://github.com/mitogen-hq/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc",
- "cve": "CVE-2019-15149",
- "id": "pyup.io-54156",
- "more_info_path": "/vulnerabilities/CVE-2019-15149/54156",
- "specs": [
- ">=0,<0.2.8"
- ],
- "v": ">=0,<0.2.8"
- }
- ],
 "mitsuba": [
 {
 "advisory": "Mitsuba 0.4.0 fixes a race condition in `jit_sync_thread()` which can corrupt internal\r\nnanothread data structures.\r\nhttps://github.com/mitsuba-renderer/drjit-core/commit/6690923505cb4fca3fb7d75b2e1705008c0af738",
@@ -82651,7 +83467,7 @@
 "v": "<1.3.0"
 },
 {
- "advisory": "Mkdocs 1.2.3 includes a fix for CVE-2021-40978: Built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information.\r\nNOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601",
+ "advisory": "** DISPUTED ** Mkdocs 1.2.3 includes a fix for CVE-2021-40978: Built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information.\r\nNOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601",
 "cve": "CVE-2021-40978",
 "id": "pyup.io-54697",
 "more_info_path": "/vulnerabilities/CVE-2021-40978/54697",
@@ -82836,9 +83652,9 @@
 },
 {
 "advisory": "Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.",
- "cve": "CVE-2023-49815",
+ "cve": "CVE-2024-27132",
 "id": "pyup.io-68487",
- "more_info_path": "/vulnerabilities/CVE-2023-49815/68487",
+ "more_info_path": "/vulnerabilities/CVE-2024-27132/68487",
 "specs": [
 "<2.10.0"
 ],
@@ -82846,9 +83662,9 @@
 },
 {
 "advisory": "Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.",
- "cve": "CVE-2024-22300",
+ "cve": "CVE-2024-27133",
 "id": "pyup.io-68486",
- "more_info_path": "/vulnerabilities/CVE-2024-22300/68486",
+ "more_info_path": "/vulnerabilities/CVE-2024-27133/68486",
 "specs": [
 "<2.10.0"
 ],
@@ -82865,14 +83681,14 @@
 "v": "<2.12.1"
 },
 {
- "advisory": "Mlflow 2.2.1 includes a fix for CVE-2023-1176: Remote file existence check vulnerability in 'mlflow server' and 'mlflow ui' CLIs.\r\nhttps://github.com/advisories/GHSA-wp72-7hj9-5265",
- "cve": "CVE-2023-1176",
- "id": "pyup.io-55010",
- "more_info_path": "/vulnerabilities/CVE-2023-1176/55010",
+ "advisory": "Mlflow version 2.12.2 updates its gunicorn dependency to version 22 to remedy a security vulnerability specified in CVE-2024-1135. The version constraint for gunicorn has been set to less than 23, ensuring the integration of the latest, secure version of gunicorn.",
+ "cve": "CVE-2024-1135",
+ "id": "pyup.io-70904",
+ "more_info_path": "/vulnerabilities/CVE-2024-1135/70904",
 "specs": [
- "<2.2.1"
+ "<2.12.2"
 ],
- "v": "<2.2.1"
+ "v": "<2.12.2"
 },
 {
 "advisory": "Mlflow 2.2.1 includes a fix for CVE-2023-1177: Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.\r\nhttps://github.com/advisories/GHSA-xg73-94fp-g449",
@@ -82884,6 +83700,16 @@
 ],
 "v": "<2.2.1"
 },
+ {
+ "advisory": "Mlflow 2.2.1 includes a fix for CVE-2023-1176: Remote file existence check vulnerability in 'mlflow server' and 'mlflow ui' CLIs.\r\nhttps://github.com/advisories/GHSA-wp72-7hj9-5265",
+ "cve": "CVE-2023-1176",
+ "id": "pyup.io-55010",
+ "more_info_path": "/vulnerabilities/CVE-2023-1176/55010",
+ "specs": [
+ "<2.2.1"
+ ],
+ "v": "<2.2.1"
+ },
 {
 "advisory": "Mlflow 2.3.0 includes a fix for a Path Traversal vulnerability.\r\nhttps://github.com/advisories/GHSA-wjq3-7jxx-whj9",
 "cve": "CVE-2023-2780",
@@ -82925,20 +83751,20 @@ "v": "<2.4.1" }, { - "advisory": "Mlflow 2.6.0 includes a fix for a Command Injection vulnerability.\r\nhttps://github.com/advisories/GHSA-ffw3-6378-cqgp", - "cve": "CVE-2023-4033", - "id": "pyup.io-60599", - "more_info_path": "/vulnerabilities/CVE-2023-4033/60599", + "advisory": "Mlflow 2.6.0 includes a fix for CVE-2023-3765: Multiple path traversals on Windows hosts.\r\nhttps://github.com/advisories/GHSA-fmxj-6h9g-6vw3\r\nhttps://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76\r\nhttps://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b", + "cve": "CVE-2023-3765", + "id": "pyup.io-60598", + "more_info_path": "/vulnerabilities/CVE-2023-3765/60598", "specs": [ "<2.6.0" ], "v": "<2.6.0" }, { - "advisory": "Mlflow 2.6.0 includes a fix for CVE-2023-3765: Multiple path traversals on Windows hosts.\r\nhttps://github.com/advisories/GHSA-fmxj-6h9g-6vw3\r\nhttps://huntr.dev/bounties/4be5fd63-8a0a-490d-9ee1-f33dc768ed76\r\nhttps://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b", - "cve": "CVE-2023-3765", - "id": "pyup.io-60598", - "more_info_path": "/vulnerabilities/CVE-2023-3765/60598", + "advisory": "Mlflow 2.6.0 includes a fix for a Command Injection vulnerability.\r\nhttps://github.com/advisories/GHSA-ffw3-6378-cqgp", + "cve": "CVE-2023-4033", + "id": "pyup.io-60599", + "more_info_path": "/vulnerabilities/CVE-2023-4033/60599", "specs": [ "<2.6.0" ], 
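Review bot: Both hunks here only swap the positions of two unchanged mlflow records (pyup.io-60598 and pyup.io-60599), and the same swap pattern makes up the remaining mlflow 2.9.2 hunks and nearly all of the mlrun 1.0.3rc1 and 1.1.0 hunks that follow, so the few substantive changes in this update (the two re-identified MLflow CVEs and the new gunicorn record pyup.io-70904) are buried in thousands of lines of churn. A reorder-heavy diff is a review hazard for a vulnerability feed: a wrong or tampered `specs` range or `cve` value inside one of these swaps would be very hard to spot. The export apparently emits each package's list in nondeterministic order; sorting the list by `id` (or `cve`) before serializing would keep diffs limited to records that actually changed and make each monthly update reviewable.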
@@ -82985,20 +83811,20 @@ "v": "<2.9.2" }, { - "advisory": "mlflow 2.9.2 addresses an Improper Neutralization of Special Elements Used in a Template Engine.\r\nhttps://github.com/mlflow/mlflow/pull/10640/commits/930eb808c6394360d1aa217a9eaa33891c1d244d", - "cve": "CVE-2023-6709", - "id": "pyup.io-62995", - "more_info_path": "/vulnerabilities/CVE-2023-6709/62995", + "advisory": "mlflow 2.9.2 addresses a vulnerability that allows an attacker to inject malicious code into the \u201cContent-Type\u201d header of a POST request, which is then reflected back to the user without proper sanitization or escaping.\r\nhttps://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1", + "cve": "CVE-2023-6568", + "id": "pyup.io-62994", + "more_info_path": "/vulnerabilities/CVE-2023-6568/62994", "specs": [ "<2.9.2" ], "v": "<2.9.2" }, { - "advisory": "mlflow 2.9.2 addresses a vulnerability that allows an attacker to inject malicious code into the \u201cContent-Type\u201d header of a POST request, which is then reflected back to the user without proper sanitization or escaping.\r\nhttps://github.com/mlflow/mlflow/commit/28ff3f94994941e038f2172c6484b65dc4db6ca1", - "cve": "CVE-2023-6568", - "id": "pyup.io-62994", - "more_info_path": "/vulnerabilities/CVE-2023-6568/62994", + "advisory": "mlflow 2.9.2 addresses an Improper Neutralization of Special Elements Used in a Template Engine.\r\nhttps://github.com/mlflow/mlflow/pull/10640/commits/930eb808c6394360d1aa217a9eaa33891c1d244d", + "cve": "CVE-2023-6709", + "id": "pyup.io-62995", + "more_info_path": "/vulnerabilities/CVE-2023-6709/62995", "specs": [ "<2.9.2" ], 
@@ -83025,10 +83851,10 @@ "v": ">=0,<1.23.1" }, { - "advisory": "A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.", - "cve": "CVE-2023-6974", - "id": "pyup.io-65219", - "more_info_path": "/vulnerabilities/CVE-2023-6974/65219", + "advisory": "with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.", + "cve": "CVE-2023-6940", + "id": "pyup.io-65218", + "more_info_path": "/vulnerabilities/CVE-2023-6940/65218", "specs": [ ">=0,<2.9.2" ], 
@@ -83036,49 +83862,49 @@ }, { "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.", - "cve": "CVE-2023-6831", - "id": "pyup.io-65216", - "more_info_path": "/vulnerabilities/CVE-2023-6831/65216", + "cve": "CVE-2023-6909", + "id": "pyup.io-65217", + "more_info_path": "/vulnerabilities/CVE-2023-6909/65217", "specs": [ ">=0,<2.9.2" ], "v": ">=0,<2.9.2" }, { - "advisory": "A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.", - "cve": "CVE-2023-6975", - "id": "pyup.io-65220", - "more_info_path": "/vulnerabilities/CVE-2023-6975/65220", + "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.", + "cve": "CVE-2023-6831", + "id": "pyup.io-65216", + "more_info_path": "/vulnerabilities/CVE-2023-6831/65216", "specs": [ ">=0,<2.9.2" ], "v": ">=0,<2.9.2" }, { - "advisory": "Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.", - "cve": "CVE-2023-6909", - "id": "pyup.io-65217", - "more_info_path": "/vulnerabilities/CVE-2023-6909/65217", + "advisory": "This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.", + "cve": "CVE-2023-6976", + "id": "pyup.io-65221", + "more_info_path": "/vulnerabilities/CVE-2023-6976/65221", "specs": [ ">=0,<2.9.2" ], "v": ">=0,<2.9.2" }, { - "advisory": "This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.", - "cve": "CVE-2023-6976", - "id": "pyup.io-65221", - "more_info_path": "/vulnerabilities/CVE-2023-6976/65221", + "advisory": "A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.", + "cve": "CVE-2023-6974", + "id": "pyup.io-65219", + 
"more_info_path": "/vulnerabilities/CVE-2023-6974/65219", "specs": [ ">=0,<2.9.2" ], "v": ">=0,<2.9.2" }, { - "advisory": "with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.", - "cve": "CVE-2023-6940", - "id": "pyup.io-65218", - "more_info_path": "/vulnerabilities/CVE-2023-6940/65218", + "advisory": "A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.", + "cve": "CVE-2023-6975", + "id": "pyup.io-65220", + "more_info_path": "/vulnerabilities/CVE-2023-6975/65220", "specs": [ ">=0,<2.9.2" ], @@ -83121,19 +83947,19 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-21699", - "id": "pyup.io-49170", - "more_info_path": "/vulnerabilities/CVE-2022-21699/49170", + "cve": "CVE-2022-24785", + "id": "pyup.io-49205", + "more_info_path": "/vulnerabilities/CVE-2022-24785/49205", "specs": [ "<1.0.3rc1" ], "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359", - "cve": "PVE-2022-49161", - "id": "pyup.io-49165", - "more_info_path": "/vulnerabilities/PVE-2022-49161/49165", + "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", + "cve": "CVE-2021-32797", + "id": "pyup.io-49174", + "more_info_path": "/vulnerabilities/CVE-2021-32797/49174", "specs": [ "<1.0.3rc1" ], 
@@ -83141,9 +83967,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-32804", - "id": "pyup.io-49208", - "more_info_path": "/vulnerabilities/CVE-2021-32804/49208", + "cve": "CVE-2021-32803", + "id": "pyup.io-49210", + "more_info_path": "/vulnerabilities/CVE-2021-32803/49210", "specs": [ "<1.0.3rc1" ], @@ -83161,9 +83987,19 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-24785", - "id": "pyup.io-49205", - "more_info_path": "/vulnerabilities/CVE-2022-24785/49205", + "cve": "CVE-2021-3918", + "id": "pyup.io-49171", + "more_info_path": "/vulnerabilities/CVE-2021-3918/49171", + "specs": [ + "<1.0.3rc1" + ], + "v": "<1.0.3rc1" + }, + { + "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", + "cve": "CVE-2022-23219", + "id": "pyup.io-49178", + "more_info_path": "/vulnerabilities/CVE-2022-23219/49178", "specs": [ "<1.0.3rc1" ], 
@@ -83171,19 +84007,19 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", - "cve": "CVE-2022-22817", - "id": "pyup.io-49220", - "more_info_path": "/vulnerabilities/CVE-2022-22817/49220", + "cve": "CVE-2022-22816", + "id": "pyup.io-49218", + "more_info_path": "/vulnerabilities/CVE-2022-22816/49218", "specs": [ "<1.0.3rc1" ], "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-41247", - "id": "pyup.io-49173", - "more_info_path": "/vulnerabilities/CVE-2021-41247/49173", + "advisory": "Mlrun 1.0.3rc1 adds \"notebook~=6.4\" to requirements to tackle vulnerabilities.", + "cve": "CVE-2022-24758", + "id": "pyup.io-49215", + "more_info_path": "/vulnerabilities/CVE-2022-24758/49215", "specs": [ "<1.0.3rc1" ], @@ -83191,19 +84027,19 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-37713", - "id": "pyup.io-49209", - "more_info_path": "/vulnerabilities/CVE-2021-37713/49209", + "cve": "CVE-2022-23218", + "id": "pyup.io-49180", + "more_info_path": "/vulnerabilities/CVE-2022-23218/49180", "specs": [ "<1.0.3rc1" ], "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-3997", - "id": "pyup.io-49204", - "more_info_path": "/vulnerabilities/CVE-2021-3997/49204", + "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", + "cve": "CVE-2022-24303", + "id": "pyup.io-49217", + "more_info_path": "/vulnerabilities/CVE-2022-24303/49217", "specs": [ "<1.0.3rc1" ], 
@@ -83211,9 +84047,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2020-29562", - "id": "pyup.io-49184", - "more_info_path": "/vulnerabilities/CVE-2020-29562/49184", + "cve": "CVE-2020-13529", + "id": "pyup.io-49203", + "more_info_path": "/vulnerabilities/CVE-2020-13529/49203", "specs": [ "<1.0.3rc1" ], @@ -83221,9 +84057,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-3918", - "id": "pyup.io-49171", - "more_info_path": "/vulnerabilities/CVE-2021-3918/49171", + "cve": "CVE-2021-32804", + "id": "pyup.io-49208", + "more_info_path": "/vulnerabilities/CVE-2021-32804/49208", "specs": [ "<1.0.3rc1" ], @@ -83231,9 +84067,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-33910", - "id": "pyup.io-49202", - "more_info_path": "/vulnerabilities/CVE-2021-33910/49202", + "cve": "CVE-2020-29562", + "id": "pyup.io-49184", + "more_info_path": "/vulnerabilities/CVE-2020-29562/49184", "specs": [ "<1.0.3rc1" ], @@ -83241,9 +84077,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-3807", - "id": "pyup.io-49166", - "more_info_path": "/vulnerabilities/CVE-2021-3807/49166", + "cve": "CVE-2021-33910", + "id": "pyup.io-49202", + "more_info_path": "/vulnerabilities/CVE-2021-33910/49202", "specs": [ "<1.0.3rc1" ], 
@@ -83251,9 +84087,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-23218", - "id": "pyup.io-49180", - "more_info_path": "/vulnerabilities/CVE-2022-23218/49180", + "cve": "CVE-2021-35942", + "id": "pyup.io-49175", + "more_info_path": "/vulnerabilities/CVE-2021-35942/49175", "specs": [ "<1.0.3rc1" ], @@ -83261,9 +84097,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-27645", - "id": "pyup.io-49177", - "more_info_path": "/vulnerabilities/CVE-2021-27645/49177", + "cve": "CVE-2021-33503", + "id": "pyup.io-49213", + "more_info_path": "/vulnerabilities/CVE-2021-33503/49213", "specs": [ "<1.0.3rc1" ], @@ -83271,9 +84107,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-24757", - "id": "pyup.io-49172", - "more_info_path": "/vulnerabilities/CVE-2022-24757/49172", + "cve": "CVE-2021-27645", + "id": "pyup.io-49177", + "more_info_path": "/vulnerabilities/CVE-2021-27645/49177", "specs": [ "<1.0.3rc1" ], @@ -83281,9 +84117,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2020-13529", - "id": "pyup.io-49203", - "more_info_path": "/vulnerabilities/CVE-2020-13529/49203", + "cve": "CVE-2021-3326", + "id": "pyup.io-49179", + "more_info_path": "/vulnerabilities/CVE-2021-3326/49179", "specs": [ "<1.0.3rc1" ], 
@@ -83291,9 +84127,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-23219", - "id": "pyup.io-49178", - "more_info_path": "/vulnerabilities/CVE-2022-23219/49178", + "cve": "CVE-2021-3997", + "id": "pyup.io-49204", + "more_info_path": "/vulnerabilities/CVE-2021-3997/49204", "specs": [ "<1.0.3rc1" ], @@ -83301,9 +84137,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2022-0536", - "id": "pyup.io-49168", - "more_info_path": "/vulnerabilities/CVE-2022-0536/49168", + "cve": "CVE-2021-43138", + "id": "pyup.io-49167", + "more_info_path": "/vulnerabilities/CVE-2021-43138/49167", "specs": [ "<1.0.3rc1" ], @@ -83330,20 +84166,20 @@ "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds \"notebook~=6.4\" to requirements to tackle vulnerabilities.", - "cve": "CVE-2022-24758", - "id": "pyup.io-49215", - "more_info_path": "/vulnerabilities/CVE-2022-24758/49215", + "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", + "cve": "CVE-2022-22815", + "id": "pyup.io-49219", + "more_info_path": "/vulnerabilities/CVE-2022-22815/49219", "specs": [ "<1.0.3rc1" ], "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", - "cve": "CVE-2022-22816", - "id": "pyup.io-49218", - "more_info_path": "/vulnerabilities/CVE-2022-22816/49218", + "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", + "cve": "CVE-2021-41247", + "id": "pyup.io-49173", + "more_info_path": "/vulnerabilities/CVE-2021-41247/49173", "specs": [ "<1.0.3rc1" ], 
@@ -83361,9 +84197,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-33503", - "id": "pyup.io-49213", - "more_info_path": "/vulnerabilities/CVE-2021-33503/49213", + "cve": "CVE-2021-37713", + "id": "pyup.io-49209", + "more_info_path": "/vulnerabilities/CVE-2021-37713/49209", "specs": [ "<1.0.3rc1" ], @@ -83371,9 +84207,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-33430", - "id": "pyup.io-49206", - "more_info_path": "/vulnerabilities/CVE-2021-33430/49206", + "cve": "CVE-2022-0536", + "id": "pyup.io-49168", + "more_info_path": "/vulnerabilities/CVE-2022-0536/49168", "specs": [ "<1.0.3rc1" ], @@ -83381,9 +84217,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-39135", - "id": "pyup.io-49161", - "more_info_path": "/vulnerabilities/CVE-2021-39135/49161", + "cve": "CVE-2021-37712", + "id": "pyup.io-49212", + "more_info_path": "/vulnerabilities/CVE-2021-37712/49212", "specs": [ "<1.0.3rc1" ], @@ -83391,9 +84227,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2019-25013", - "id": "pyup.io-49185", - "more_info_path": "/vulnerabilities/CVE-2019-25013/49185", + "cve": "CVE-2016-10228", + "id": "pyup.io-49200", + "more_info_path": "/vulnerabilities/CVE-2016-10228/49200", "specs": [ "<1.0.3rc1" ], 
@@ -83401,29 +84237,19 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2020-27618", - "id": "pyup.io-49176", - "more_info_path": "/vulnerabilities/CVE-2020-27618/49176", - "specs": [ - "<1.0.3rc1" - ], - "v": "<1.0.3rc1" - }, - { - "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", - "cve": "CVE-2022-24303", - "id": "pyup.io-49217", - "more_info_path": "/vulnerabilities/CVE-2022-24303/49217", + "cve": "CVE-2021-39135", + "id": "pyup.io-49161", + "more_info_path": "/vulnerabilities/CVE-2021-39135/49161", "specs": [ "<1.0.3rc1" ], "v": "<1.0.3rc1" }, { - "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-3999", - "id": "pyup.io-49188", - "more_info_path": "/vulnerabilities/CVE-2021-3999/49188", + "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359", + "cve": "PVE-2022-49161", + "id": "pyup.io-49165", + "more_info_path": "/vulnerabilities/PVE-2022-49161/49165", "specs": [ "<1.0.3rc1" ], @@ -83431,9 +84257,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-32803", - "id": "pyup.io-49210", - "more_info_path": "/vulnerabilities/CVE-2021-32803/49210", + "cve": "CVE-2020-27618", + "id": "pyup.io-49176", + "more_info_path": "/vulnerabilities/CVE-2020-27618/49176", "specs": [ "<1.0.3rc1" ], 
@@ -83441,9 +84267,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-32797", - "id": "pyup.io-49174", - "more_info_path": "/vulnerabilities/CVE-2021-32797/49174", + "cve": "CVE-2021-33430", + "id": "pyup.io-49206", + "more_info_path": "/vulnerabilities/CVE-2021-33430/49206", "specs": [ "<1.0.3rc1" ], @@ -83451,9 +84277,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-37712", - "id": "pyup.io-49212", - "more_info_path": "/vulnerabilities/CVE-2021-37712/49212", + "cve": "CVE-2022-21699", + "id": "pyup.io-49170", + "more_info_path": "/vulnerabilities/CVE-2022-21699/49170", "specs": [ "<1.0.3rc1" ], @@ -83461,9 +84287,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-3326", - "id": "pyup.io-49179", - "more_info_path": "/vulnerabilities/CVE-2021-3326/49179", + "cve": "CVE-2022-24757", + "id": "pyup.io-49172", + "more_info_path": "/vulnerabilities/CVE-2022-24757/49172", "specs": [ "<1.0.3rc1" ], @@ -83471,9 +84297,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2016-10228", - "id": "pyup.io-49200", - "more_info_path": "/vulnerabilities/CVE-2016-10228/49200", + "cve": "CVE-2021-3807", + "id": "pyup.io-49166", + "more_info_path": "/vulnerabilities/CVE-2021-3807/49166", "specs": [ "<1.0.3rc1" ], 
@@ -83491,9 +84317,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-35942", - "id": "pyup.io-49175", - "more_info_path": "/vulnerabilities/CVE-2021-35942/49175", + "cve": "CVE-2021-37701", + "id": "pyup.io-49211", + "more_info_path": "/vulnerabilities/CVE-2021-37701/49211", "specs": [ "<1.0.3rc1" ], @@ -83501,9 +84327,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-37701", - "id": "pyup.io-49211", - "more_info_path": "/vulnerabilities/CVE-2021-37701/49211", + "cve": "CVE-2021-3999", + "id": "pyup.io-49188", + "more_info_path": "/vulnerabilities/CVE-2021-3999/49188", "specs": [ "<1.0.3rc1" ], @@ -83511,9 +84337,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds command to install security fixes in Docker base image.\r\nhttps://github.com/mlrun/mlrun/pull/1997/commits/de4c87f478f8d76dd8e46942588c81ef0d0b481e", - "cve": "CVE-2021-43138", - "id": "pyup.io-49167", - "more_info_path": "/vulnerabilities/CVE-2021-43138/49167", + "cve": "CVE-2019-25013", + "id": "pyup.io-49185", + "more_info_path": "/vulnerabilities/CVE-2019-25013/49185", "specs": [ "<1.0.3rc1" ], @@ -83521,9 +84347,9 @@ }, { "advisory": "Mlrun 1.0.3rc1 adds \"pillow~=9.0\" to requirements to tackle vulnerabilities.", - "cve": "CVE-2022-22815", - "id": "pyup.io-49219", - "more_info_path": "/vulnerabilities/CVE-2022-22815/49219", + "cve": "CVE-2022-22817", + "id": "pyup.io-49220", + "more_info_path": "/vulnerabilities/CVE-2022-22817/49220", "specs": [ "<1.0.3rc1" ], 
@@ -83570,120 +84396,120 @@ "v": "<1.0.4rc1" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.", - "cve": "CVE-2021-39134", - "id": "pyup.io-50985", - "more_info_path": "/vulnerabilities/CVE-2021-39134/50985", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-23218", + "id": "pyup.io-51012", + "more_info_path": "/vulnerabilities/CVE-2022-23218/51012", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-33910", - "id": "pyup.io-51018", - "more_info_path": "/vulnerabilities/CVE-2021-33910/51018", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2016-10228", + "id": "pyup.io-51015", + "more_info_path": "/vulnerabilities/CVE-2016-10228/51015", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'urllib3' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-33503", - "id": "pyup.io-51006", - "more_info_path": "/vulnerabilities/CVE-2021-33503/51006", + "advisory": "Mlrun 1.1.0 updates the NPM package 'ansi-regex' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-3807", + "id": "pyup.io-50987", + "more_info_path": "/vulnerabilities/CVE-2021-3807/50987", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security 
fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2019-25013", - "id": "pyup.io-51017", - "more_info_path": "/vulnerabilities/CVE-2019-25013/51017", + "advisory": "Mlrun 1.1.0 updates the Python package 'urllib3' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-33503", + "id": "pyup.io-51006", + "more_info_path": "/vulnerabilities/CVE-2021-33503/51006", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'async' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-43138", - "id": "pyup.io-50988", - "more_info_path": "/vulnerabilities/CVE-2021-43138/50988", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-27645", + "id": "pyup.io-51009", + "more_info_path": "/vulnerabilities/CVE-2021-27645/51009", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'ansi-regex' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-3807", - "id": "pyup.io-50987", - "more_info_path": "/vulnerabilities/CVE-2021-3807/50987", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-3326", + "id": "pyup.io-51011", + "more_info_path": "/vulnerabilities/CVE-2021-3326/51011", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-23219", - "id": "pyup.io-51010", - "more_info_path": 
"/vulnerabilities/CVE-2022-23219/51010", + "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-33910", + "id": "pyup.io-51018", + "more_info_path": "/vulnerabilities/CVE-2021-33910/51018", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-23218", - "id": "pyup.io-51012", - "more_info_path": "/vulnerabilities/CVE-2022-23218/51012", + "advisory": "Mlrun 1.1.0 updates the NPM package 'async' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-43138", + "id": "pyup.io-50988", + "more_info_path": "/vulnerabilities/CVE-2021-43138/50988", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterhub' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-41247", - "id": "pyup.io-51002", - "more_info_path": "/vulnerabilities/CVE-2021-41247/51002", + "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-37701", + "id": "pyup.io-50997", + "more_info_path": "/vulnerabilities/CVE-2021-37701/50997", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/git' in its base image to include a security fix.\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359", - "cve": "PVE-2022-50919", - "id": "pyup.io-50986", - "more_info_path": "/vulnerabilities/PVE-2022-50919/50986", + "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": 
"CVE-2021-37712", + "id": "pyup.io-51000", + "more_info_path": "/vulnerabilities/CVE-2021-37712/51000", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'json-schema' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-3918", - "id": "pyup.io-50991", - "more_info_path": "/vulnerabilities/CVE-2021-3918/50991", + "advisory": "Mlrun 1.1.0 updates the Python package 'ipython' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-21699", + "id": "pyup.io-51004", + "more_info_path": "/vulnerabilities/CVE-2022-21699/51004", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2020-13529", - "id": "pyup.io-51019", - "more_info_path": "/vulnerabilities/CVE-2020-13529/51019", + "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.", + "cve": "CVE-2021-39134", + "id": "pyup.io-50985", + "more_info_path": "/vulnerabilities/CVE-2021-39134/50985", "specs": [ "<1.1.0" ], @@ -83700,10 +84526,10 @@ "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'ipython' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-21699", - "id": "pyup.io-51004", - "more_info_path": "/vulnerabilities/CVE-2022-21699/51004", + "advisory": "Mlrun 1.1.0 updates the Python package 'jupyter-server' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-24757", + "id": "pyup.io-51001", + "more_info_path": "/vulnerabilities/CVE-2022-24757/51001", "specs": [ "<1.1.0" ], 
@@ -83711,139 +84537,139 @@ }, { "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2016-10228", - "id": "pyup.io-51015", - "more_info_path": "/vulnerabilities/CVE-2016-10228/51015", + "cve": "CVE-2021-35942", + "id": "pyup.io-51007", + "more_info_path": "/vulnerabilities/CVE-2021-35942/51007", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'moment' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-24785", - "id": "pyup.io-50992", - "more_info_path": "/vulnerabilities/CVE-2022-24785/50992", + "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-0536", + "id": "pyup.io-50989", + "more_info_path": "/vulnerabilities/CVE-2022-0536/50989", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-0155", - "id": "pyup.io-50990", - "more_info_path": "/vulnerabilities/CVE-2022-0155/50990", + "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/git' in its base image to include a security fix.\r\nhttps://github.com/advisories/GHSA-hxwm-x553-x359", + "cve": "PVE-2022-50919", + "id": "pyup.io-50986", + "more_info_path": "/vulnerabilities/PVE-2022-50919/50986", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2020-29562", - "id": "pyup.io-51016", - "more_info_path": "/vulnerabilities/CVE-2020-29562/51016", + "advisory": 
"Mlrun 1.1.0 updates the NPM package 'json-schema' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-3918", + "id": "pyup.io-50991", + "more_info_path": "/vulnerabilities/CVE-2021-3918/50991", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-3997", - "id": "pyup.io-51020", - "more_info_path": "/vulnerabilities/CVE-2021-3997/51020", + "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterhub' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-41247", + "id": "pyup.io-51002", + "more_info_path": "/vulnerabilities/CVE-2021-41247/51002", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'jupyter-server' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-24757", - "id": "pyup.io-51001", - "more_info_path": "/vulnerabilities/CVE-2022-24757/51001", + "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-3997", + "id": "pyup.io-51020", + "more_info_path": "/vulnerabilities/CVE-2021-3997/51020", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-32804", - "id": "pyup.io-50994", - "more_info_path": "/vulnerabilities/CVE-2021-32804/50994", + "advisory": "Mlrun 1.1.0 updates the Python package 'numpy' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-33430", + "id": "pyup.io-51005", + "more_info_path": 
"/vulnerabilities/CVE-2021-33430/51005", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-32803", - "id": "pyup.io-50996", - "more_info_path": "/vulnerabilities/CVE-2021-32803/50996", + "advisory": "Mlrun 1.1.0 updates the packages 'libsystemd0' and 'libudev1' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2020-13529", + "id": "pyup.io-51019", + "more_info_path": "/vulnerabilities/CVE-2020-13529/51019", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-3999", - "id": "pyup.io-51013", - "more_info_path": "/vulnerabilities/CVE-2021-3999/51013", + "advisory": "Mlrun 1.1.0 updates the NPM package 'moment' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-24785", + "id": "pyup.io-50992", + "more_info_path": "/vulnerabilities/CVE-2022-24785/50992", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-37701", - "id": "pyup.io-50997", - "more_info_path": "/vulnerabilities/CVE-2021-37701/50997", + "advisory": "Mlrun 1.1.0 updates the NPM package 'path-parse' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-23343", + "id": "pyup.io-50993", + "more_info_path": "/vulnerabilities/CVE-2021-23343/50993", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.", - "cve": 
"CVE-2021-39135", - "id": "pyup.io-50919", - "more_info_path": "/vulnerabilities/CVE-2021-39135/50919", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-3999", + "id": "pyup.io-51013", + "more_info_path": "/vulnerabilities/CVE-2021-3999/51013", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'numpy' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-33430", - "id": "pyup.io-51005", - "more_info_path": "/vulnerabilities/CVE-2021-33430/51005", + "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2022-0155", + "id": "pyup.io-50990", + "more_info_path": "/vulnerabilities/CVE-2022-0155/50990", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'path-parse' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-23343", - "id": "pyup.io-50993", - "more_info_path": "/vulnerabilities/CVE-2021-23343/50993", + "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterlab' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-32797", + "id": "pyup.io-51003", + "more_info_path": "/vulnerabilities/CVE-2021-32797/51003", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'follow-redirects' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2022-0536", - "id": "pyup.io-50989", - "more_info_path": "/vulnerabilities/CVE-2022-0536/50989", + "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security 
fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-37713", + "id": "pyup.io-50995", + "more_info_path": "/vulnerabilities/CVE-2021-37713/50995", "specs": [ "<1.1.0" ], @@ -83851,9 +84677,9 @@ }, { "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-35942", - "id": "pyup.io-51007", - "more_info_path": "/vulnerabilities/CVE-2021-35942/51007", + "cve": "CVE-2022-23219", + "id": "pyup.io-51010", + "more_info_path": "/vulnerabilities/CVE-2022-23219/51010", "specs": [ "<1.1.0" ], @@ -83861,9 +84687,9 @@ }, { "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-37713", - "id": "pyup.io-50995", - "more_info_path": "/vulnerabilities/CVE-2021-37713/50995", + "cve": "CVE-2021-32803", + "id": "pyup.io-50996", + "more_info_path": "/vulnerabilities/CVE-2021-32803/50996", "specs": [ "<1.1.0" ], 
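Review bot: Every row this hunk reorders (the `libc-bin`/`libc6`/`locales`, `libsystemd0`/`libudev1`, `tar`, `follow-redirects`, `json-schema` entries) describes a fix to packages in mlrun's Docker base image, yet each is keyed on the `mlrun` PyPI distribution with `"specs": ["<1.1.0"]`, so a tool matching on the pip package will flag a plain `pip install mlrun<1.1.0` for glibc and npm CVEs that the wheel does not ship. The commit only shuffles these rows, but as written they are false positives for anyone not running the published container. I'd make the scope explicit in the text, e.g. `"advisory": "[Container image only] Mlrun 1.1.0 updates the packages 'libc-bin', ... in its base image to include security fixes. ..."`, or drop the rows if this DB is meant to describe the PyPI artifact. Whether the matcher can express an image-only scope is not visible from this file.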
@@ -83871,39 +84697,39 @@ }, { "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2020-6096", - "id": "pyup.io-51014", - "more_info_path": "/vulnerabilities/CVE-2020-6096/51014", + "cve": "CVE-2019-25013", + "id": "pyup.io-51017", + "more_info_path": "/vulnerabilities/CVE-2019-25013/51017", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-37712", - "id": "pyup.io-51000", - "more_info_path": "/vulnerabilities/CVE-2021-37712/51000", + "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2020-6096", + "id": "pyup.io-51014", + "more_info_path": "/vulnerabilities/CVE-2020-6096/51014", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-3326", - "id": "pyup.io-51011", - "more_info_path": "/vulnerabilities/CVE-2021-3326/51011", + "advisory": "Mlrun 1.1.0 updates the NPM package 'tar' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", + "cve": "CVE-2021-32804", + "id": "pyup.io-50994", + "more_info_path": "/vulnerabilities/CVE-2021-32804/50994", "specs": [ "<1.1.0" ], "v": "<1.1.0" }, { - "advisory": "Mlrun 1.1.0 updates the Python package 'jupyterlab' in its base image to include a security fix.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-32797", - "id": "pyup.io-51003", - "more_info_path": "/vulnerabilities/CVE-2021-32797/51003", 
+ "advisory": "Mlrun 1.1.0 updates the NPM package '@npmcli/arborist' in its base image to include security fixes.", + "cve": "CVE-2021-39135", + "id": "pyup.io-50919", + "more_info_path": "/vulnerabilities/CVE-2021-39135/50919", "specs": [ "<1.1.0" ], @@ -83911,9 +84737,9 @@ }, { "advisory": "Mlrun 1.1.0 updates the packages 'libc-bin', 'libc-dev-bin', 'libc6', 'libc6-dev' and 'locales' in its base image to include security fixes.\r\nhttps://github.com/mlrun/mlrun/pull/1997", - "cve": "CVE-2021-27645", - "id": "pyup.io-51009", - "more_info_path": "/vulnerabilities/CVE-2021-27645/51009", + "cve": "CVE-2020-29562", + "id": "pyup.io-51016", + "more_info_path": "/vulnerabilities/CVE-2020-29562/51016", "specs": [ "<1.1.0" ], @@ -84432,7 +85258,7 @@ "v": "<3.6.0" }, { - "advisory": "Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.", + "advisory": "** DISPUTED ** Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.", "cve": "CVE-2023-42261", "id": "pyup.io-65353", "more_info_path": "/vulnerabilities/CVE-2023-42261/65353", 
@@ -85428,40 +86254,40 @@ "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2022-22816", - "id": "pyup.io-53704", - "more_info_path": "/vulnerabilities/CVE-2022-22816/53704", + "advisory": "Mosaicml 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2021-33503", + "id": "pyup.io-53699", + "more_info_path": "/vulnerabilities/CVE-2021-33503/53699", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2023-24816", - "id": "pyup.io-53698", - "more_info_path": "/vulnerabilities/CVE-2023-24816/53698", + "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "PVE-2022-44524", + "id": "pyup.io-53703", + "more_info_path": "/vulnerabilities/PVE-2022-44524/53703", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "PVE-2022-44524", - "id": "pyup.io-53703", - "more_info_path": "/vulnerabilities/PVE-2022-44524/53703", + "advisory": "Mosaicml 0.13.0 updates its dependency 'ipython' to v8.11.0 in Dockerfile to include a security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2023-24816", + "id": "pyup.io-53698", + "more_info_path": "/vulnerabilities/CVE-2023-24816/53698", "specs": [ "<0.13.0" ], "v": "<0.13.0" }, { - "advisory": "Mosaicml 0.13.0 updates its dependency 'urllib3' requirement to '>=1.26.5,<2'' in Dockerfile to include a 
security fix.\r\nhttps://github.com/mosaicml/composer/pull/2007", - "cve": "CVE-2021-33503", - "id": "pyup.io-53699", - "more_info_path": "/vulnerabilities/CVE-2021-33503/53699", + "advisory": "Mosaicml 0.13.0 updates its dependency 'pillow' to v9.0.0 in Dockerfile to include security fixes.\r\nhttps://github.com/mosaicml/composer/pull/2007", + "cve": "CVE-2022-22816", + "id": "pyup.io-53704", + "more_info_path": "/vulnerabilities/CVE-2022-22816/53704", "specs": [ "<0.13.0" ], @@ -85522,20 +86348,20 @@ ], "mosec": [ { - "advisory": "Mosec 0.3.2 updates its rust dependencies 'thread_local' and 'tracing-subscriber' to include security fixes.\r\nhttps://github.com/mosecorg/mosec/issues/116", - "cve": "PVE-2022-44921", - "id": "pyup.io-44921", - "more_info_path": "/vulnerabilities/PVE-2022-44921/44921", + "advisory": "Mosec 0.3.2 updates its rust dependency 'tokio' to v1.16.1 to include a security fix.", + "cve": "CVE-2021-45710", + "id": "pyup.io-44806", + "more_info_path": "/vulnerabilities/CVE-2021-45710/44806", "specs": [ "<0.3.2" ], "v": "<0.3.2" }, { - "advisory": "Mosec 0.3.2 updates its rust dependency 'tokio' to v1.16.1 to include a security fix.", - "cve": "CVE-2021-45710", - "id": "pyup.io-44806", - "more_info_path": "/vulnerabilities/CVE-2021-45710/44806", + "advisory": "Mosec 0.3.2 updates its rust dependencies 'thread_local' and 'tracing-subscriber' to include security fixes.\r\nhttps://github.com/mosecorg/mosec/issues/116", + "cve": "PVE-2022-44921", + "id": "pyup.io-44921", + "more_info_path": "/vulnerabilities/PVE-2022-44921/44921", "specs": [ "<0.3.2" ], 
@@ -85989,20 +86815,20 @@ "v": "<1.1.0" }, { - "advisory": "Msticpy 1.8.2 removes ability to use plaintext token cache because of security concerns.\r\nhttps://github.com/microsoft/msticpy/pull/413", - "cve": "PVE-2022-48630", - "id": "pyup.io-48630", - "more_info_path": "/vulnerabilities/PVE-2022-48630/48630", + "advisory": "Msticpy 1.8.2 updates Docker source to mcr Anaconda for preventing supply chain attacks.\r\nhttps://github.com/microsoft/msticpy/pull/397", + "cve": "PVE-2022-48632", + "id": "pyup.io-48632", + "more_info_path": "/vulnerabilities/PVE-2022-48632/48632", "specs": [ "<1.8.2" ], "v": "<1.8.2" }, { - "advisory": "Msticpy 1.8.2 updates Docker source to mcr Anaconda for preventing supply chain attacks.\r\nhttps://github.com/microsoft/msticpy/pull/397", - "cve": "PVE-2022-48632", - "id": "pyup.io-48632", - "more_info_path": "/vulnerabilities/PVE-2022-48632/48632", + "advisory": "Msticpy 1.8.2 removes ability to use plaintext token cache because of security concerns.\r\nhttps://github.com/microsoft/msticpy/pull/413", + "cve": "PVE-2022-48630", + "id": "pyup.io-48630", + "more_info_path": "/vulnerabilities/PVE-2022-48630/48630", "specs": [ "<1.8.2" ], @@ -86440,6 +87266,16 @@ ], "v": "<2.3.2" }, + { + "advisory": "Muffnn 2.3.2 increases the minimum version of 'tensorflow' to v1.15.4 to include security fixes.", + "cve": "CVE-2019-13960", + "id": "pyup.io-43787", + "more_info_path": "/vulnerabilities/CVE-2019-13960/43787", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" + }, { "advisory": "Muffnn 2.3.2 updates TensorFlow to v1.15.4 to include security fixes.", "cve": "CVE-2020-15358", @@ -86589,16 +87425,6 @@ "<2.3.2" ], "v": "<2.3.2" - }, - { - "advisory": "Muffnn 2.3.2 increases the minimum version of 'tensorflow' to v1.15.4 to include security fixes.", - "cve": "CVE-2019-13960", - "id": "pyup.io-43787", - "more_info_path": "/vulnerabilities/CVE-2019-13960/43787", - "specs": [ - "<2.3.2" - ], - "v": "<2.3.2" } ], "mujoco": [ 
@@ -86788,6 +87614,16 @@ } ], "muttlib": [ + { + "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", + "cve": "CVE-2021-41496", + "id": "pyup.io-50859", + "more_info_path": "/vulnerabilities/CVE-2021-41496/50859", + "specs": [ + "<1.4.19" + ], + "v": "<1.4.19" + }, { "advisory": "Muttlib 1.4.19 updates its dependency 'pillow' requirement to \">=9.1.1\" to include security fixes.", "cve": "CVE-2022-22817", @@ -86858,16 +87694,6 @@ ], "v": "<1.4.19" }, - { - "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", - "cve": "CVE-2021-41496", - "id": "pyup.io-50859", - "more_info_path": "/vulnerabilities/CVE-2021-41496/50859", - "specs": [ - "<1.4.19" - ], - "v": "<1.4.19" - }, { "advisory": "Muttlib 1.4.19 updates its dependency 'numpy' to include security fixes.", "cve": "CVE-2021-33430", 
@@ -87201,6 +88027,16 @@ ], "v": "<=8.0.28" }, + { + "advisory": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.3.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). See CVE-2024-21090.", + "cve": "CVE-2024-21090", + "id": "pyup.io-70625", + "more_info_path": "/vulnerabilities/CVE-2024-21090/70625", + "specs": [ + "<=8.3.0" + ], + "v": "<=8.3.0" + }, { "advisory": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).\r\n\r\nAlias:\r\nGHSA-w6f2-8wx4-47r5", "cve": "CVE-2021-2471", @@ -87243,9 +88079,9 @@ "id": "pyup.io-54357", "more_info_path": "/vulnerabilities/CVE-2021-41078/54357", "specs": [ - ">=0,<2.14.0" + "<2.14.0" ], - "v": ">=0,<2.14.0" + "v": "<2.14.0" } ], "nameko-keycloak": [ 
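Review bot: The CVE-2021-2471 row kept as context directly below the new CVE-2024-21090 entry describes Oracle Connector/J (the Java driver, alias GHSA-w6f2-8wx4-47r5), yet it sits in what appears to be the Connector/Python list — the new row's `"specs": ["<=8.3.0"]` and the `<=8.0.28` row above line up with mysql-connector-python release numbers. A Connector/J CVE does not affect the Python driver, so that row is a false positive for anyone running this DB against a Python lockfile. The commit only inserts the 2024 entry above it, but I'd either remove the Connector/J row or re-key it under the package it belongs to. The package key itself is above this hunk, so the attribution is inferred from the version numbers.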
@@ -87284,20 +88120,20 @@ ], "nannyml": [ { - "advisory": "Nannyml 0.8.4 updates its dependency 'jupyter-core' to v4.11.2 to include a security fix.", - "cve": "CVE-2022-39286", - "id": "pyup.io-53760", - "more_info_path": "/vulnerabilities/CVE-2022-39286/53760", + "advisory": "Nannyml 0.8.4 updates its dependency 'wheel' to v0.38.1 to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-53758", + "more_info_path": "/vulnerabilities/CVE-2022-40898/53758", "specs": [ "<0.8.4" ], "v": "<0.8.4" }, { - "advisory": "Nannyml 0.8.4 updates its dependency 'wheel' to v0.38.1 to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-53758", - "more_info_path": "/vulnerabilities/CVE-2022-40898/53758", + "advisory": "Nannyml 0.8.4 updates its dependency 'jupyter-core' to v4.11.2 to include a security fix.", + "cve": "CVE-2022-39286", + "id": "pyup.io-53760", + "more_info_path": "/vulnerabilities/CVE-2022-39286/53760", "specs": [ "<0.8.4" ], @@ -87314,20 +88150,20 @@ "v": "<0.8.4" }, { - "advisory": "Nannyml 0.8.4 updates its dependency 'pip' to v21.1 to include a security fix.", - "cve": "CVE-2021-3572", - "id": "pyup.io-53749", - "more_info_path": "/vulnerabilities/CVE-2021-3572/53749", + "advisory": "Nannyml 0.8.4 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", + "cve": "CVE-2022-40897", + "id": "pyup.io-53757", + "more_info_path": "/vulnerabilities/CVE-2022-40897/53757", "specs": [ "<0.8.4" ], "v": "<0.8.4" }, { - "advisory": "Nannyml 0.8.4 updates its dependency 'setuptools' to v65.5.1 to include a security fix.", - "cve": "CVE-2022-40897", - "id": "pyup.io-53757", - "more_info_path": "/vulnerabilities/CVE-2022-40897/53757", + "advisory": "Nannyml 0.8.4 updates its dependency 'pip' to v21.1 to include a security fix.", + "cve": "CVE-2021-3572", + "id": "pyup.io-53749", + "more_info_path": "/vulnerabilities/CVE-2021-3572/53749", "specs": [ "<0.8.4" ], 
@@ -87379,6 +88215,16 @@ ], "v": "<0.2.9.5,>=0.4.0.dev0,<0.4.2,>=0.3.0.dev0,<0.3.9.6" }, + { + "advisory": "Nanopb before 0.3.1 allows size_t overflows in pb_dec_bytes and pb_dec_string.", + "cve": "CVE-2014-125106", + "id": "pyup.io-70900", + "more_info_path": "/vulnerabilities/CVE-2014-125106/70900", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + }, { "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.", "cve": "PVE-2021-37704", @@ -87496,9 +88342,9 @@ }, { "advisory": "Nautilus-trader 1.137.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "PVE-2022-44524", - "id": "pyup.io-44600", - "more_info_path": "/vulnerabilities/PVE-2022-44524/44600", + "cve": "CVE-2022-22816", + "id": "pyup.io-44602", + "more_info_path": "/vulnerabilities/CVE-2022-22816/44602", "specs": [ "<1.137.1" ], @@ -87506,9 +88352,9 @@ }, { "advisory": "Nautilus-trader 1.137.1 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-44602", - "more_info_path": "/vulnerabilities/CVE-2022-22816/44602", + "cve": "PVE-2022-44524", + "id": "pyup.io-44600", + "more_info_path": "/vulnerabilities/PVE-2022-44524/44600", "specs": [ "<1.137.1" ], 
@@ -87566,6 +88412,16 @@ ], "v": "<1.2.3" }, + { + "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22817. \r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", + "cve": "CVE-2022-22817", + "id": "pyup.io-63594", + "more_info_path": "/vulnerabilities/CVE-2022-22817/63594", + "specs": [ + "<1.2.4" + ], + "v": "<1.2.4" + }, { "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22815. \r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", "cve": "CVE-2022-22815", @@ -87586,16 +88442,6 @@ ], "v": "<1.2.4" }, - { - "advisory": "Nautobot 1.2.4 upgrades its `Pillow` dependency to 9.0.0 for Python versions >=3.7 to fix CVEs. This change is in response to the security vulnerability identified as CVE-2022-22817. \r\nhttps://github.com/nautobot/nautobot/pull/1270/commits/6434eff5b26ff28a4e06985e3bbb00ae64b8b324", - "cve": "CVE-2022-22817", - "id": "pyup.io-63594", - "more_info_path": "/vulnerabilities/CVE-2022-22817/63594", - "specs": [ - "<1.2.4" - ], - "v": "<1.2.4" - }, { "advisory": "Nautobot 1.2.9 requires Pillow 9.0.1 or later for Python >= 3.7 in develop. This change is in response to the security vulnerability identified as CVE-2022-22817. \r\nhttps://github.com/nautobot/nautobot/pull/1488/commits/2f117f8e8a648a1e58a779477aa282f813014f40", "cve": "CVE-2022-22817", 
@@ -87658,10 +88504,10 @@ "v": "<1.6.10,>=2.0.0,<2.1.2" }, { - "advisory": "Nautobot is affected by a potential XSS vulnerability via 'files/get'. The mentioned endpoint was configured without \"add_attachment_headers\": True and it was missing the Content-Disposition: attachment HTTP header. Without this header, users might not be prompted to download a file; instead, the file could potentially be executed or displayed directly in the browser. This behavior can lead to various security issues, such as Cross-Site Scripting (XSS), automatic execution of potentially malicious files, or unintended disclosure of sensitive information.\r\nhttps://github.com/nautobot/nautobot/pull/5109", - "cve": "PVE-2024-64429", - "id": "pyup.io-64429", - "more_info_path": "/vulnerabilities/PVE-2024-64429/64429", + "advisory": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.", + "cve": "CVE-2024-23345", + "id": "pyup.io-66715", + "more_info_path": "/vulnerabilities/CVE-2024-23345/66715", "specs": [ "<1.6.10", ">=2.0.0,<2.1.2" 
@@ -87669,10 +88515,10 @@ "v": "<1.6.10,>=2.0.0,<2.1.2" }, { - "advisory": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.", - "cve": "CVE-2024-23345", - "id": "pyup.io-66715", - "more_info_path": "/vulnerabilities/CVE-2024-23345/66715", + "advisory": "Nautobot is affected by a potential XSS vulnerability via 'files/get'. The mentioned endpoint was configured without \"add_attachment_headers\": True and it was missing the Content-Disposition: attachment HTTP header. Without this header, users might not be prompted to download a file; instead, the file could potentially be executed or displayed directly in the browser. This behavior can lead to various security issues, such as Cross-Site Scripting (XSS), automatic execution of potentially malicious files, or unintended disclosure of sensitive information.\r\nhttps://github.com/nautobot/nautobot/pull/5109", + "cve": "PVE-2024-64429", + "id": "pyup.io-64429", + "more_info_path": "/vulnerabilities/PVE-2024-64429/64429", "specs": [ "<1.6.10", ">=2.0.0,<2.1.2" 
@@ -87713,7 +88559,7 @@ "v": "<1.6.8,>=2.0.0rc1,<2.1.0" }, { - "advisory": "Nautobot 1.6.8 updates its paramiko dependency from version 3.3.1 to 3.4.0. This change is in response to the security vulnerability identified as CVE-2023-48795.\r\nhttps://github.com/nautobot/nautobot/pull/5002/commits/e8e2bfdf4c0c0e8d923d936b44d53e91405eb256", + "advisory": "Nautobot 1.6.8 and 2.1.0 updates its paramiko dependency from version 3.3.1 to 3.4.0. This change is in response to the security vulnerability identified as CVE-2023-48795.\r\nhttps://github.com/nautobot/nautobot/pull/5002/commits/e8e2bfdf4c0c0e8d923d936b44d53e91405eb256", "cve": "CVE-2023-48795", "id": "pyup.io-63586", "more_info_path": "/vulnerabilities/CVE-2023-48795/63586", @@ -87723,6 +88569,16 @@ ], "v": "<1.6.8,>=2.0.0rc1,<2.1.0" }, + { + "advisory": "Nautobot 2.0.3 addresses a security vulnerability in certain REST API endpoints. These endpoints, when combined with the ?depth= query parameter, could potentially expose hashed user passwords to any authenticated user with access to these endpoints. Although the passwords were not exposed in plaintext, this vulnerability was considered significant enough to warrant a patch.\r\nhttps://github.com/nautobot/nautobot/pull/4692\r\nhttps://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp", + "cve": "CVE-2023-46128", + "id": "pyup.io-63588", + "more_info_path": "/vulnerabilities/CVE-2023-46128/63588", + "specs": [ + "<2.0.3" + ], + "v": "<2.0.3" + }, { "advisory": "Nautobot 2.0.3 upgrades the urllib3 dependency from version 2.0.6 to 2.0.7, following the discovery of a security vulnerability known as CVE-2023-45803.\r\nhttps://github.com/nautobot/nautobot/pull/4671/commits/387d30432452dd622f5125fe3ccd23dd8045790d", "cve": "CVE-2023-45803", 
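Review bot: The relocated CVE-2023-46128 row carries `"specs": ["<2.0.3"]`, which also matches every 1.x release, but the advisory text itself ties the leak to the REST API `?depth=` query parameter that arrived with the 2.0 API, and the linked GHSA-r2hw-74xv-4gqp, as I recall it, lists only 2.0.0 up to 2.0.3 as affected. A 1.6.x install would therefore be flagged for a hashed-password exposure it cannot exhibit. I'd tighten it to `"specs": [">=2.0.0,<2.0.3"]` and `"v": ">=2.0.0,<2.0.3"`, which is how the other Nautobot rows in this file express 2.x-only ranges. Worth confirming against the GHSA before changing, since the range is not stated in the row itself.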
@@ -87743,16 +88599,6 @@ ], "v": "<2.0.3" }, - { - "advisory": "Nautobot 2.0.3 addresses a security vulnerability in certain REST API endpoints. These endpoints, when combined with the ?depth= query parameter, could potentially expose hashed user passwords to any authenticated user with access to these endpoints. Although the passwords were not exposed in plaintext, this vulnerability was considered significant enough to warrant a patch.\r\nhttps://github.com/nautobot/nautobot/pull/4692\r\nhttps://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp", - "cve": "CVE-2023-46128", - "id": "pyup.io-63588", - "more_info_path": "/vulnerabilities/CVE-2023-46128/63588", - "specs": [ - "<2.0.3" - ], - "v": "<2.0.3" - }, { "advisory": "Nautobot 2.0.6 resolves problems related to network device discovery and data consistency checks. With this release, users can expect improved performance and fewer disruptions during operation. \r\nhttps://github.com/nautobot/nautobot/pull/4959", "cve": "PVE-2024-63587", @@ -87775,10 +88621,10 @@ "v": "<2.0.6,<1.6.7" }, { - "advisory": "Nautobot updates its Django dependency to '~3.2.25' to address the security concerns highlighted in CVE-2024-27351.", - "cve": "CVE-2024-27351", - "id": "pyup.io-67146", - "more_info_path": "/vulnerabilities/CVE-2024-27351/67146", + "advisory": "Nautobot fixes the CVE-2024-29199: Several Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.", + "cve": "CVE-2024-29199", + "id": "pyup.io-67024", + "more_info_path": "/vulnerabilities/CVE-2024-29199/67024", "specs": [ ">= 2.0.0,< 2.1.9", "<1.6.16" 
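Review bot: The PVE-2024-63587 row left as context at the tail of this hunk ("Nautobot 2.0.6 resolves problems related to network device discovery and data consistency checks ... improved performance and fewer disruptions") names no vulnerability class, impact or affected component, yet it will raise a finding for every install matched by `"v": "<2.0.6,<1.6.7"`. A vulnerability database entry that cannot say what the security impact is will be treated as noise and trains users to ignore the real Nautobot rows around it. Either the text should state what PR 4959 fixed from a security standpoint, or the row should be dropped rather than reshuffled. I could not verify the PR contents from this file, so the fix may simply be missing from the summary.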
@@ -87786,10 +88632,10 @@ "v": ">= 2.0.0,< 2.1.9,<1.6.16" }, { - "advisory": "Nautobot fixes the CVE-2024-29199: Several Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.", - "cve": "CVE-2024-29199", - "id": "pyup.io-67024", - "more_info_path": "/vulnerabilities/CVE-2024-29199/67024", + "advisory": "Nautobot updates its Django dependency to '~3.2.25' to address the security concerns highlighted in CVE-2024-27351.", + "cve": "CVE-2024-27351", + "id": "pyup.io-67146", + "more_info_path": "/vulnerabilities/CVE-2024-27351/67146", "specs": [ ">= 2.0.0,< 2.1.9", "<1.6.16" 
@@ -87807,6 +88653,17 @@ ], "v": ">=1.1.0,<1.6.7,>2.0.0,<2.0.6" }, + { + "advisory": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability. See CVE-2024-32979.", + "cve": "CVE-2024-32979", + "id": "pyup.io-71239", + "more_info_path": "/vulnerabilities/CVE-2024-32979/71239", + "specs": [ + ">=1.5.0,<1.6.20", + ">=2.0.0,<2.2.3" + ], + "v": ">=1.5.0,<1.6.20,>=2.0.0,<2.2.3" + }, { "advisory": "Nautobot has a known issue where submitting a job via a button only checks for model-level permissions. This means users with permission to run jobs can execute all configured JobButton jobs. The fix for this will be included in versions 1.6.8 and 2.1.0 of Nautobot.\r\nhttps://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999", "cve": "CVE-2023-51649", @@ -87900,9 +88757,9 @@ "nba-api": [ { "advisory": "Nba-api 1.1.14 updates its dependency 'numpy' to v1.22.2 to include a security fix.", - "cve": "CVE-2021-34141", - "id": "pyup.io-61646", - "more_info_path": "/vulnerabilities/CVE-2021-34141/61646", + "cve": "CVE-2021-41496", + "id": "pyup.io-61610", + "more_info_path": "/vulnerabilities/CVE-2021-41496/61610", "specs": [ "<1.1.14" ], 
@@ -87910,9 +88767,9 @@ }, { "advisory": "Nba-api 1.1.14 updates its dependency 'numpy' to v1.22.2 to include a security fix.", - "cve": "CVE-2021-41496", - "id": "pyup.io-61610", - "more_info_path": "/vulnerabilities/CVE-2021-41496/61610", + "cve": "CVE-2021-34141", + "id": "pyup.io-61646", + "more_info_path": "/vulnerabilities/CVE-2021-34141/61646", "specs": [ "<1.1.14" ], @@ -88117,6 +88974,16 @@ "<0.22.1" ], "v": "<0.22.1" + }, + { + "advisory": "Affected versions of Nearbeach are vulnerable to Improper Authorization. A user who has \"Read Only\" access to \"Projects\", can easily modify project's start and end date on a Gantt chart.", + "cve": "PVE-2024-71003", + "id": "pyup.io-71003", + "more_info_path": "/vulnerabilities/PVE-2024-71003/71003", + "specs": [ + "<0.31.21" + ], + "v": "<0.31.21" } ], "nef-pipelines": [ @@ -88186,9 +89053,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14234", - "id": "pyup.io-52403", - "more_info_path": "/vulnerabilities/CVE-2019-14234/52403", + "cve": "CVE-2019-14233", + "id": "pyup.io-52537", + "more_info_path": "/vulnerabilities/CVE-2019-14233/52537", "specs": [ "<1.14.4" ], @@ -88196,9 +89063,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14233", - "id": "pyup.io-52537", - "more_info_path": "/vulnerabilities/CVE-2019-14233/52537", + "cve": "CVE-2019-14235", + "id": "pyup.io-52539", + "more_info_path": "/vulnerabilities/CVE-2019-14235/52539", "specs": [ "<1.14.4" ], @@ -88206,9 +89073,9 @@ }, { "advisory": "Nemo 1.14.4 updates its dependency 'django' to v1.11.23 to include security fixes.", - "cve": "CVE-2019-14235", - "id": "pyup.io-52539", - "more_info_path": "/vulnerabilities/CVE-2019-14235/52539", + "cve": "CVE-2019-14234", + "id": "pyup.io-52403", + "more_info_path": "/vulnerabilities/CVE-2019-14234/52403", "specs": [ "<1.14.4" ], 
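Review bot: The new Nearbeach entry (`"cve": "PVE-2024-71003"`) carries no upstream reference at all — no commit, issue, or advisory URL — so neither the `"<0.31.21"` fix boundary nor the "Read Only" authorization claim can be checked by consumers of this feed, while most other entries in this diff link at least a commit. Please append the NearBeach fix commit/PR or advisory link to the advisory string, e.g. `"... on a Gantt chart.\r\nhttps://github.com/robotichead/NearBeach/..."`, and say whether the Gantt start/end-date endpoint is the only affected one or merely the demonstrated one, since a reader will otherwise assume the former.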
@@ -88236,9 +89103,9 @@ }, { "advisory": "Nemo 2.3.3 updates the 'Django' dependency to v2.2.13 to include security fixes.", - "cve": "CVE-2020-13254", - "id": "pyup.io-43666", - "more_info_path": "/vulnerabilities/CVE-2020-13254/43666", + "cve": "CVE-2020-9402", + "id": "pyup.io-40131", + "more_info_path": "/vulnerabilities/CVE-2020-9402/40131", "specs": [ "<2.3.3" ], @@ -88246,9 +89113,9 @@ }, { "advisory": "Nemo 2.3.3 updates the 'Django' dependency to v2.2.13 to include security fixes.", - "cve": "CVE-2020-9402", - "id": "pyup.io-40131", - "more_info_path": "/vulnerabilities/CVE-2020-9402/40131", + "cve": "CVE-2020-13596", + "id": "pyup.io-43665", + "more_info_path": "/vulnerabilities/CVE-2020-13596/43665", "specs": [ "<2.3.3" ], @@ -88256,9 +89123,9 @@ }, { "advisory": "Nemo 2.3.3 updates the 'Django' dependency to v2.2.13 to include security fixes.", - "cve": "CVE-2020-13596", - "id": "pyup.io-43665", - "more_info_path": "/vulnerabilities/CVE-2020-13596/43665", + "cve": "CVE-2020-13254", + "id": "pyup.io-43666", + "more_info_path": "/vulnerabilities/CVE-2020-13254/43666", "specs": [ "<2.3.3" ], @@ -88276,9 +89143,9 @@ }, { "advisory": "Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22817", - "id": "pyup.io-44751", - "more_info_path": "/vulnerabilities/CVE-2022-22817/44751", + "cve": "CVE-2022-22816", + "id": "pyup.io-44730", + "more_info_path": "/vulnerabilities/CVE-2022-22816/44730", "specs": [ "<3.14.0" ], @@ -88286,9 +89153,9 @@ }, { "advisory": "Nemo 3.14.0 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-44730", - "more_info_path": "/vulnerabilities/CVE-2022-22816/44730", + "cve": "CVE-2022-22817", + "id": "pyup.io-44751", + "more_info_path": "/vulnerabilities/CVE-2022-22817/44751", "specs": [ "<3.14.0" ], 
@@ -88296,9 +89163,9 @@ }, { "advisory": "Nemo 3.15.0 updates its dependency 'Django' to v2.2.27 to include security fixes.", - "cve": "CVE-2022-23833", - "id": "pyup.io-45313", - "more_info_path": "/vulnerabilities/CVE-2022-23833/45313", + "cve": "CVE-2022-22818", + "id": "pyup.io-45284", + "more_info_path": "/vulnerabilities/CVE-2022-22818/45284", "specs": [ "<3.15.0" ], @@ -88306,9 +89173,9 @@ }, { "advisory": "Nemo 3.15.0 updates its dependency 'Django' to v2.2.27 to include security fixes.", - "cve": "CVE-2022-22818", - "id": "pyup.io-45284", - "more_info_path": "/vulnerabilities/CVE-2022-22818/45284", + "cve": "CVE-2022-23833", + "id": "pyup.io-45313", + "more_info_path": "/vulnerabilities/CVE-2022-23833/45313", "specs": [ "<3.15.0" ], @@ -88345,20 +89212,20 @@ "v": "<3.9.2" }, { - "advisory": "Nemo 4.1.0 updates its dependency 'Django' to v3.2.13 to include security fixes.", - "cve": "CVE-2022-28346", - "id": "pyup.io-49527", - "more_info_path": "/vulnerabilities/CVE-2022-28346/49527", + "advisory": "Nemo 4.1.0 updates its dependency 'Pillow' to v9.1.1 to include a security fix.", + "cve": "CVE-2022-30595", + "id": "pyup.io-49528", + "more_info_path": "/vulnerabilities/CVE-2022-30595/49528", "specs": [ "<4.1.0" ], "v": "<4.1.0" }, { - "advisory": "Nemo 4.1.0 updates its dependency 'Pillow' to v9.1.1 to include a security fix.", - "cve": "CVE-2022-30595", - "id": "pyup.io-49528", - "more_info_path": "/vulnerabilities/CVE-2022-30595/49528", + "advisory": "Nemo 4.1.0 updates its dependency 'Django' to v3.2.13 to include security fixes.", + "cve": "CVE-2022-28346", + "id": "pyup.io-49527", + "more_info_path": "/vulnerabilities/CVE-2022-28346/49527", "specs": [ "<4.1.0" ], 
@@ -88475,20 +89342,20 @@ "v": "<4.6.4" }, { - "advisory": "Nemo 4.7.0 updates its dependency 'django' to v3.2.22 to include a security fix.", - "cve": "CVE-2023-43665", - "id": "pyup.io-61746", - "more_info_path": "/vulnerabilities/CVE-2023-43665/61746", + "advisory": "Nemo 4.7.0 updates its dependency 'pillow' to v10.0.1 to include a security fix.", + "cve": "CVE-2023-4863", + "id": "pyup.io-61781", + "more_info_path": "/vulnerabilities/CVE-2023-4863/61781", "specs": [ "<4.7.0" ], "v": "<4.7.0" }, { - "advisory": "Nemo 4.7.0 updates its dependency 'pillow' to v10.0.1 to include a security fix.", - "cve": "CVE-2023-4863", - "id": "pyup.io-61781", - "more_info_path": "/vulnerabilities/CVE-2023-4863/61781", + "advisory": "Nemo 4.7.0 updates its dependency 'django' to v3.2.22 to include a security fix.", + "cve": "CVE-2023-43665", + "id": "pyup.io-61746", + "more_info_path": "/vulnerabilities/CVE-2023-43665/61746", "specs": [ "<4.7.0" ], @@ -89091,6 +89958,17 @@ ], "v": ">2010,<2014.2.2" }, + { + "advisory": "Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.", + "cve": "CVE-2015-5240", + "id": "pyup.io-70764", + "more_info_path": "/vulnerabilities/CVE-2015-5240/70764", + "specs": [ + ">2010,<2014.2.3", + ">=2015.1.0,<2015.1.1" + ], + "v": ">2010,<2014.2.3,>=2015.1.0,<2015.1.1" + }, { "advisory": "The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).", "cve": "CVE-2014-4615", 
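Review bot: The new CVE-2015-5240 entry's ranges contradict its own advisory text: the text says Neutron is affected before 2014.2.4 and 2015.1.x before 2015.1.2, but `"specs"` is `">2010,<2014.2.3"` and `">=2015.1.0,<2015.1.1"`, so 2014.2.3 and 2015.1.1 — both described as vulnerable — would be reported clean. In a scanner feed an under-inclusive range is a silent false negative, which is worse than over-matching. Unless pyup has a source showing the fix landed earlier than the CVE states (nothing in the hunk cites one), I'd align the ranges with the text: `">2010,<2014.2.4"` and `">=2015.1.0,<2015.1.2"`, and update the `"v"` string to match.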
@@ -89136,6 +90014,17 @@ ], "v": ">=2010,<2013.2.4,>=2014,<2014.1.2" }, + { + "advisory": "OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.", + "cve": "CVE-2014-7821", + "id": "pyup.io-70765", + "more_info_path": "/vulnerabilities/CVE-2014-7821/70765", + "specs": [ + ">=2010,<2014.1.4", + ">=2014.2,<2014.2.1" + ], + "v": ">=2010,<2014.1.4,>=2014.2,<2014.2.1" + }, { "advisory": "OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool.", "cve": "CVE-2015-3221", @@ -89147,6 +90036,16 @@ ], "v": ">=2010,<2014.2.4,>=2015.1,<2015.1.1" }, + { + "advisory": "The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression.", + "cve": "CVE-2014-3632", + "id": "pyup.io-70763", + "more_info_path": "/vulnerabilities/CVE-2014-3632/70763", + "specs": [ + ">=2010,<=2014.1.2" + ], + "v": ">=2010,<=2014.1.2" + }, { "advisory": "The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file.", "cve": "CVE-2013-6433", 
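Review bot: CVE-2014-3632, added in the second hunk here, is by its own description a defect in the Red Hat openstack-neutron RPM's sudoers default ("the Red Hat openstack-neutron package before 2014.1.2-4", a regression of the packaging-only CVE-2013-6433 just below it), yet `"specs": [">=2010,<=2014.1.2"]` will flag every upstream `neutron` install from PyPI as privilege-escalation vulnerable, and as far as I can tell the upstream sdist never shipped that sudoers file. If distro-package CVEs are kept in the PyPI feed by policy, the advisory text should state explicitly that only the RHEL OSP packaging is affected so consumers can triage it; otherwise the entry should be dropped. The `<=2014.1.2` bound is also a guessed mapping of an RPM release (`2014.1.2-4`) onto an upstream version and should be noted as such.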
@@ -89332,9 +90231,9 @@ "nicegui": [ { "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22815", - "id": "pyup.io-44585", - "more_info_path": "/vulnerabilities/CVE-2022-22815/44585", + "cve": "CVE-2022-22817", + "id": "pyup.io-44596", + "more_info_path": "/vulnerabilities/CVE-2022-22817/44596", "specs": [ "<0.7.2" ], @@ -89342,9 +90241,9 @@ }, { "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-44595", - "more_info_path": "/vulnerabilities/CVE-2022-22816/44595", + "cve": "CVE-2022-22815", + "id": "pyup.io-44585", + "more_info_path": "/vulnerabilities/CVE-2022-22815/44585", "specs": [ "<0.7.2" ], @@ -89362,9 +90261,9 @@ }, { "advisory": "Nicegui 0.7.2 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22817", - "id": "pyup.io-44596", - "more_info_path": "/vulnerabilities/CVE-2022-22817/44596", + "cve": "CVE-2022-22816", + "id": "pyup.io-44595", + "more_info_path": "/vulnerabilities/CVE-2022-22816/44595", "specs": [ "<0.7.2" ], @@ -89382,9 +90281,9 @@ }, { "advisory": "Nicegui 0.9.26 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", - "cve": "CVE-2022-3602", - "id": "pyup.io-52527", - "more_info_path": "/vulnerabilities/CVE-2022-3602/52527", + "cve": "CVE-2022-3786", + "id": "pyup.io-52420", + "more_info_path": "/vulnerabilities/CVE-2022-3786/52420", "specs": [ "<0.9.26" ], @@ -89392,9 +90291,9 @@ }, { "advisory": "Nicegui 0.9.26 updates its dependency 'cryptography' to v38.0.3 to include security fixes.", - "cve": "CVE-2022-3786", - "id": "pyup.io-52420", - "more_info_path": "/vulnerabilities/CVE-2022-3786/52420", + "cve": "CVE-2022-3602", + "id": "pyup.io-52527", + "more_info_path": "/vulnerabilities/CVE-2022-3602/52527", "specs": [ "<0.9.26" ], 
@@ -89419,6 +90318,16 @@ "<1.4.16" ], "v": "<1.4.16" + }, + { + "advisory": "NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability. See CVE-2024-32005.", + "cve": "CVE-2024-32005", + "id": "pyup.io-70706", + "more_info_path": "/vulnerabilities/CVE-2024-32005/70706", + "specs": [ + "<=1.4.20,>=1.4.6" + ], + "v": "<=1.4.20,>=1.4.6" } ], "niceml": [ 
@@ -89487,20 +90396,20 @@ "v": "<1.0.0pre4" }, { - "advisory": "Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.", - "cve": "CVE-2021-45848", - "id": "pyup.io-54424", - "more_info_path": "/vulnerabilities/CVE-2021-45848/54424", + "advisory": "Nicotine-plus 3.2.1 fixes a crash vulnerability when receiving a download request with a malformed file path.\r\nhttps://github.com/nicotine-plus/nicotine-plus/commit/0e3e2fac27a518f0a84330f1ddf1193424522045", + "cve": "PVE-2022-44940", + "id": "pyup.io-44940", + "more_info_path": "/vulnerabilities/PVE-2022-44940/44940", "specs": [ ">=3.0.3,<3.2.1" ], "v": ">=3.0.3,<3.2.1" }, { - "advisory": "Nicotine-plus 3.2.1 fixes a crash vulnerability when receiving a download request with a malformed file path.\r\nhttps://github.com/nicotine-plus/nicotine-plus/commit/0e3e2fac27a518f0a84330f1ddf1193424522045", - "cve": "PVE-2022-44940", - "id": "pyup.io-44940", - "more_info_path": "/vulnerabilities/PVE-2022-44940/44940", + "advisory": "Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.", + "cve": "CVE-2021-45848", + "id": "pyup.io-54424", + "more_info_path": "/vulnerabilities/CVE-2021-45848/54424", "specs": [ ">=3.0.3,<3.2.1" ], 
@@ -91537,16 +92446,6 @@ } ], "nsupdate": [ - { - "advisory": "A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file `src/nsupdate/settings/base.py` of the component `CSRF Cookie Handler`. The manipulation of the argument `CSRF_COOKIE_HTTPONLY` leads to cookie without `httponly` flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.", - "cve": "CVE-2019-25091", - "id": "pyup.io-54640", - "more_info_path": "/vulnerabilities/CVE-2019-25091/54640", - "specs": [ - "<0.12.0" - ], - "v": "<0.12.0" - }, { "advisory": "nsupdate before 0.3.0 is vulnerable to a undisclosed security issue.", "cve": "PVE-2021-25906", @@ -91740,6 +92639,26 @@ "<2.44.1" ], "v": "<2.44.1" + }, + { + "advisory": "Nucliadb version 3.1.0 upgrades the idna library from version 3.6 to 3.7 to address the security issue identified in CVE-2024-3651.", + "cve": "CVE-2024-3651", + "id": "pyup.io-70928", + "more_info_path": "/vulnerabilities/CVE-2024-3651/70928", + "specs": [ + "<3.1.0" + ], + "v": "<3.1.0" + }, + { + "advisory": "Nucliadb version 3.1.0 upgrades aiohttp from version 3.9.3 to 3.9.4 in response to CVE-2024-27306.", + "cve": "CVE-2024-27306", + "id": "pyup.io-70910", + "more_info_path": "/vulnerabilities/CVE-2024-27306/70910", + "specs": [ + "<3.1.0" + ], + "v": "<3.1.0" } ], "nuclio-jupyter": [ 
@@ -91978,20 +92897,20 @@ "v": ">=0,<2.0.16" }, { - "advisory": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.", - "cve": "CVE-2022-31604", - "id": "pyup.io-54409", - "more_info_path": "/vulnerabilities/CVE-2022-31604/54409", + "advisory": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.", + "cve": "CVE-2022-31605", + "id": "pyup.io-54410", + "more_info_path": "/vulnerabilities/CVE-2022-31605/54410", "specs": [ ">=0,<2.1.2" ], "v": ">=0,<2.1.2" }, { - "advisory": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.", - "cve": "CVE-2022-31605", - "id": "pyup.io-54410", - "more_info_path": "/vulnerabilities/CVE-2022-31605/54410", + "advisory": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. 
The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.", + "cve": "CVE-2022-31604", + "id": "pyup.io-54409", + "more_info_path": "/vulnerabilities/CVE-2022-31604/54409", "specs": [ ">=0,<2.1.2" ], @@ -92373,6 +93292,16 @@ ], "v": "<1.10.0rc1" }, + { + "advisory": "Affected versions of OctoPrint allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081 as the default behavior. From version 1.5.0rc1 onwards, access control is enabled by default. \r\nNOTE: the vendor disputes the significance of this report because their documentation states that with \"blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.\"", + "cve": "CVE-2018-16710", + "id": "pyup.io-67596", + "more_info_path": "/vulnerabilities/CVE-2018-16710/67596", + "specs": [ + "<1.5.0rc1" + ], + "v": "<1.5.0rc1" + }, { "advisory": "Octoprint 1.8.1 fixes an XSS issue in the user/group delete confirmation.\r\nhttps://github.com/OctoPrint/OctoPrint/commit/77904a71b45e6d017cf4c7e5eb8b8d973693c146", "cve": "PVE-2022-49380", 
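Review bot: The rewritten CVE-2018-16710 OctoPrint entry (`"id": "pyup.io-67596"`) drops the leading `** DISPUTED **` marker that the removed version in the next hunk carried — and that this same commit is adding to the OpenCV wechat_qrcode entries — even though the vendor-dispute NOTE remains in the text, so consumers that key on the marker to down-rank disputed findings will now treat this one as undisputed. Keep the prefix: `"advisory": "** DISPUTED ** Affected versions of OctoPrint allows remote attackers ..."`. The range also widens from the CVE record's `<=1.3.9` to `"<1.5.0rc1"` on the strength of "From version 1.5.0rc1 onwards, access control is enabled by default", which is plausible but uncited; a link to the OctoPrint 1.5.0 release note or commit that made access control mandatory would make the wider range defensible.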
@@ -92423,16 +93352,6 @@ ], "v": "<1.9.3" }, - { - "advisory": "** DISPUTED ** OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with \"blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.\"", - "cve": "CVE-2018-16710", - "id": "pyup.io-67596", - "more_info_path": "/vulnerabilities/CVE-2018-16710/67596", - "specs": [ - "<=1.3.9" - ], - "v": "<=1.3.9" - }, { "advisory": "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \"Test\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.", "cve": "CVE-2024-28237", 
@@ -92513,6 +93432,16 @@ ], "v": ">=0,<1.8.0" }, + { + "advisory": "OctoPrint prior to 1.8.3 is vulnerable to Special Element Injection.", + "cve": "CVE-2022-3607", + "id": "pyup.io-54570", + "more_info_path": "/vulnerabilities/CVE-2022-3607/54570", + "specs": [ + ">=0,<1.8.3" + ], + "v": ">=0,<1.8.3" + }, { "advisory": "Versions of OctoPrint prior to 1.8.3 did not require the current user password in order to change that users password. As a result users could be locked out of their accounts or have their accounts stolen under certain circumstances.", "cve": "CVE-2022-2930", @@ -92543,16 +93472,6 @@ ], "v": ">=0,<1.8.3" }, - { - "advisory": "OctoPrint prior to 1.8.3 is vulnerable to Special Element Injection.", - "cve": "CVE-2022-3607", - "id": "pyup.io-54570", - "more_info_path": "/vulnerabilities/CVE-2022-3607/54570", - "specs": [ - ">=0,<1.8.3" - ], - "v": ">=0,<1.8.3" - }, { "advisory": "Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.", "cve": "CVE-2022-3068", @@ -92597,16 +93516,6 @@ ], "v": "<0.10.4" }, - { - "advisory": "Octue 0.41.0 updates its dependency 'pytest' to v7.2.0 to include a safe version of 'py'.", - "cve": "CVE-2022-42969", - "id": "pyup.io-51643", - "more_info_path": "/vulnerabilities/CVE-2022-42969/51643", - "specs": [ - "<0.41.0" - ], - "v": "<0.41.0" - }, { "advisory": "Octue 0.43.3 updates its dependency 'werkzeug' to v2.2.3 to include security fixes.", "cve": "CVE-2023-23934", @@ -92842,6 +93751,16 @@ } ], "omegaml": [ + { + "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", + "cve": "CVE-2021-33430", + "id": "pyup.io-52214", + "more_info_path": "/vulnerabilities/CVE-2021-33430/52214", + "specs": [ + "<0.15.2" + ], + "v": "<0.15.2" + }, { "advisory": "Omegaml 0.15.2 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", "cve": "CVE-2021-33503", 
@@ -92862,6 +93781,16 @@ ], "v": "<0.15.2" }, + { + "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", + "cve": "CVE-2021-41496", + "id": "pyup.io-52213", + "more_info_path": "/vulnerabilities/CVE-2021-41496/52213", + "specs": [ + "<0.15.2" + ], + "v": "<0.15.2" + }, { "advisory": "Omegaml 0.15.2 updates its dependency 'bleach' to v3.3.0 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2020-6816", @@ -93472,16 +94401,6 @@ ], "v": "<0.15.2" }, - { - "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", - "cve": "CVE-2021-41496", - "id": "pyup.io-52213", - "more_info_path": "/vulnerabilities/CVE-2021-41496/52213", - "specs": [ - "<0.15.2" - ], - "v": "<0.15.2" - }, { "advisory": "Omegaml 0.15.2 updates its dependency 'psutil' to v5.6.7 to include a security fix.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2019-18874", @@ -93672,16 +94591,6 @@ ], "v": "<0.15.2" }, - { - "advisory": "Omegaml 0.15.2 updates its dependency 'numpy' to v1.22.2 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", - "cve": "CVE-2021-33430", - "id": "pyup.io-52214", - "more_info_path": "/vulnerabilities/CVE-2021-33430/52214", - "specs": [ - "<0.15.2" - ], - "v": "<0.15.2" - }, { "advisory": "Omegaml 0.15.2 updates its dependency 'pillow' to v9.0.1 to include security fixes.\r\nhttps://github.com/omegaml/omegaml/pull/273", "cve": "CVE-2020-10994", 
@@ -93976,6 +94885,16 @@ ], "v": "<5.20.0" }, + { + "advisory": "Omero-web version 5.26.0 addresses a critical security vulnerability (CVE-2024-35180) by validating the JSONP callback parameter. Previously, OMERO.web endpoints with JSONP enabled, such as `/webclient/imgData/`, lacked escaping or validation for the callback parameter, which could be exploited if not properly managed. Although this vulnerability is hard to exploit in the default OMERO.web setup due to jQuery's callback name generation, it poses a significant risk for plugins using these metadata endpoints.", + "cve": "CVE-2024-35180", + "id": "pyup.io-71090", + "more_info_path": "/vulnerabilities/CVE-2024-35180/71090", + "specs": [ + "<5.26.0" + ], + "v": "<5.26.0" + }, { "advisory": "In OMERO 5.3.3 or earlier a user could create an OriginalFile and adjust its path such that it now points to another user's file on the underlying filesystem, then manipulate the user's data.", "cve": "CVE-2017-1000438", 
@@ -94573,20 +95492,20 @@ ], "openapi-python-client": [ { - "advisory": "In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. See: CVE-2020-15141.", - "cve": "CVE-2020-15141", - "id": "pyup.io-38690", - "more_info_path": "/vulnerabilities/CVE-2020-15141/38690", + "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. See: CVE-2020-15142.", + "cve": "CVE-2020-15142", + "id": "pyup.io-38691", + "more_info_path": "/vulnerabilities/CVE-2020-15142/38691", "specs": [ "<0.5.3" ], "v": "<0.5.3" }, { - "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. See: CVE-2020-15142.", - "cve": "CVE-2020-15142", - "id": "pyup.io-38691", - "more_info_path": "/vulnerabilities/CVE-2020-15142/38691", + "advisory": "In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. See: CVE-2020-15141.", + "cve": "CVE-2020-15141", + "id": "pyup.io-38690", + "more_info_path": "/vulnerabilities/CVE-2020-15141/38690", "specs": [ "<0.5.3" ], 
@@ -94806,16 +95725,6 @@ ], "v": "<2.3.0" }, - { - "advisory": "Openbb 2.3.0 updates its dependency 'cryptography' to v39.0.0 to include security fixes.", - "cve": "CVE-2022-3786", - "id": "pyup.io-53328", - "more_info_path": "/vulnerabilities/CVE-2022-3786/53328", - "specs": [ - "<2.3.0" - ], - "v": "<2.3.0" - }, { "advisory": "Openbb 2.3.0 updates its dependency 'gitpython' to v3.1.30 to include a security fix.", "cve": "CVE-2022-24439", @@ -94837,14 +95746,14 @@ "v": "<2.3.0" }, { - "advisory": "Openbb 2.4.0 updates its NPM dependency 'eta' to v2.0.0 to include security fixes.", - "cve": "CVE-2022-25967", - "id": "pyup.io-53379", - "more_info_path": "/vulnerabilities/CVE-2022-25967/53379", + "advisory": "Openbb 2.3.0 updates its dependency 'cryptography' to v39.0.0 to include security fixes.", + "cve": "CVE-2022-3786", + "id": "pyup.io-53328", + "more_info_path": "/vulnerabilities/CVE-2022-3786/53328", "specs": [ - "<2.4.0" + "<2.3.0" ], - "v": "<2.4.0" + "v": "<2.3.0" }, { "advisory": "Openbb 2.4.0 updates its NPM dependency 'eta' to v2.0.0 to include security fixes.", 
@@ -94855,6 +95764,36 @@ "<2.4.0" ], "v": "<2.4.0" + }, + { + "advisory": "Openbb 2.4.0 updates its NPM dependency 'eta' to v2.0.0 to include security fixes.", + "cve": "CVE-2022-25967", + "id": "pyup.io-53379", + "more_info_path": "/vulnerabilities/CVE-2022-25967/53379", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + }, + { + "advisory": "Openbb version 4.2.0 updates its `fastapi` dependency from `^0.104.1` to `^0.111.0` to address the security vulnerability identified as CVE-2024-24762. This update ensures the application remains secure by incorporating the necessary fixes from the newer version of the FastAPI framework.", + "cve": "CVE-2024-24762", + "id": "pyup.io-71141", + "more_info_path": "/vulnerabilities/CVE-2024-24762/71141", + "specs": [ + "<4.2.0" + ], + "v": "<4.2.0" + }, + { + "advisory": "Openbb version 4.2.0 updates its `aiohttp` dependency from `^3.9.0` to `^3.9.5` to address the security vulnerability identified as CVE-2024-27306. This update ensures enhanced security and stability by incorporating the necessary fixes from the newer version of the `aiohttp` library.", + "cve": "CVE-2024-27306", + "id": "pyup.io-71126", + "more_info_path": "/vulnerabilities/CVE-2024-27306/71126", + "specs": [ + "<4.2.0" + ], + "v": "<4.2.0" } ], "openbrokerapi": [ 
@@ -95232,6 +96171,16 @@ ], "v": "<4.1.2.30" }, + { + "advisory": "** DISPUTED ** OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.\r\nhttps://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6", + "cve": "CVE-2023-2618", + "id": "pyup.io-63408", + "more_info_path": "/vulnerabilities/CVE-2023-2618/63408", + "specs": [ + "<4.7.0" + ], + "v": "<4.7.0" + }, { "advisory": "Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.", "cve": "CVE-2022-37434", 
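Review bot: The re-added CVE-2023-2618 entry keeps `"specs": ["<4.7.0"]` while its own text says the bug affects versions "up to 4.7.0" and the cited fix is opencv_contrib PR 3484 commit 2b62ff6; if that PR merged after the 4.7.0 release, as its number suggests, 4.7.0 itself is affected and the range should be `"<4.8.0"` (or `"<=4.7.0"`) — as written, 4.7.0.x installs are reported clean. Separately, wechat_qrcode is an opencv_contrib module; the neighbouring context line "Opencv-python 4.7.0 updates its C dependency 'zlib'" suggests this key is the plain `opencv-python` wheel, in which case the vulnerable code is not present in the package at all and the entry belongs under `opencv-contrib-python`. The enclosing package key is outside the hunk, so please verify; both remarks apply equally to the CVE-2023-2617 sibling modified in the following hunk.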
@@ -95273,17 +96222,7 @@ "v": "<4.7.0" }, { - "advisory": "OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.\r\nhttps://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6", - "cve": "CVE-2023-2618", - "id": "pyup.io-63408", - "more_info_path": "/vulnerabilities/CVE-2023-2618/63408", - "specs": [ - "<4.7.0" - ], - "v": "<4.7.0" - }, - { - "advisory": "The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.\r\nhttps://github.com/opencv/opencv_contrib/pull/3480", + "advisory": "** DISPUTED ** The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.\r\nhttps://github.com/opencv/opencv_contrib/pull/3480", "cve": "CVE-2023-2617", "id": "pyup.io-63406", "more_info_path": "/vulnerabilities/CVE-2023-2617/63406", 
@@ -95888,6 +96827,16 @@
 "<1.0.9"
 ],
 "v": "<1.0.9"
+ },
+ {
+ "advisory": "Opentera version 1.2.6 addresses a configuration issue in nginx where services using dynamically specified ports in the URL were not restricted to certain ranges. This could potentially allow attackers to access other internal ports. The update resolves this by cleaning up the nginx configuration, specifically removing settings related to external services to restrict the URL-specified port to only the necessary ranges for each service.",
+ "cve": "PVE-2024-70970",
+ "id": "pyup.io-70970",
+ "more_info_path": "/vulnerabilities/PVE-2024-70970/70970",
+ "specs": [
+ "<1.2.6"
+ ],
+ "v": "<1.2.6"
 }
 ],
 "openvc": [
@@ -99078,9 +100027,9 @@
 "opsml": [
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-25669",
- "id": "pyup.io-61334",
- "more_info_path": "/vulnerabilities/CVE-2023-25669/61334",
+ "cve": "CVE-2023-25659",
+ "id": "pyup.io-61323",
+ "more_info_path": "/vulnerabilities/CVE-2023-25659/61323",
 "specs": [
 "<0.3.0"
 ],
@@ -99088,9 +100037,9 @@
 },
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-25663",
- "id": "pyup.io-61333",
- "more_info_path": "/vulnerabilities/CVE-2023-25663/61333",
+ "cve": "CVE-2023-25801",
+ "id": "pyup.io-61332",
+ "more_info_path": "/vulnerabilities/CVE-2023-25801/61332",
 "specs": [
 "<0.3.0"
 ],
@@ -99098,9 +100047,9 @@
 },
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-25659",
- "id": "pyup.io-61323",
- "more_info_path": "/vulnerabilities/CVE-2023-25659/61323",
+ "cve": "CVE-2023-25667",
+ "id": "pyup.io-61335",
+ "more_info_path": "/vulnerabilities/CVE-2023-25667/61335",
 "specs": [
 "<0.3.0"
 ],
@@ -99108,9 +100057,9 @@
 },
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-25801",
- "id": "pyup.io-61332",
- "more_info_path": "/vulnerabilities/CVE-2023-25801/61332",
+ "cve": "CVE-2023-25669",
+ "id": "pyup.io-61334",
+ "more_info_path": "/vulnerabilities/CVE-2023-25669/61334",
 "specs": [
 "<0.3.0"
 ],
@@ -99118,9 +100067,9 @@
 },
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-27579",
- "id": "pyup.io-61336",
- "more_info_path": "/vulnerabilities/CVE-2023-27579/61336",
+ "cve": "CVE-2023-25663",
+ "id": "pyup.io-61333",
+ "more_info_path": "/vulnerabilities/CVE-2023-25663/61333",
 "specs": [
 "<0.3.0"
 ],
@@ -99128,9 +100077,9 @@
 },
 {
 "advisory": "Opsml 0.3.0 updates its dependency 'tensorflow' to v2.11.1 to include several security fixes affecting Confidentiality, Integrity and Availability.",
- "cve": "CVE-2023-25667",
- "id": "pyup.io-61335",
- "more_info_path": "/vulnerabilities/CVE-2023-25667/61335",
+ "cve": "CVE-2023-27579",
+ "id": "pyup.io-61336",
+ "more_info_path": "/vulnerabilities/CVE-2023-27579/61336",
 "specs": [
 "<0.3.0"
 ],
@@ -99403,6 +100352,28 @@
 "v": "<3.8.1,>=3.9.0,<3.19.1,>=3.20.0,<3.23.1"
 }
 ],
+ "oss-red-flag-checker": [
+ {
+ "advisory": "Version 0.1.5 of Oss-red-flag-checker updates the `black` package from version 23.11.0 to 24.3.0 in response to CVE-2024-21503. This upgrade addresses specific vulnerabilities identified in the earlier version of `black`.",
+ "cve": "CVE-2024-21503",
+ "id": "pyup.io-70864",
+ "more_info_path": "/vulnerabilities/CVE-2024-21503/70864",
+ "specs": [
+ "<0.1.5"
+ ],
+ "v": "<0.1.5"
+ },
+ {
+ "advisory": "Version 0.1.5 of Oss-red-flag-checker updates the `cryptography` package from version 42.0.2 to 42.0.4 in response to CVE-2024-26130. This upgrade addresses specific vulnerabilities identified in the earlier version of `cryptography`.",
+ "cve": "CVE-2024-26130",
+ "id": "pyup.io-70865",
+ "more_info_path": "/vulnerabilities/CVE-2024-26130/70865",
+ "specs": [
+ "<0.1.5"
+ ],
+ "v": "<0.1.5"
+ }
+ ],
 "ostorlab": [
 {
 "advisory": "Ostorlab version 1.0.5 updates its base image to python:3.10.14-alpine3.19 from python:3.9-bullseye to address vulnerabilities, enhancing the security and reliability of the docker environment.",
@@ -99726,6 +100697,16 @@
 ],
 "v": "<1.4.0"
 },
+ {
+ "advisory": "A vulnerability classified as problematic was found in pacparser up to 1.3.x. Affected by this vulnerability is the function pacparser_find_proxy of the file src/pacparser.c. The manipulation of the argument url leads to buffer overflow. Attacking locally is a requirement. Upgrading to version 1.4.0 is able to address this issue. The name of the patch is 853e8f45607cb07b877ffd270c63dbcdd5201ad9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215443.",
+ "cve": "CVE-2019-25078",
+ "id": "pyup.io-70777",
+ "more_info_path": "/vulnerabilities/CVE-2019-25078/70777",
+ "specs": [
+ "<1.4.0"
+ ],
+ "v": "<1.4.0"
+ },
 {
 "advisory": "Pacparser 1.4.2 fixes a vulnerability: JavaScript Injection in pacparser_find_proxy().\r\nhttps://github.com/manugarg/pacparser/security/advisories/GHSA-62q6-v997-f7v9",
 "cve": "PVE-2023-58807",
@@ -100160,6 +101141,16 @@
 ],
 "v": "<1.2.2"
 },
+ {
+ "advisory": "Palladium 1.2.2 updates its dependency 'numpy' to v1.17.0 to include a security fix.",
+ "cve": "CVE-2019-6446",
+ "id": "pyup.io-44628",
+ "more_info_path": "/vulnerabilities/CVE-2019-6446/44628",
+ "specs": [
+ "<1.2.2"
+ ],
+ "v": "<1.2.2"
+ },
 {
 "advisory": "Palladium 1.2.2 updates its dependency 'jinja2' to v2.10.1 to include a security fix.",
 "cve": "CVE-2019-10906",
@@ -100180,16 +101171,6 @@
 ],
 "v": "<1.2.2"
 },
- {
- "advisory": "Palladium 1.2.2 updates its dependency 'numpy' to v1.17.0 to include a security fix.",
- "cve": "CVE-2019-6446",
- "id": "pyup.io-44628",
- "more_info_path": "/vulnerabilities/CVE-2019-6446/44628",
- "specs": [
- "<1.2.2"
- ],
- "v": "<1.2.2"
- },
 {
 "advisory": "Palladium 1.2.2 updates its dependency 'urllib3' to v1.25.3 to include security fixes.",
 "cve": "CVE-2019-11324",
@@ -100611,7 +101592,7 @@
 "v": "<1.7.2"
 },
 {
- "advisory": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms.",
+ "advisory": "Paramiko's core implementation of the SSH transport protocol, including certain OpenSSH extensions used before OpenSSH 9.6, is vulnerable to a \"Terrapin attack.\" This vulnerability allows remote attackers to manipulate packet integrity during the handshake phase, potentially leading to security downgrades or disabled features in SSH connections. Specific attacks target the use of ChaCha20-Poly1305 and CBC with Encrypt-then-MAC, where sequence numbers and integrity checks are improperly managed. This issue particularly affects the chacha20-poly1305@openssh.com and -etm@openssh.com MAC algorithms.",
 "cve": "CVE-2023-48795",
 "id": "pyup.io-65193",
 "more_info_path": "/vulnerabilities/CVE-2023-48795/65193",
@@ -100694,10 +101675,10 @@
 ],
 "parso": [
 {
- "advisory": "A deserialization vulnerability has been identified in various versions of parso up to 0.4.0, stemming from how grammar parsing from the cache is handled. It involves the potential for arbitrary code execution if a maliciously crafted pickle file is written to a cache grammar file and subsequently parsed. It's important to note that exploitation of this vulnerability hinges on the attacker's ability to write to the cache directory, a scenario considered unlikely in common configurations.",
- "cve": null,
+ "advisory": "** Disputed ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because \"the cache directory is not under control of the attacker in any common configuration.",
+ "cve": "CVE-2019-12760",
 "id": "pyup.io-69622",
- "more_info_path": "/vulnerabilities/None/69622",
+ "more_info_path": "/vulnerabilities/CVE-2019-12760/69622",
 "specs": [
 ">=0,<0.5.0"
 ],
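Review bot: The new parso advisory string opens a quotation with `\"the cache directory is not under control of the attacker ...` and never closes it, so the NOTE sentence ends mid-quote; append `\"` after `configuration.` (or drop the opening `\"`). The prefix `** Disputed **` also differs in case from the `** DISPUTED **` marker this same update puts on the other disputed entries (CVE-2023-2618, CVE-2023-2617, CVE-2020-25200), so anything that matches on the marker will miss this one; `** DISPUTED **` is the consistent spelling. The hunk also shows `more_info_path` being corrected by hand to follow `cve` from `null` to `CVE-2019-12760`; a generator-side assertion that `more_info_path` equals `/vulnerabilities/<cve>/<id>` would catch the next such drift before it ships.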
@@ -100768,6 +101749,18 @@
 "v": "<0.9.6"
 }
 ],
+ "pass-operator": [
+ {
+ "advisory": "Pass-operator 0.3.1 fixes a security vulnerability related to git push commands. The flaw allowed unauthorized users to execute push operations to the repository. This update enhances the authentication and authorization mechanisms, ensuring that only authorized users can perform git push operations, thereby securing the repository from unauthorized modifications.",
+ "cve": "PVE-2024-71078",
+ "id": "pyup.io-71078",
+ "more_info_path": "/vulnerabilities/PVE-2024-71078/71078",
+ "specs": [
+ "<0.3.1"
+ ],
+ "v": "<0.3.1"
+ }
+ ],
 "passeo": [
 {
 "advisory": "Passeo 1.0.5 includes a fix for CVE-2022-23472: Versions prior to 1.0.5 rely on the python 'random' library for random value selection. The python 'random' library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords.\r\nhttps://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h",
@@ -101309,9 +102302,9 @@
 "pdfreader": [
 {
 "advisory": "Pdfreader 0.1.6 updates its dependency 'pillow' to a version >= 7.1.0 to include security fixes.",
- "cve": "CVE-2020-10378",
- "id": "pyup.io-43477",
- "more_info_path": "/vulnerabilities/CVE-2020-10378/43477",
+ "cve": "CVE-2020-10994",
+ "id": "pyup.io-43476",
+ "more_info_path": "/vulnerabilities/CVE-2020-10994/43476",
 "specs": [
 "<0.1.6"
 ],
@@ -101319,9 +102312,9 @@
 },
 {
 "advisory": "Pdfreader 0.1.6 updates its dependency 'pillow' to a version >= 7.1.0 to include security fixes.",
- "cve": "CVE-2020-10994",
- "id": "pyup.io-43476",
- "more_info_path": "/vulnerabilities/CVE-2020-10994/43476",
+ "cve": "CVE-2020-10378",
+ "id": "pyup.io-43477",
+ "more_info_path": "/vulnerabilities/CVE-2020-10378/43477",
 "specs": [
 "<0.1.6"
 ],
@@ -101751,6 +102744,36 @@
 ],
 "v": "<7.7"
 },
+ {
+ "advisory": "Affected versions of Pgadmin4 are vulnerable to Remote Code Execution (RCE) through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.",
+ "cve": "CVE-2024-3116",
+ "id": "pyup.io-71204",
+ "more_info_path": "/vulnerabilities/CVE-2024-3116/71204",
+ "specs": [
+ "<=8.4"
+ ],
+ "v": "<=8.4"
+ },
+ {
+ "advisory": "Affected versions of Pgadmin4 are vulnerable to a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account\u2019s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account\u2019s MFA enrollment status.",
+ "cve": "CVE-2024-4215",
+ "id": "pyup.io-71203",
+ "more_info_path": "/vulnerabilities/CVE-2024-4215/71203",
+ "specs": [
+ "<=8.5"
+ ],
+ "v": "<=8.5"
+ },
+ {
+ "advisory": "Affected versions of Pgadmin4 are vulnerable to Cross-site Scripting (XSS) via the /settings/store API. An attacker can execute malicious script at the client end by injecting script content into the JSON response.",
+ "cve": "CVE-2024-4216",
+ "id": "pyup.io-71202",
+ "more_info_path": "/vulnerabilities/CVE-2024-4216/71202",
+ "specs": [
+ "<=8.5"
+ ],
+ "v": "<=8.5"
+ },
 {
 "advisory": "Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.",
 "cve": "CVE-2023-22298",
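Review bot: The three new pgadmin4 entries express the affected range with inclusive upper bounds, `"<=8.4"` and `"<=8.5"`, while every other range visible in this file is written as `<first-fixed-version>`. An inclusive bound on a two-component version does not match a hypothetical 8.4.1 or 8.4.post1, so such installs would be reported clean even though they predate the fix; `"<8.5"` and `"<8.6"` express the same intent without that gap, assuming the fixes shipped in 8.5 and 8.6 respectively, which should be confirmed against the pgadmin4 release notes. Whichever form is chosen, `v` must be changed together with `specs` in each entry, as the two are duplicated.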
@@ -102230,6 +103253,16 @@
 "<0.9.1"
 ],
 "v": "<0.9.1"
+ },
+ {
+ "advisory": "Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin page. This vulnerability was patched in version 1.3.2. See CVE-2024-30248.",
+ "cve": "CVE-2024-30248",
+ "id": "pyup.io-70646",
+ "more_info_path": "/vulnerabilities/CVE-2024-30248/70646",
+ "specs": [
+ "<=1.2.0"
+ ],
+ "v": "<=1.2.0"
 }
 ],
 "picklescan": [
@@ -103175,6 +104208,18 @@
 "v": "<2.2.2"
 }
 ],
+ "pinscrape": [
+ {
+ "advisory": "Pinscrape version 3.0.4 has upgraded the tqdm library to version 4.66.3 due to CVE-2024-34062.",
+ "cve": "CVE-2024-34062",
+ "id": "pyup.io-70988",
+ "more_info_path": "/vulnerabilities/CVE-2024-34062/70988",
+ "specs": [
+ "<3.0.4"
+ ],
+ "v": "<3.0.4"
+ }
+ ],
 "pioreactor": [
 {
 "advisory": "Pioreactor 23.11.15rc0 includes a fix for a command injection vulnerability.\r\nhttps://github.com/Pioreactor/pioreactor/commit/c40d2c67a2e49c6d6a395c0789cb35711af2f70d",
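Review bot: The new piccolo-admin CVE-2024-30248 entry limits the affected range to `"<=1.2.0"`, but its own advisory text says the issue "was patched in version 1.3.2"; any release between 1.2.0 and 1.3.2 (a 1.2.x patch, 1.3.0 or 1.3.1, if published) would pass the check unflagged. Unless it is known that no such versions exist, `"specs": ["<1.3.2"]` and `"v": "<1.3.2"` are what the text supports. The trailing `See CVE-2024-30248.` in the advisory only repeats the `cve` field and can be dropped.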
@@ -103239,10 +104284,10 @@
 "v": "<19.2"
 },
 {
- "advisory": "A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.",
- "cve": "CVE-2021-3572",
- "id": "pyup.io-42559",
- "more_info_path": "/vulnerabilities/CVE-2021-3572/42559",
+ "advisory": "An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1.\r\nNOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
+ "cve": "CVE-2018-20225",
+ "id": "pyup.io-67599",
+ "more_info_path": "/vulnerabilities/CVE-2018-20225/67599",
 "specs": [
 "<21.1"
 ],
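Review bot: The CVE-2018-20225 entry written into this slot inherits the context `"specs": ["<21.1"]`, narrowing the range from the `">=0"` of the copy removed in the second hunk of the next line (L383), yet its own text still says "Pip (all versions)" and that 21.1 only "added a warning" about the behaviour; a warning is not a fix, so every pip >= 21.1 is now reported clean for an issue the advisory says is still present. Either keep `">=0"` in `specs` and `v`, or state in the advisory what actually changed in 21.1 that makes later versions unaffected. The new text also drops the `** DISPUTED **` prefix the removed copy carried while keeping the "intended functionality" note, which is the opposite of what this same update does for the other disputed entries (CVE-2023-2618, CVE-2023-2617, CVE-2020-25200).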
@@ -103258,6 +104303,16 @@
 ],
 "v": "<21.1"
 },
+ {
+ "advisory": "A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.",
+ "cve": "CVE-2021-3572",
+ "id": "pyup.io-42559",
+ "more_info_path": "/vulnerabilities/CVE-2021-3572/42559",
+ "specs": [
+ "<21.1"
+ ],
+ "v": "<21.1"
+ },
 {
 "advisory": "Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie \"pip install hg+...\") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the \"hg clone\" call (ie \"--config\"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.",
 "cve": "CVE-2023-5752",
@@ -103287,16 +104342,6 @@
 "<6.1.0"
 ],
 "v": "<6.1.0"
- },
- {
- "advisory": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.",
- "cve": "CVE-2018-20225",
- "id": "pyup.io-67599",
- "more_info_path": "/vulnerabilities/CVE-2018-20225/67599",
- "specs": [
- ">=0"
- ],
- "v": ">=0"
 }
 ],
 "pipenv": [
@@ -103505,6 +104550,18 @@
 "v": "<1.6.0"
 }
 ],
+ "pkgconf": [
+ {
+ "advisory": "Affected versions of Pkgconf are vulnerable to buffer overflow. Variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.",
+ "cve": "CVE-2023-24056",
+ "id": "pyup.io-71263",
+ "more_info_path": "/vulnerabilities/CVE-2023-24056/71263",
+ "specs": [
+ "<1.9.4"
+ ],
+ "v": "<1.9.4"
+ }
+ ],
 "pkgcore": [
 {
 "advisory": "pkgcore 0.4.7.12 includes a security fix; force cwd to something controlled for ebuild env. This blocks an attack detailed in glsa 200810-02; namely that an ebuild invoking python -c (which looks in cwd for modules to load) allows for an attacker to slip something in.",
@@ -105693,9 +106750,9 @@
 },
 {
 "advisory": "Pm4py 2.2.19.1 updates its dependency 'numpy' to v1.22.2 to include security fixes.",
- "cve": "CVE-2021-41495",
- "id": "pyup.io-44946",
- "more_info_path": "/vulnerabilities/CVE-2021-41495/44946",
+ "cve": "CVE-2021-34141",
+ "id": "pyup.io-44944",
+ "more_info_path": "/vulnerabilities/CVE-2021-34141/44944",
 "specs": [
 "<2.2.19.1"
 ],
@@ -105703,9 +106760,9 @@
 },
 {
 "advisory": "Pm4py 2.2.19.1 updates its dependency 'numpy' to v1.22.2 to include security fixes.",
- "cve": "CVE-2021-34141",
- "id": "pyup.io-44944",
- "more_info_path": "/vulnerabilities/CVE-2021-34141/44944",
+ "cve": "CVE-2021-41495",
+ "id": "pyup.io-44946",
+ "more_info_path": "/vulnerabilities/CVE-2021-41495/44946",
 "specs": [
 "<2.2.19.1"
 ],
@@ -105892,6 +106949,16 @@
 }
 ],
 "polyaxon": [
+ {
+ "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'bootstrap' to v3.4.1 to include a security fix.",
+ "cve": "CVE-2019-8331",
+ "id": "pyup.io-49097",
+ "more_info_path": "/vulnerabilities/CVE-2019-8331/49097",
+ "specs": [
+ "<0.4.1"
+ ],
+ "v": "<0.4.1"
+ },
 {
 "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'lodash' to v4.17.11 to include security fixes.",
 "cve": "CVE-2018-16487",
@@ -105912,16 +106979,6 @@
 ],
 "v": "<0.4.1"
 },
- {
- "advisory": "Polyaxon 0.4.1 updates its NPM dependency 'bootstrap' to v3.4.1 to include a security fix.",
- "cve": "CVE-2019-8331",
- "id": "pyup.io-49097",
- "more_info_path": "/vulnerabilities/CVE-2019-8331/49097",
- "specs": [
- "<0.4.1"
- ],
- "v": "<0.4.1"
- },
 {
 "advisory": "Polyaxon 0.5.1 updates its NPM dependency 'lodash' to v4.17.14: vulnerability issue.",
 "cve": "CVE-2019-10744",
@@ -105934,9 +106991,9 @@
 },
 {
 "advisory": "Polyaxon 0.5.5 updates its dependency 'django' to v2.2.4 to include security fixes.",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-45017",
- "more_info_path": "/vulnerabilities/CVE-2019-14232/45017",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-45019",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/45019",
 "specs": [
 "<0.5.5"
 ],
@@ -105954,9 +107011,9 @@
 },
 {
 "advisory": "Polyaxon 0.5.5 updates its dependency 'django' to v2.2.4 to include security fixes.",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-45020",
- "more_info_path": "/vulnerabilities/CVE-2019-14235/45020",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-45017",
+ "more_info_path": "/vulnerabilities/CVE-2019-14232/45017",
 "specs": [
 "<0.5.5"
 ],
@@ -105974,9 +107031,9 @@
 },
 {
 "advisory": "Polyaxon 0.5.5 updates its dependency 'django' to v2.2.4 to include security fixes.",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-45019",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/45019",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-45020",
+ "more_info_path": "/vulnerabilities/CVE-2019-14235/45020",
 "specs": [
 "<0.5.5"
 ],
@@ -106373,6 +107430,18 @@
 "v": "<1.2.50"
 }
 ],
+ "powergenome": [
+ {
+ "advisory": "Powergenome version 0.6.1 enhances SQL input handling to mitigate the risk of SQL injection attacks.",
+ "cve": "PVE-2024-70869",
+ "id": "pyup.io-70869",
+ "more_info_path": "/vulnerabilities/PVE-2024-70869/70869",
+ "specs": [
+ "<0.6.1"
+ ],
+ "v": "<0.6.1"
+ }
+ ],
 "powerline-gitstatus": [
 {
 "advisory": "powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.\n\nAffected functions:\npowerline_gitstatus.segments.GitStatusSegment.get_base_command",
@@ -106693,9 +107762,9 @@
 "pretix": [
 {
 "advisory": "pretix before 2024.1.1 mishandles file validation.",
- "cve": "CVE-2023-52228",
+ "cve": "CVE-2024-27447",
 "id": "pyup.io-68476",
- "more_info_path": "/vulnerabilities/CVE-2023-52228/68476",
+ "more_info_path": "/vulnerabilities/CVE-2024-27447/68476",
 "specs": [
 "<2024.1.1"
 ],
@@ -106738,6 +107807,18 @@
 "v": ">=4.17.0,<4.17.1,>=4.16.0,<4.16.1,>=0,<4.15.1"
 }
 ],
+ "pretzelai": [
+ {
+ "advisory": "Pretzelai version 4.1.0b2 is impacted by CVE-2024-22421, which affects JupyterLab, the original package from which Pretzelai is forked. This vulnerability can expose Authorization and XSRFToken tokens to a third party if users click on a malicious link while using an older version of jupyter-server.",
+ "cve": "CVE-2024-22421",
+ "id": "pyup.io-71067",
+ "more_info_path": "/vulnerabilities/CVE-2024-22421/71067",
+ "specs": [
+ "<4.1.0b2"
+ ],
+ "v": "<4.1.0b2"
+ }
+ ],
 "primerdriver": [
 {
 "advisory": "Primerdriver 1.1.1 updates its NPM dependency 'lodash' to v4.17.19 to include a security fix.\r\nhttps://hackerone.com/reports/864701",
@@ -106808,7 +107889,7 @@
 ],
 "pritunl": [
 {
- "advisory": "Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.",
+ "advisory": "** DISPUTED ** Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.",
 "cve": "CVE-2020-25200",
 "id": "pyup.io-62854",
 "more_info_path": "/vulnerabilities/CVE-2020-25200/62854",
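Review bot: The new pretzelai entry contradicts itself: the advisory says "Pretzelai version 4.1.0b2 is impacted by CVE-2024-22421", while `"specs": ["<4.1.0b2"]` treats 4.1.0b2 as the first unaffected release. If 4.1.0b2 is the version that picked up the fixed jupyter-server, the text should read `Pretzelai version 4.1.0b2 addresses CVE-2024-22421 ...`; if 4.1.0b2 is itself affected, `specs` and `v` need to be `"<=4.1.0b2"` or the first fixed version, which the entry does not name. Worth resolving against the package's release history before publishing, since the text and the matched range currently disagree on the one version they both mention.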
@@ -108984,18 +110065,6 @@
 "v": "<2.7.5,>=2.8.0,<2.8.4,>=2.9.0,<2.9.3,>=2.10.0,<2.10.2"
 }
 ],
- "pulumi": [
- {
- "advisory": "Pulumi 3.33.1 updates versions of its DotNet dependencies 'semver' and 'OneOf' to fix vulnerabilities.\r\nhttps://github.com/pulumi/pulumi/pull/9591",
- "cve": "CVE-2017-0247",
- "id": "pyup.io-48596",
- "more_info_path": "/vulnerabilities/CVE-2017-0247/48596",
- "specs": [
- "<3.33.1"
- ],
- "v": "<3.33.1"
- }
- ],
 "pulumi-aws": [
 {
 "advisory": "Pulumi-aws 5.34.0 updates its GO dependency 'golang.org/x/crypto' to v0.7.0 to include a security fix.",
@@ -109121,9 +110190,9 @@
 "pupyl": [
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15197",
- "id": "pyup.io-44998",
- "more_info_path": "/vulnerabilities/CVE-2020-15197/44998",
+ "cve": "CVE-2020-15191",
+ "id": "pyup.io-44992",
+ "more_info_path": "/vulnerabilities/CVE-2020-15191/44992",
 "specs": [
 "<0.10.4"
 ],
@@ -109131,9 +110200,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15196",
- "id": "pyup.io-44997",
- "more_info_path": "/vulnerabilities/CVE-2020-15196/44997",
+ "cve": "CVE-2020-15199",
+ "id": "pyup.io-45000",
+ "more_info_path": "/vulnerabilities/CVE-2020-15199/45000",
 "specs": [
 "<0.10.4"
 ],
@@ -109141,9 +110210,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15203",
- "id": "pyup.io-45004",
- "more_info_path": "/vulnerabilities/CVE-2020-15203/45004",
+ "cve": "CVE-2020-15213",
+ "id": "pyup.io-45014",
+ "more_info_path": "/vulnerabilities/CVE-2020-15213/45014",
 "specs": [
 "<0.10.4"
 ],
@@ -109151,9 +110220,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15200",
- "id": "pyup.io-45001",
- "more_info_path": "/vulnerabilities/CVE-2020-15200/45001",
+ "cve": "CVE-2020-15192",
+ "id": "pyup.io-44993",
+ "more_info_path": "/vulnerabilities/CVE-2020-15192/44993",
 "specs": [
 "<0.10.4"
 ],
@@ -109161,9 +110230,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15194",
- "id": "pyup.io-44995",
- "more_info_path": "/vulnerabilities/CVE-2020-15194/44995",
+ "cve": "CVE-2020-15193",
+ "id": "pyup.io-44994",
+ "more_info_path": "/vulnerabilities/CVE-2020-15193/44994",
 "specs": [
 "<0.10.4"
 ],
@@ -109171,9 +110240,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15207",
- "id": "pyup.io-45008",
- "more_info_path": "/vulnerabilities/CVE-2020-15207/45008",
+ "cve": "CVE-2020-15194",
+ "id": "pyup.io-44995",
+ "more_info_path": "/vulnerabilities/CVE-2020-15194/44995",
 "specs": [
 "<0.10.4"
 ],
@@ -109191,9 +110260,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15190",
- "id": "pyup.io-39208",
- "more_info_path": "/vulnerabilities/CVE-2020-15190/39208",
+ "cve": "CVE-2020-15208",
+ "id": "pyup.io-45009",
+ "more_info_path": "/vulnerabilities/CVE-2020-15208/45009",
 "specs": [
 "<0.10.4"
 ],
@@ -109201,9 +110270,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15210",
- "id": "pyup.io-45011",
- "more_info_path": "/vulnerabilities/CVE-2020-15210/45011",
+ "cve": "CVE-2020-15206",
+ "id": "pyup.io-45007",
+ "more_info_path": "/vulnerabilities/CVE-2020-15206/45007",
 "specs": [
 "<0.10.4"
 ],
@@ -109211,9 +110280,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15208",
- "id": "pyup.io-45009",
- "more_info_path": "/vulnerabilities/CVE-2020-15208/45009",
+ "cve": "CVE-2020-15202",
+ "id": "pyup.io-45003",
+ "more_info_path": "/vulnerabilities/CVE-2020-15202/45003",
 "specs": [
 "<0.10.4"
 ],
@@ -109221,9 +110290,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15201",
- "id": "pyup.io-45002",
- "more_info_path": "/vulnerabilities/CVE-2020-15201/45002",
+ "cve": "CVE-2020-15209",
+ "id": "pyup.io-45010",
+ "more_info_path": "/vulnerabilities/CVE-2020-15209/45010",
 "specs": [
 "<0.10.4"
 ],
@@ -109231,9 +110300,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15206",
- "id": "pyup.io-45007",
- "more_info_path": "/vulnerabilities/CVE-2020-15206/45007",
+ "cve": "CVE-2020-15195",
+ "id": "pyup.io-44996",
+ "more_info_path": "/vulnerabilities/CVE-2020-15195/44996",
 "specs": [
 "<0.10.4"
 ],
@@ -109241,9 +110310,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15202",
- "id": "pyup.io-45003",
- "more_info_path": "/vulnerabilities/CVE-2020-15202/45003",
+ "cve": "CVE-2020-15204",
+ "id": "pyup.io-45005",
+ "more_info_path": "/vulnerabilities/CVE-2020-15204/45005",
 "specs": [
 "<0.10.4"
 ],
@@ -109251,9 +110320,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15212",
- "id": "pyup.io-45013",
- "more_info_path": "/vulnerabilities/CVE-2020-15212/45013",
+ "cve": "CVE-2020-15197",
+ "id": "pyup.io-44998",
+ "more_info_path": "/vulnerabilities/CVE-2020-15197/44998",
 "specs": [
 "<0.10.4"
 ],
@@ -109261,9 +110330,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15209",
- "id": "pyup.io-45010",
- "more_info_path": "/vulnerabilities/CVE-2020-15209/45010",
+ "cve": "CVE-2020-15196",
+ "id": "pyup.io-44997",
+ "more_info_path": "/vulnerabilities/CVE-2020-15196/44997",
 "specs": [
 "<0.10.4"
 ],
@@ -109271,9 +110340,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15211",
- "id": "pyup.io-45012",
- "more_info_path": "/vulnerabilities/CVE-2020-15211/45012",
+ "cve": "CVE-2020-15203",
+ "id": "pyup.io-45004",
+ "more_info_path": "/vulnerabilities/CVE-2020-15203/45004",
 "specs": [
 "<0.10.4"
 ],
@@ -109281,9 +110350,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15198",
- "id": "pyup.io-44999",
- "more_info_path": "/vulnerabilities/CVE-2020-15198/44999",
+ "cve": "CVE-2020-15200",
+ "id": "pyup.io-45001",
+ "more_info_path": "/vulnerabilities/CVE-2020-15200/45001",
 "specs": [
 "<0.10.4"
 ],
@@ -109291,9 +110360,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15195",
- "id": "pyup.io-44996",
- "more_info_path": "/vulnerabilities/CVE-2020-15195/44996",
+ "cve": "CVE-2020-15207",
+ "id": "pyup.io-45008",
+ "more_info_path": "/vulnerabilities/CVE-2020-15207/45008",
 "specs": [
 "<0.10.4"
 ],
@@ -109301,9 +110370,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15358",
- "id": "pyup.io-45016",
- "more_info_path": "/vulnerabilities/CVE-2020-15358/45016",
+ "cve": "CVE-2020-15190",
+ "id": "pyup.io-39208",
+ "more_info_path": "/vulnerabilities/CVE-2020-15190/39208",
 "specs": [
 "<0.10.4"
 ],
@@ -109311,9 +110380,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15204",
- "id": "pyup.io-45005",
- "more_info_path": "/vulnerabilities/CVE-2020-15204/45005",
+ "cve": "CVE-2020-15210",
+ "id": "pyup.io-45011",
+ "more_info_path": "/vulnerabilities/CVE-2020-15210/45011",
 "specs": [
 "<0.10.4"
 ],
@@ -109321,9 +110390,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15205",
- "id": "pyup.io-45006",
- "more_info_path": "/vulnerabilities/CVE-2020-15205/45006",
+ "cve": "CVE-2020-15201",
+ "id": "pyup.io-45002",
+ "more_info_path": "/vulnerabilities/CVE-2020-15201/45002",
 "specs": [
 "<0.10.4"
 ],
@@ -109331,9 +110400,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15191",
- "id": "pyup.io-44992",
- "more_info_path": "/vulnerabilities/CVE-2020-15191/44992",
+ "cve": "CVE-2020-15212",
+ "id": "pyup.io-45013",
+ "more_info_path": "/vulnerabilities/CVE-2020-15212/45013",
 "specs": [
 "<0.10.4"
 ],
@@ -109341,9 +110410,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15199",
- "id": "pyup.io-45000",
- "more_info_path": "/vulnerabilities/CVE-2020-15199/45000",
+ "cve": "CVE-2020-15211",
+ "id": "pyup.io-45012",
+ "more_info_path": "/vulnerabilities/CVE-2020-15211/45012",
 "specs": [
 "<0.10.4"
 ],
@@ -109351,9 +110420,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15213",
- "id": "pyup.io-45014",
- "more_info_path": "/vulnerabilities/CVE-2020-15213/45014",
+ "cve": "CVE-2020-15198",
+ "id": "pyup.io-44999",
+ "more_info_path": "/vulnerabilities/CVE-2020-15198/44999",
 "specs": [
 "<0.10.4"
 ],
@@ -109361,9 +110430,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15192",
- "id": "pyup.io-44993",
- "more_info_path": "/vulnerabilities/CVE-2020-15192/44993",
+ "cve": "CVE-2020-15358",
+ "id": "pyup.io-45016",
+ "more_info_path": "/vulnerabilities/CVE-2020-15358/45016",
 "specs": [
 "<0.10.4"
 ],
@@ -109371,9 +110440,9 @@
 },
 {
 "advisory": "Pupyl 0.10.4 updates its dependency 'tensorflow' to v2.3.1 to include security fixes.",
- "cve": "CVE-2020-15193",
- "id": "pyup.io-44994",
- "more_info_path": "/vulnerabilities/CVE-2020-15193/44994",
+ "cve": "CVE-2020-15205",
+ "id": "pyup.io-45006",
+ "more_info_path": "/vulnerabilities/CVE-2020-15205/45006",
 "specs": [
 "<0.10.4"
 ],
@@ -109381,9 +110450,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-26270",
- "id": "pyup.io-44983",
- "more_info_path": "/vulnerabilities/CVE-2020-26270/44983",
+ "cve": "CVE-2020-15266",
+ "id": "pyup.io-44991",
+ "more_info_path": "/vulnerabilities/CVE-2020-15266/44991",
 "specs": [
 "<0.10.5"
 ],
@@ -109411,9 +110480,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-26271",
- "id": "pyup.io-44984",
- "more_info_path": "/vulnerabilities/CVE-2020-26271/44984",
+ "cve": "CVE-2020-26268",
+ "id": "pyup.io-44982",
+ "more_info_path": "/vulnerabilities/CVE-2020-26268/44982",
 "specs": [
 "<0.10.5"
 ],
@@ -109421,9 +110490,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-26268",
- "id": "pyup.io-44982",
- "more_info_path": "/vulnerabilities/CVE-2020-26268/44982",
+ "cve": "CVE-2020-15265",
+ "id": "pyup.io-44990",
+ "more_info_path": "/vulnerabilities/CVE-2020-15265/44990",
 "specs": [
 "<0.10.5"
 ],
@@ -109431,9 +110500,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-15265",
- "id": "pyup.io-44990",
- "more_info_path": "/vulnerabilities/CVE-2020-15265/44990",
+ "cve": "CVE-2020-26270",
+ "id": "pyup.io-44983",
+ "more_info_path": "/vulnerabilities/CVE-2020-26270/44983",
 "specs": [
 "<0.10.5"
 ],
@@ -109441,9 +110510,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-26266",
- "id": "pyup.io-44985",
- "more_info_path": "/vulnerabilities/CVE-2020-26266/44985",
+ "cve": "CVE-2020-26271",
+ "id": "pyup.io-44984",
+ "more_info_path": "/vulnerabilities/CVE-2020-26271/44984",
 "specs": [
 "<0.10.5"
 ],
@@ -109451,9 +110520,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-26267",
- "id": "pyup.io-39392",
- "more_info_path": "/vulnerabilities/CVE-2020-26267/39392",
+ "cve": "CVE-2020-26266",
+ "id": "pyup.io-44985",
+ "more_info_path": "/vulnerabilities/CVE-2020-26266/44985",
 "specs": [
 "<0.10.5"
 ],
@@ -109461,9 +110530,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2020-15266",
- "id": "pyup.io-44991",
- "more_info_path": "/vulnerabilities/CVE-2020-15266/44991",
+ "cve": "CVE-2019-20838",
+ "id": "pyup.io-44986",
+ "more_info_path": "/vulnerabilities/CVE-2019-20838/44986",
 "specs": [
 "<0.10.5"
 ],
@@ -109481,9 +110550,9 @@
 },
 {
 "advisory": "Pupyl 0.10.5 updates its dependency 'tensorflow' to v2.4.0 to include security fixes.",
- "cve": "CVE-2019-20838",
- "id": "pyup.io-44986",
- "more_info_path": "/vulnerabilities/CVE-2019-20838/44986",
+ "cve": "CVE-2020-26267",
+ "id": "pyup.io-39392",
+ "more_info_path": "/vulnerabilities/CVE-2020-26267/39392",
 "specs": [
 "<0.10.5"
 ],
@@ -109509,6 +110578,16 @@
 ],
 "v": "<0.11.1"
 },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2020-8285",
+ "id": "pyup.io-43969",
+ "more_info_path": "/vulnerabilities/CVE-2020-8285/43969",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
 "cve": "CVE-2021-29613",
@@ -109579,86 +110658,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29547",
- "id": "pyup.io-43868",
- "more_info_path": "/vulnerabilities/CVE-2021-29547/43868",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29560",
- "id": "pyup.io-43876",
- "more_info_path": "/vulnerabilities/CVE-2021-29560/43876",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29589",
- "id": "pyup.io-43882",
- "more_info_path": "/vulnerabilities/CVE-2021-29589/43882",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29545",
- "id": "pyup.io-43878",
- "more_info_path": "/vulnerabilities/CVE-2021-29545/43878",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29537",
- "id": "pyup.io-43879",
- "more_info_path": "/vulnerabilities/CVE-2021-29537/43879",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29528",
- "id": "pyup.io-43912",
- "more_info_path": "/vulnerabilities/CVE-2021-29528/43912",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29598",
- "id": "pyup.io-43917",
- "more_info_path": "/vulnerabilities/CVE-2021-29598/43917",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29539",
- "id": "pyup.io-40931",
- "more_info_path": "/vulnerabilities/CVE-2021-29539/40931",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29557",
@@ -109669,16 +110668,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29605",
- "id": "pyup.io-43924",
- "more_info_path": "/vulnerabilities/CVE-2021-29605/43924",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29577",
@@ -109689,26 +110678,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29574",
- "id": "pyup.io-43964",
- "more_info_path": "/vulnerabilities/CVE-2021-29574/43964",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2020-8284",
- "id": "pyup.io-43946",
- "more_info_path": "/vulnerabilities/CVE-2020-8284/43946",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29600",
@@ -109771,9 +110740,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29594",
- "id": "pyup.io-43909",
- "more_info_path": "/vulnerabilities/CVE-2021-29594/43909",
+ "cve": "CVE-2021-29568",
+ "id": "pyup.io-43873",
+ "more_info_path": "/vulnerabilities/CVE-2021-29568/43873",
 "specs": [
 "<0.11.1"
 ],
@@ -109799,16 +110768,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29568",
- "id": "pyup.io-43873",
- "more_info_path": "/vulnerabilities/CVE-2021-29568/43873",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29531",
@@ -109849,16 +110808,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29578",
- "id": "pyup.io-43895",
- "more_info_path": "/vulnerabilities/CVE-2021-29578/43895",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29616",
@@ -109919,16 +110868,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29559",
- "id": "pyup.io-43950",
- "more_info_path": "/vulnerabilities/CVE-2021-29559/43950",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
 "cve": "CVE-2021-29591",
@@ -109939,16 +110878,6 @@
 ],
 "v": "<0.11.1"
 },
- {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29570",
- "id": "pyup.io-43960",
- "more_info_path": "/vulnerabilities/CVE-2021-29570/43960",
- "specs": [
- "<0.11.1"
- ],
- "v": "<0.11.1"
- },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
 "cve": "CVE-2021-29527",
@@ -109980,10 +110909,10 @@
 "v": "<0.11.1"
 },
 {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29612",
- "id": "pyup.io-43932",
- "more_info_path": "/vulnerabilities/CVE-2021-29612/43932",
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29533",
+ "id": "pyup.io-43884",
+ "more_info_path": "/vulnerabilities/CVE-2021-29533/43884",
 "specs": [
 "<0.11.1"
 ],
@@ -109991,9 +110920,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29584",
- "id": "pyup.io-43900",
- "more_info_path": "/vulnerabilities/CVE-2021-29584/43900",
+ "cve": "CVE-2021-29522",
+ "id": "pyup.io-43859",
+ "more_info_path": "/vulnerabilities/CVE-2021-29522/43859",
 "specs": [
 "<0.11.1"
 ],
@@ -110001,9 +110930,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29553",
- "id": "pyup.io-43939",
- "more_info_path": "/vulnerabilities/CVE-2021-29553/43939",
+ "cve": "CVE-2021-29566",
+ "id": "pyup.io-43874",
+ "more_info_path": "/vulnerabilities/CVE-2021-29566/43874",
 "specs": [
 "<0.11.1"
 ],
@@ -110011,9 +110940,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29523",
- "id": "pyup.io-43856",
- "more_info_path": "/vulnerabilities/CVE-2021-29523/43856",
+ "cve": "CVE-2021-29534",
+ "id": "pyup.io-43870",
+ "more_info_path": "/vulnerabilities/CVE-2021-29534/43870",
 "specs": [
 "<0.11.1"
 ],
@@ -110021,9 +110950,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29586",
- "id": "pyup.io-43903",
- "more_info_path": "/vulnerabilities/CVE-2021-29586/43903",
+ "cve": "CVE-2021-29597",
+ "id": "pyup.io-43914",
+ "more_info_path": "/vulnerabilities/CVE-2021-29597/43914",
 "specs": [
 "<0.11.1"
 ],
@@ -110031,9 +110960,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29609",
- "id": "pyup.io-43929",
- "more_info_path": "/vulnerabilities/CVE-2021-29609/43929",
+ "cve": "CVE-2021-29541",
+ "id": "pyup.io-43928",
+ "more_info_path": "/vulnerabilities/CVE-2021-29541/43928",
 "specs": [
 "<0.11.1"
 ],
@@ -110041,9 +110970,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29573",
- "id": "pyup.io-43962",
- "more_info_path": "/vulnerabilities/CVE-2021-29573/43962",
+ "cve": "CVE-2021-29619",
+ "id": "pyup.io-43941",
+ "more_info_path": "/vulnerabilities/CVE-2021-29619/43941",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2021-29575",
+ "id": "pyup.io-43961",
+ "more_info_path": "/vulnerabilities/CVE-2021-29575/43961",
 "specs": [
 "<0.11.1"
 ],
@@ -110051,9 +110990,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29549",
- "id": "pyup.io-43936",
- "more_info_path": "/vulnerabilities/CVE-2021-29549/43936",
+ "cve": "CVE-2021-29603",
+ "id": "pyup.io-43925",
+ "more_info_path": "/vulnerabilities/CVE-2021-29603/43925",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2021-29614",
+ "id": "pyup.io-43968",
+ "more_info_path": "/vulnerabilities/CVE-2021-29614/43968",
 "specs": [
 "<0.11.1"
 ],
@@ -110061,9 +111010,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29617",
- "id": "pyup.io-43938",
- "more_info_path": "/vulnerabilities/CVE-2021-29617/43938",
+ "cve": "CVE-2021-29516",
+ "id": "pyup.io-43955",
+ "more_info_path": "/vulnerabilities/CVE-2021-29516/43955",
 "specs": [
 "<0.11.1"
 ],
@@ -110071,9 +111020,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29555",
- "id": "pyup.io-43944",
- "more_info_path": "/vulnerabilities/CVE-2021-29555/43944",
+ "cve": "CVE-2021-29592",
+ "id": "pyup.io-43906",
+ "more_info_path": "/vulnerabilities/CVE-2021-29592/43906",
 "specs": [
 "<0.11.1"
 ],
@@ -110081,9 +111030,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29543",
- "id": "pyup.io-43867",
- "more_info_path": "/vulnerabilities/CVE-2021-29543/43867",
+ "cve": "CVE-2021-29582",
+ "id": "pyup.io-43899",
+ "more_info_path": "/vulnerabilities/CVE-2021-29582/43899",
 "specs": [
 "<0.11.1"
 ],
@@ -110091,9 +111040,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29533",
- "id": "pyup.io-43884",
- "more_info_path": "/vulnerabilities/CVE-2021-29533/43884",
+ "cve": "CVE-2021-29588",
+ "id": "pyup.io-43904",
+ "more_info_path": "/vulnerabilities/CVE-2021-29588/43904",
 "specs": [
 "<0.11.1"
 ],
@@ -110101,9 +111050,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29540",
- "id": "pyup.io-43889",
- "more_info_path": "/vulnerabilities/CVE-2021-29540/43889",
+ "cve": "CVE-2021-29519",
+ "id": "pyup.io-43858",
+ "more_info_path": "/vulnerabilities/CVE-2021-29519/43858",
 "specs": [
 "<0.11.1"
 ],
@@ -110111,9 +111060,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29522",
- "id": "pyup.io-43859",
- "more_info_path": "/vulnerabilities/CVE-2021-29522/43859",
+ "cve": "CVE-2021-29546",
+ "id": "pyup.io-43933",
+ "more_info_path": "/vulnerabilities/CVE-2021-29546/43933",
 "specs": [
 "<0.11.1"
 ],
@@ -110121,9 +111070,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29566",
- "id": "pyup.io-43874",
- "more_info_path": "/vulnerabilities/CVE-2021-29566/43874",
+ "cve": "CVE-2021-29562",
+ "id": "pyup.io-43958",
+ "more_info_path": "/vulnerabilities/CVE-2021-29562/43958",
 "specs": [
 "<0.11.1"
 ],
@@ -110131,9 +111080,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29534",
- "id": "pyup.io-43870",
- "more_info_path": "/vulnerabilities/CVE-2021-29534/43870",
+ "cve": "CVE-2021-29569",
+ "id": "pyup.io-43957",
+ "more_info_path": "/vulnerabilities/CVE-2021-29569/43957",
 "specs": [
 "<0.11.1"
 ],
@@ -110141,9 +111090,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29581",
- "id": "pyup.io-43898",
- "more_info_path": "/vulnerabilities/CVE-2021-29581/43898",
+ "cve": "CVE-2021-29564",
+ "id": "pyup.io-43862",
+ "more_info_path": "/vulnerabilities/CVE-2021-29564/43862",
 "specs": [
 "<0.11.1"
 ],
@@ -110151,9 +111100,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29596",
- "id": "pyup.io-43911",
- "more_info_path": "/vulnerabilities/CVE-2021-29596/43911",
+ "cve": "CVE-2021-29607",
+ "id": "pyup.io-43930",
+ "more_info_path": "/vulnerabilities/CVE-2021-29607/43930",
 "specs": [
 "<0.11.1"
 ],
@@ -110161,9 +111110,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29597",
- "id": "pyup.io-43914",
- "more_info_path": "/vulnerabilities/CVE-2021-29597/43914",
+ "cve": "CVE-2021-29532",
+ "id": "pyup.io-43865",
+ "more_info_path": "/vulnerabilities/CVE-2021-29532/43865",
 "specs": [
 "<0.11.1"
 ],
@@ -110171,9 +111120,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29541",
- "id": "pyup.io-43928",
- "more_info_path": "/vulnerabilities/CVE-2021-29541/43928",
+ "cve": "CVE-2021-29521",
+ "id": "pyup.io-43863",
+ "more_info_path": "/vulnerabilities/CVE-2021-29521/43863",
 "specs": [
 "<0.11.1"
 ],
@@ -110181,19 +111130,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29619",
- "id": "pyup.io-43941",
- "more_info_path": "/vulnerabilities/CVE-2021-29619/43941",
+ "cve": "CVE-2021-29567",
+ "id": "pyup.io-43881",
+ "more_info_path": "/vulnerabilities/CVE-2021-29567/43881",
 "specs": [
 "<0.11.1"
 ],
 "v": "<0.11.1"
 },
 {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29575",
- "id": "pyup.io-43961",
- "more_info_path": "/vulnerabilities/CVE-2021-29575/43961",
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29602",
+ "id": "pyup.io-43921",
+ "more_info_path": "/vulnerabilities/CVE-2021-29602/43921",
 "specs": [
 "<0.11.1"
 ],
@@ -110201,19 +111150,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29603",
- "id": "pyup.io-43925",
- "more_info_path": "/vulnerabilities/CVE-2021-29603/43925",
+ "cve": "CVE-2021-29611",
+ "id": "pyup.io-43931",
+ "more_info_path": "/vulnerabilities/CVE-2021-29611/43931",
 "specs": [
 "<0.11.1"
 ],
 "v": "<0.11.1"
 },
 {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29614",
- "id": "pyup.io-43968",
- "more_info_path": "/vulnerabilities/CVE-2021-29614/43968",
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29590",
+ "id": "pyup.io-43905",
+ "more_info_path": "/vulnerabilities/CVE-2021-29590/43905",
 "specs": [
 "<0.11.1"
 ],
@@ -110221,9 +111170,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29552",
- "id": "pyup.io-43940",
- "more_info_path": "/vulnerabilities/CVE-2021-29552/43940",
+ "cve": "CVE-2021-29565",
+ "id": "pyup.io-43952",
+ "more_info_path": "/vulnerabilities/CVE-2021-29565/43952",
 "specs": [
 "<0.11.1"
 ],
@@ -110231,9 +111180,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29516",
- "id": "pyup.io-43955",
- "more_info_path": "/vulnerabilities/CVE-2021-29516/43955",
+ "cve": "CVE-2021-29558",
+ "id": "pyup.io-43949",
+ "more_info_path": "/vulnerabilities/CVE-2021-29558/43949",
 "specs": [
 "<0.11.1"
 ],
@@ -110241,9 +111190,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29592",
- "id": "pyup.io-43906",
- "more_info_path": "/vulnerabilities/CVE-2021-29592/43906",
+ "cve": "CVE-2021-29554",
+ "id": "pyup.io-43942",
+ "more_info_path": "/vulnerabilities/CVE-2021-29554/43942",
 "specs": [
 "<0.11.1"
 ],
@@ -110251,9 +111200,29 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29582",
- "id": "pyup.io-43899",
- "more_info_path": "/vulnerabilities/CVE-2021-29582/43899",
+ "cve": "CVE-2021-29618",
+ "id": "pyup.io-43937",
+ "more_info_path": "/vulnerabilities/CVE-2021-29618/43937",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2020-8177",
+ "id": "pyup.io-43943",
+ "more_info_path": "/vulnerabilities/CVE-2020-8177/43943",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2021-29610",
+ "id": "pyup.io-43871",
+ "more_info_path": "/vulnerabilities/CVE-2021-29610/43871",
 "specs": [
 "<0.11.1"
 ],
@@ -110261,9 +111230,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29588",
- "id": "pyup.io-43904",
- "more_info_path": "/vulnerabilities/CVE-2021-29588/43904",
+ "cve": "CVE-2021-29571",
+ "id": "pyup.io-43966",
+ "more_info_path": "/vulnerabilities/CVE-2021-29571/43966",
 "specs": [
 "<0.11.1"
 ],
@@ -110271,9 +111240,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29519",
- "id": "pyup.io-43858",
- "more_info_path": "/vulnerabilities/CVE-2021-29519/43858",
+ "cve": "CVE-2021-29556",
+ "id": "pyup.io-43948",
+ "more_info_path": "/vulnerabilities/CVE-2021-29556/43948",
 "specs": [
 "<0.11.1"
 ],
@@ -110281,9 +111250,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29561",
- "id": "pyup.io-43959",
- "more_info_path": "/vulnerabilities/CVE-2021-29561/43959",
+ "cve": "CVE-2021-29551",
+ "id": "pyup.io-43891",
+ "more_info_path": "/vulnerabilities/CVE-2021-29551/43891",
 "specs": [
 "<0.11.1"
 ],
@@ -110291,9 +111260,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29515",
- "id": "pyup.io-43963",
- "more_info_path": "/vulnerabilities/CVE-2021-29515/43963",
+ "cve": "CVE-2021-29585",
+ "id": "pyup.io-43902",
+ "more_info_path": "/vulnerabilities/CVE-2021-29585/43902",
 "specs": [
 "<0.11.1"
 ],
@@ -110301,9 +111270,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29520",
- "id": "pyup.io-43861",
- "more_info_path": "/vulnerabilities/CVE-2021-29520/43861",
+ "cve": "CVE-2021-29583",
+ "id": "pyup.io-43901",
+ "more_info_path": "/vulnerabilities/CVE-2021-29583/43901",
 "specs": [
 "<0.11.1"
 ],
@@ -110311,9 +111280,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29546",
- "id": "pyup.io-43933",
- "more_info_path": "/vulnerabilities/CVE-2021-29546/43933",
+ "cve": "CVE-2021-29542",
+ "id": "pyup.io-43927",
+ "more_info_path": "/vulnerabilities/CVE-2021-29542/43927",
 "specs": [
 "<0.11.1"
 ],
@@ -110321,9 +111290,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29562",
- "id": "pyup.io-43958",
- "more_info_path": "/vulnerabilities/CVE-2021-29562/43958",
+ "cve": "CVE-2021-29587",
+ "id": "pyup.io-43872",
+ "more_info_path": "/vulnerabilities/CVE-2021-29587/43872",
 "specs": [
 "<0.11.1"
 ],
@@ -110331,9 +111300,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29569",
- "id": "pyup.io-43957",
- "more_info_path": "/vulnerabilities/CVE-2021-29569/43957",
+ "cve": "CVE-2021-29579",
+ "id": "pyup.io-43896",
+ "more_info_path": "/vulnerabilities/CVE-2021-29579/43896",
 "specs": [
 "<0.11.1"
 ],
@@ -110341,9 +111310,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29564",
- "id": "pyup.io-43862",
- "more_info_path": "/vulnerabilities/CVE-2021-29564/43862",
+ "cve": "CVE-2021-29538",
+ "id": "pyup.io-43888",
+ "more_info_path": "/vulnerabilities/CVE-2021-29538/43888",
 "specs": [
 "<0.11.1"
 ],
@@ -110351,9 +111320,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29521",
- "id": "pyup.io-43863",
- "more_info_path": "/vulnerabilities/CVE-2021-29521/43863",
+ "cve": "CVE-2021-29595",
+ "id": "pyup.io-43908",
+ "more_info_path": "/vulnerabilities/CVE-2021-29595/43908",
 "specs": [
 "<0.11.1"
 ],
@@ -110361,19 +111330,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29567",
- "id": "pyup.io-43881",
- "more_info_path": "/vulnerabilities/CVE-2021-29567/43881",
+ "cve": "CVE-2021-29599",
+ "id": "pyup.io-43919",
+ "more_info_path": "/vulnerabilities/CVE-2021-29599/43919",
 "specs": [
 "<0.11.1"
 ],
 "v": "<0.11.1"
 },
 {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29602",
- "id": "pyup.io-43921",
- "more_info_path": "/vulnerabilities/CVE-2021-29602/43921",
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2021-29560",
+ "id": "pyup.io-43876",
+ "more_info_path": "/vulnerabilities/CVE-2021-29560/43876",
 "specs": [
 "<0.11.1"
 ],
@@ -110381,9 +111350,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29607",
- "id": "pyup.io-43930",
- "more_info_path": "/vulnerabilities/CVE-2021-29607/43930",
+ "cve": "CVE-2021-29547",
+ "id": "pyup.io-43868",
+ "more_info_path": "/vulnerabilities/CVE-2021-29547/43868",
 "specs": [
 "<0.11.1"
 ],
@@ -110391,9 +111360,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29532",
- "id": "pyup.io-43865",
- "more_info_path": "/vulnerabilities/CVE-2021-29532/43865",
+ "cve": "CVE-2021-29545",
+ "id": "pyup.io-43878",
+ "more_info_path": "/vulnerabilities/CVE-2021-29545/43878",
 "specs": [
 "<0.11.1"
 ],
@@ -110401,9 +111370,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29611",
- "id": "pyup.io-43931",
- "more_info_path": "/vulnerabilities/CVE-2021-29611/43931",
+ "cve": "CVE-2021-29537",
+ "id": "pyup.io-43879",
+ "more_info_path": "/vulnerabilities/CVE-2021-29537/43879",
 "specs": [
 "<0.11.1"
 ],
@@ -110411,9 +111380,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29590",
- "id": "pyup.io-43905",
- "more_info_path": "/vulnerabilities/CVE-2021-29590/43905",
+ "cve": "CVE-2021-29589",
+ "id": "pyup.io-43882",
+ "more_info_path": "/vulnerabilities/CVE-2021-29589/43882",
 "specs": [
 "<0.11.1"
 ],
@@ -110421,9 +111390,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29565",
- "id": "pyup.io-43952",
- "more_info_path": "/vulnerabilities/CVE-2021-29565/43952",
+ "cve": "CVE-2021-29528",
+ "id": "pyup.io-43912",
+ "more_info_path": "/vulnerabilities/CVE-2021-29528/43912",
 "specs": [
 "<0.11.1"
 ],
@@ -110431,9 +111400,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29558",
- "id": "pyup.io-43949",
- "more_info_path": "/vulnerabilities/CVE-2021-29558/43949",
+ "cve": "CVE-2021-29598",
+ "id": "pyup.io-43917",
+ "more_info_path": "/vulnerabilities/CVE-2021-29598/43917",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
+ "cve": "CVE-2021-29539",
+ "id": "pyup.io-40931",
+ "more_info_path": "/vulnerabilities/CVE-2021-29539/40931",
 "specs": [
 "<0.11.1"
 ],
@@ -110441,9 +111420,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29554",
- "id": "pyup.io-43942",
- "more_info_path": "/vulnerabilities/CVE-2021-29554/43942",
+ "cve": "CVE-2021-29605",
+ "id": "pyup.io-43924",
+ "more_info_path": "/vulnerabilities/CVE-2021-29605/43924",
 "specs": [
 "<0.11.1"
 ],
@@ -110451,9 +111430,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29618",
- "id": "pyup.io-43937",
- "more_info_path": "/vulnerabilities/CVE-2021-29618/43937",
+ "cve": "CVE-2021-29574",
+ "id": "pyup.io-43964",
+ "more_info_path": "/vulnerabilities/CVE-2021-29574/43964",
 "specs": [
 "<0.11.1"
 ],
@@ -110461,9 +111440,49 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2020-8177",
- "id": "pyup.io-43943",
- "more_info_path": "/vulnerabilities/CVE-2020-8177/43943",
+ "cve": "CVE-2020-8284",
+ "id": "pyup.io-43946",
+ "more_info_path": "/vulnerabilities/CVE-2020-8284/43946",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29594",
+ "id": "pyup.io-43909",
+ "more_info_path": "/vulnerabilities/CVE-2021-29594/43909",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29578",
+ "id": "pyup.io-43895",
+ "more_info_path": "/vulnerabilities/CVE-2021-29578/43895",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29559",
+ "id": "pyup.io-43950",
+ "more_info_path": "/vulnerabilities/CVE-2021-29559/43950",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29570",
+ "id": "pyup.io-43960",
+ "more_info_path": "/vulnerabilities/CVE-2021-29570/43960",
 "specs": [
 "<0.11.1"
 ],
@@ -110471,9 +111490,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29610",
- "id": "pyup.io-43871",
- "more_info_path": "/vulnerabilities/CVE-2021-29610/43871",
+ "cve": "CVE-2021-29612",
+ "id": "pyup.io-43932",
+ "more_info_path": "/vulnerabilities/CVE-2021-29612/43932",
 "specs": [
 "<0.11.1"
 ],
@@ -110481,9 +111500,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29571",
- "id": "pyup.io-43966",
- "more_info_path": "/vulnerabilities/CVE-2021-29571/43966",
+ "cve": "CVE-2021-29584",
+ "id": "pyup.io-43900",
+ "more_info_path": "/vulnerabilities/CVE-2021-29584/43900",
 "specs": [
 "<0.11.1"
 ],
@@ -110491,9 +111510,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29556",
- "id": "pyup.io-43948",
- "more_info_path": "/vulnerabilities/CVE-2021-29556/43948",
+ "cve": "CVE-2021-29553",
+ "id": "pyup.io-43939",
+ "more_info_path": "/vulnerabilities/CVE-2021-29553/43939",
 "specs": [
 "<0.11.1"
 ],
@@ -110501,9 +111520,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29551",
- "id": "pyup.io-43891",
- "more_info_path": "/vulnerabilities/CVE-2021-29551/43891",
+ "cve": "CVE-2021-29523",
+ "id": "pyup.io-43856",
+ "more_info_path": "/vulnerabilities/CVE-2021-29523/43856",
 "specs": [
 "<0.11.1"
 ],
@@ -110511,9 +111530,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29585",
- "id": "pyup.io-43902",
- "more_info_path": "/vulnerabilities/CVE-2021-29585/43902",
+ "cve": "CVE-2021-29586",
+ "id": "pyup.io-43903",
+ "more_info_path": "/vulnerabilities/CVE-2021-29586/43903",
 "specs": [
 "<0.11.1"
 ],
@@ -110521,9 +111540,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29513",
- "id": "pyup.io-43892",
- "more_info_path": "/vulnerabilities/CVE-2021-29513/43892",
+ "cve": "CVE-2021-29609",
+ "id": "pyup.io-43929",
+ "more_info_path": "/vulnerabilities/CVE-2021-29609/43929",
 "specs": [
 "<0.11.1"
 ],
@@ -110531,19 +111550,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-37686",
- "id": "pyup.io-43970",
- "more_info_path": "/vulnerabilities/CVE-2021-37686/43970",
+ "cve": "CVE-2021-29573",
+ "id": "pyup.io-43962",
+ "more_info_path": "/vulnerabilities/CVE-2021-29573/43962",
 "specs": [
 "<0.11.1"
 ],
 "v": "<0.11.1"
 },
 {
- "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2021-29583",
- "id": "pyup.io-43901",
- "more_info_path": "/vulnerabilities/CVE-2021-29583/43901",
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29549",
+ "id": "pyup.io-43936",
+ "more_info_path": "/vulnerabilities/CVE-2021-29549/43936",
 "specs": [
 "<0.11.1"
 ],
@@ -110551,9 +111570,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29579",
- "id": "pyup.io-43896",
- "more_info_path": "/vulnerabilities/CVE-2021-29579/43896",
+ "cve": "CVE-2021-29617",
+ "id": "pyup.io-43938",
+ "more_info_path": "/vulnerabilities/CVE-2021-29617/43938",
 "specs": [
 "<0.11.1"
 ],
@@ -110561,9 +111580,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29587",
- "id": "pyup.io-43872",
- "more_info_path": "/vulnerabilities/CVE-2021-29587/43872",
+ "cve": "CVE-2021-29555",
+ "id": "pyup.io-43944",
+ "more_info_path": "/vulnerabilities/CVE-2021-29555/43944",
 "specs": [
 "<0.11.1"
 ],
@@ -110571,9 +111590,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29542",
- "id": "pyup.io-43927",
- "more_info_path": "/vulnerabilities/CVE-2021-29542/43927",
+ "cve": "CVE-2021-29543",
+ "id": "pyup.io-43867",
+ "more_info_path": "/vulnerabilities/CVE-2021-29543/43867",
 "specs": [
 "<0.11.1"
 ],
@@ -110581,9 +111600,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29563",
- "id": "pyup.io-43875",
- "more_info_path": "/vulnerabilities/CVE-2021-29563/43875",
+ "cve": "CVE-2021-29540",
+ "id": "pyup.io-43889",
+ "more_info_path": "/vulnerabilities/CVE-2021-29540/43889",
 "specs": [
 "<0.11.1"
 ],
@@ -110591,9 +111610,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29593",
- "id": "pyup.io-43913",
- "more_info_path": "/vulnerabilities/CVE-2021-29593/43913",
+ "cve": "CVE-2021-29581",
+ "id": "pyup.io-43898",
+ "more_info_path": "/vulnerabilities/CVE-2021-29581/43898",
 "specs": [
 "<0.11.1"
 ],
@@ -110601,9 +111620,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29538",
- "id": "pyup.io-43888",
- "more_info_path": "/vulnerabilities/CVE-2021-29538/43888",
+ "cve": "CVE-2021-29596",
+ "id": "pyup.io-43911",
+ "more_info_path": "/vulnerabilities/CVE-2021-29596/43911",
 "specs": [
 "<0.11.1"
 ],
@@ -110611,9 +111630,9 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29595",
- "id": "pyup.io-43908",
- "more_info_path": "/vulnerabilities/CVE-2021-29595/43908",
+ "cve": "CVE-2021-29552",
+ "id": "pyup.io-43940",
+ "more_info_path": "/vulnerabilities/CVE-2021-29552/43940",
 "specs": [
 "<0.11.1"
 ],
@@ -110621,9 +111640,19 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
- "cve": "CVE-2021-29599",
- "id": "pyup.io-43919",
- "more_info_path": "/vulnerabilities/CVE-2021-29599/43919",
+ "cve": "CVE-2021-29561",
+ "id": "pyup.io-43959",
+ "more_info_path": "/vulnerabilities/CVE-2021-29561/43959",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29515",
+ "id": "pyup.io-43963",
+ "more_info_path": "/vulnerabilities/CVE-2021-29515/43963",
 "specs": [
 "<0.11.1"
 ],
@@ -110631,9 +111660,49 @@
 },
 {
 "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes.",
- "cve": "CVE-2020-8285",
- "id": "pyup.io-43969",
- "more_info_path": "/vulnerabilities/CVE-2020-8285/43969",
+ "cve": "CVE-2021-29520",
+ "id": "pyup.io-43861",
+ "more_info_path": "/vulnerabilities/CVE-2021-29520/43861",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29513",
+ "id": "pyup.io-43892",
+ "more_info_path": "/vulnerabilities/CVE-2021-29513/43892",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-37686",
+ "id": "pyup.io-43970",
+ "more_info_path": "/vulnerabilities/CVE-2021-37686/43970",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29563",
+ "id": "pyup.io-43875",
+ "more_info_path": "/vulnerabilities/CVE-2021-29563/43875",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ },
+ {
+ "advisory": "Pupyl 0.11.1 updates 'Tensorflow' to v2.5.0 to include security fixes",
+ "cve": "CVE-2021-29593",
+ "id": "pyup.io-43913",
+ "more_info_path": "/vulnerabilities/CVE-2021-29593/43913",
 "specs": [
 "<0.11.1"
 ],
@@ -110651,9 +111720,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37685",
- "id": "pyup.io-46292",
- "more_info_path": "/vulnerabilities/CVE-2021-37685/46292",
+ "cve": "CVE-2021-37684",
+ "id": "pyup.io-46291",
+ "more_info_path": "/vulnerabilities/CVE-2021-37684/46291",
 "specs": [
 "<0.12.1"
 ],
@@ -110661,9 +111730,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37643",
- "id": "pyup.io-46250",
- "more_info_path": "/vulnerabilities/CVE-2021-37643/46250",
+ "cve": "CVE-2021-22876",
+ "id": "pyup.io-46238",
+ "more_info_path": "/vulnerabilities/CVE-2021-22876/46238",
 "specs": [
 "<0.12.1"
 ],
@@ -110671,9 +111740,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37650",
- "id": "pyup.io-46257",
- "more_info_path": "/vulnerabilities/CVE-2021-37650/46257",
+ "cve": "CVE-2021-22897",
+ "id": "pyup.io-46239",
+ "more_info_path": "/vulnerabilities/CVE-2021-22897/46239",
 "specs": [
 "<0.12.1"
 ],
@@ -110681,9 +111750,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37662",
- "id": "pyup.io-46269",
- "more_info_path": "/vulnerabilities/CVE-2021-37662/46269",
+ "cve": "CVE-2021-37685",
+ "id": "pyup.io-46292",
+ "more_info_path": "/vulnerabilities/CVE-2021-37685/46292",
 "specs": [
 "<0.12.1"
 ],
@@ -110691,9 +111760,19 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37672",
- "id": "pyup.io-46279",
- "more_info_path": "/vulnerabilities/CVE-2021-37672/46279",
+ "cve": "CVE-2021-37643",
+ "id": "pyup.io-46250",
+ "more_info_path": "/vulnerabilities/CVE-2021-37643/46250",
+ "specs": [
+ "<0.12.1"
+ ],
+ "v": "<0.12.1"
+ },
+ {
+ "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
+ "cve": "CVE-2021-37650",
+ "id": "pyup.io-46257",
+ "more_info_path": "/vulnerabilities/CVE-2021-37650/46257",
 "specs": [
 "<0.12.1"
 ],
@@ -110789,16 +111868,6 @@
 ],
 "v": "<0.12.1"
 },
- {
- "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37659",
- "id": "pyup.io-46266",
- "more_info_path": "/vulnerabilities/CVE-2021-37659/46266",
- "specs": [
- "<0.12.1"
- ],
- "v": "<0.12.1"
- },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
 "cve": "CVE-2021-37638",
@@ -110821,9 +111890,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37637",
- "id": "pyup.io-46244",
- "more_info_path": "/vulnerabilities/CVE-2021-37637/46244",
+ "cve": "CVE-2021-37636",
+ "id": "pyup.io-46243",
+ "more_info_path": "/vulnerabilities/CVE-2021-37636/46243",
 "specs": [
 "<0.12.1"
 ],
@@ -110831,9 +111900,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37688",
- "id": "pyup.io-46295",
- "more_info_path": "/vulnerabilities/CVE-2021-37688/46295",
+ "cve": "CVE-2021-37666",
+ "id": "pyup.io-46273",
+ "more_info_path": "/vulnerabilities/CVE-2021-37666/46273",
 "specs": [
 "<0.12.1"
 ],
@@ -110841,9 +111910,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37645",
- "id": "pyup.io-46252",
- "more_info_path": "/vulnerabilities/CVE-2021-37645/46252",
+ "cve": "CVE-2021-37660",
+ "id": "pyup.io-46267",
+ "more_info_path": "/vulnerabilities/CVE-2021-37660/46267",
 "specs": [
 "<0.12.1"
 ],
@@ -110851,9 +111920,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37669",
- "id": "pyup.io-46276",
- "more_info_path": "/vulnerabilities/CVE-2021-37669/46276",
+ "cve": "CVE-2021-22898",
+ "id": "pyup.io-46240",
+ "more_info_path": "/vulnerabilities/CVE-2021-22898/46240",
 "specs": [
 "<0.12.1"
 ],
@@ -110861,9 +111930,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37668",
- "id": "pyup.io-46275",
- "more_info_path": "/vulnerabilities/CVE-2021-37668/46275",
+ "cve": "CVE-2021-37667",
+ "id": "pyup.io-46274",
+ "more_info_path": "/vulnerabilities/CVE-2021-37667/46274",
 "specs": [
 "<0.12.1"
 ],
@@ -110871,9 +111940,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37636",
- "id": "pyup.io-46243",
- "more_info_path": "/vulnerabilities/CVE-2021-37636/46243",
+ "cve": "CVE-2021-37644",
+ "id": "pyup.io-46251",
+ "more_info_path": "/vulnerabilities/CVE-2021-37644/46251",
 "specs": [
 "<0.12.1"
 ],
@@ -110881,9 +111950,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37673",
- "id": "pyup.io-46280",
- "more_info_path": "/vulnerabilities/CVE-2021-37673/46280",
+ "cve": "CVE-2021-37680",
+ "id": "pyup.io-46287",
+ "more_info_path": "/vulnerabilities/CVE-2021-37680/46287",
 "specs": [
 "<0.12.1"
 ],
@@ -110891,9 +111960,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37675",
- "id": "pyup.io-46282",
- "more_info_path": "/vulnerabilities/CVE-2021-37675/46282",
+ "cve": "CVE-2021-37692",
+ "id": "pyup.io-46299",
+ "more_info_path": "/vulnerabilities/CVE-2021-37692/46299",
 "specs": [
 "<0.12.1"
 ],
@@ -110901,9 +111970,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37666",
- "id": "pyup.io-46273",
- "more_info_path": "/vulnerabilities/CVE-2021-37666/46273",
+ "cve": "CVE-2021-37661",
+ "id": "pyup.io-46268",
+ "more_info_path": "/vulnerabilities/CVE-2021-37661/46268",
 "specs": [
 "<0.12.1"
 ],
@@ -110911,9 +111980,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37656",
- "id": "pyup.io-46263",
- "more_info_path": "/vulnerabilities/CVE-2021-37656/46263",
+ "cve": "CVE-2021-37641",
+ "id": "pyup.io-46248",
+ "more_info_path": "/vulnerabilities/CVE-2021-37641/46248",
 "specs": [
 "<0.12.1"
 ],
@@ -110921,9 +111990,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37660",
- "id": "pyup.io-46267",
- "more_info_path": "/vulnerabilities/CVE-2021-37660/46267",
+ "cve": "CVE-2021-37647",
+ "id": "pyup.io-46254",
+ "more_info_path": "/vulnerabilities/CVE-2021-37647/46254",
 "specs": [
 "<0.12.1"
 ],
@@ -110931,9 +112000,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37681",
- "id": "pyup.io-46288",
- "more_info_path": "/vulnerabilities/CVE-2021-37681/46288",
+ "cve": "CVE-2021-37646",
+ "id": "pyup.io-46253",
+ "more_info_path": "/vulnerabilities/CVE-2021-37646/46253",
 "specs": [
 "<0.12.1"
 ],
@@ -110941,9 +112010,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-22898",
- "id": "pyup.io-46240",
- "more_info_path": "/vulnerabilities/CVE-2021-22898/46240",
+ "cve": "CVE-2021-37640",
+ "id": "pyup.io-46247",
+ "more_info_path": "/vulnerabilities/CVE-2021-37640/46247",
 "specs": [
 "<0.12.1"
 ],
@@ -110951,9 +112020,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37667",
- "id": "pyup.io-46274",
- "more_info_path": "/vulnerabilities/CVE-2021-37667/46274",
+ "cve": "CVE-2021-37676",
+ "id": "pyup.io-46283",
+ "more_info_path": "/vulnerabilities/CVE-2021-37676/46283",
 "specs": [
 "<0.12.1"
 ],
@@ -110961,9 +112030,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37644",
- "id": "pyup.io-46251",
- "more_info_path": "/vulnerabilities/CVE-2021-37644/46251",
+ "cve": "CVE-2021-37691",
+ "id": "pyup.io-46298",
+ "more_info_path": "/vulnerabilities/CVE-2021-37691/46298",
 "specs": [
 "<0.12.1"
 ],
@@ -110971,9 +112040,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37683",
- "id": "pyup.io-46290",
- "more_info_path": "/vulnerabilities/CVE-2021-37683/46290",
+ "cve": "CVE-2021-37651",
+ "id": "pyup.io-46258",
+ "more_info_path": "/vulnerabilities/CVE-2021-37651/46258",
 "specs": [
 "<0.12.1"
 ],
@@ -110981,9 +112050,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37680",
- "id": "pyup.io-46287",
- "more_info_path": "/vulnerabilities/CVE-2021-37680/46287",
+ "cve": "CVE-2021-37671",
+ "id": "pyup.io-46278",
+ "more_info_path": "/vulnerabilities/CVE-2021-37671/46278",
 "specs": [
 "<0.12.1"
 ],
@@ -110991,9 +112060,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37692",
- "id": "pyup.io-46299",
- "more_info_path": "/vulnerabilities/CVE-2021-37692/46299",
+ "cve": "CVE-2021-37654",
+ "id": "pyup.io-46261",
+ "more_info_path": "/vulnerabilities/CVE-2021-37654/46261",
 "specs": [
 "<0.12.1"
 ],
@@ -111001,9 +112070,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37641",
- "id": "pyup.io-46248",
- "more_info_path": "/vulnerabilities/CVE-2021-37641/46248",
+ "cve": "CVE-2021-37665",
+ "id": "pyup.io-46272",
+ "more_info_path": "/vulnerabilities/CVE-2021-37665/46272",
 "specs": [
 "<0.12.1"
 ],
@@ -111011,9 +112080,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37661",
- "id": "pyup.io-46268",
- "more_info_path": "/vulnerabilities/CVE-2021-37661/46268",
+ "cve": "CVE-2021-37655",
+ "id": "pyup.io-46262",
+ "more_info_path": "/vulnerabilities/CVE-2021-37655/46262",
 "specs": [
 "<0.12.1"
 ],
@@ -111021,9 +112090,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37677",
- "id": "pyup.io-46284",
- "more_info_path": "/vulnerabilities/CVE-2021-37677/46284",
+ "cve": "CVE-2021-37674",
+ "id": "pyup.io-46281",
+ "more_info_path": "/vulnerabilities/CVE-2021-37674/46281",
 "specs": [
 "<0.12.1"
 ],
@@ -111031,9 +112100,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37640",
- "id": "pyup.io-46247",
- "more_info_path": "/vulnerabilities/CVE-2021-37640/46247",
+ "cve": "CVE-2021-37639",
+ "id": "pyup.io-46246",
+ "more_info_path": "/vulnerabilities/CVE-2021-37639/46246",
 "specs": [
 "<0.12.1"
 ],
@@ -111041,9 +112110,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37647",
- "id": "pyup.io-46254",
- "more_info_path": "/vulnerabilities/CVE-2021-37647/46254",
+ "cve": "CVE-2021-37652",
+ "id": "pyup.io-46259",
+ "more_info_path": "/vulnerabilities/CVE-2021-37652/46259",
 "specs": [
 "<0.12.1"
 ],
@@ -111051,9 +112120,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37646",
- "id": "pyup.io-46253",
- "more_info_path": "/vulnerabilities/CVE-2021-37646/46253",
+ "cve": "CVE-2021-37670",
+ "id": "pyup.io-46277",
+ "more_info_path": "/vulnerabilities/CVE-2021-37670/46277",
 "specs": [
 "<0.12.1"
 ],
@@ -111061,9 +112130,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37676",
- "id": "pyup.io-46283",
- "more_info_path": "/vulnerabilities/CVE-2021-37676/46283",
+ "cve": "CVE-2021-37648",
+ "id": "pyup.io-46255",
+ "more_info_path": "/vulnerabilities/CVE-2021-37648/46255",
 "specs": [
 "<0.12.1"
 ],
@@ -111071,9 +112140,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37689",
- "id": "pyup.io-46296",
- "more_info_path": "/vulnerabilities/CVE-2021-37689/46296",
+ "cve": "CVE-2021-37653",
+ "id": "pyup.io-46260",
+ "more_info_path": "/vulnerabilities/CVE-2021-37653/46260",
 "specs": [
 "<0.12.1"
 ],
@@ -111081,9 +112150,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37642",
- "id": "pyup.io-46249",
- "more_info_path": "/vulnerabilities/CVE-2021-37642/46249",
+ "cve": "CVE-2021-37662",
+ "id": "pyup.io-46269",
+ "more_info_path": "/vulnerabilities/CVE-2021-37662/46269",
 "specs": [
 "<0.12.1"
 ],
@@ -111091,9 +112160,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37691",
- "id": "pyup.io-46298",
- "more_info_path": "/vulnerabilities/CVE-2021-37691/46298",
+ "cve": "CVE-2021-37672",
+ "id": "pyup.io-46279",
+ "more_info_path": "/vulnerabilities/CVE-2021-37672/46279",
 "specs": [
 "<0.12.1"
 ],
@@ -111101,9 +112170,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37651",
- "id": "pyup.io-46258",
- "more_info_path": "/vulnerabilities/CVE-2021-37651/46258",
+ "cve": "CVE-2021-37659",
+ "id": "pyup.io-46266",
+ "more_info_path": "/vulnerabilities/CVE-2021-37659/46266",
 "specs": [
 "<0.12.1"
 ],
@@ -111111,9 +112180,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37671",
- "id": "pyup.io-46278",
- "more_info_path": "/vulnerabilities/CVE-2021-37671/46278",
+ "cve": "CVE-2021-37637",
+ "id": "pyup.io-46244",
+ "more_info_path": "/vulnerabilities/CVE-2021-37637/46244",
 "specs": [
 "<0.12.1"
 ],
@@ -111121,9 +112190,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37654",
- "id": "pyup.io-46261",
- "more_info_path": "/vulnerabilities/CVE-2021-37654/46261",
+ "cve": "CVE-2021-37688",
+ "id": "pyup.io-46295",
+ "more_info_path": "/vulnerabilities/CVE-2021-37688/46295",
 "specs": [
 "<0.12.1"
 ],
@@ -111131,9 +112200,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37665",
- "id": "pyup.io-46272",
- "more_info_path": "/vulnerabilities/CVE-2021-37665/46272",
+ "cve": "CVE-2021-37645",
+ "id": "pyup.io-46252",
+ "more_info_path": "/vulnerabilities/CVE-2021-37645/46252",
 "specs": [
 "<0.12.1"
 ],
@@ -111141,9 +112210,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37655",
- "id": "pyup.io-46262",
- "more_info_path": "/vulnerabilities/CVE-2021-37655/46262",
+ "cve": "CVE-2021-37669",
+ "id": "pyup.io-46276",
+ "more_info_path": "/vulnerabilities/CVE-2021-37669/46276",
 "specs": [
 "<0.12.1"
 ],
@@ -111151,9 +112220,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37674",
- "id": "pyup.io-46281",
- "more_info_path": "/vulnerabilities/CVE-2021-37674/46281",
+ "cve": "CVE-2021-37668",
+ "id": "pyup.io-46275",
+ "more_info_path": "/vulnerabilities/CVE-2021-37668/46275",
 "specs": [
 "<0.12.1"
 ],
@@ -111161,9 +112230,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37658",
- "id": "pyup.io-46265",
- "more_info_path": "/vulnerabilities/CVE-2021-37658/46265",
+ "cve": "CVE-2021-37673",
+ "id": "pyup.io-46280",
+ "more_info_path": "/vulnerabilities/CVE-2021-37673/46280",
 "specs": [
 "<0.12.1"
 ],
@@ -111171,9 +112240,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37649",
- "id": "pyup.io-46256",
- "more_info_path": "/vulnerabilities/CVE-2021-37649/46256",
+ "cve": "CVE-2021-37675",
+ "id": "pyup.io-46282",
+ "more_info_path": "/vulnerabilities/CVE-2021-37675/46282",
 "specs": [
 "<0.12.1"
 ],
@@ -111181,9 +112250,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37639",
- "id": "pyup.io-46246",
- "more_info_path": "/vulnerabilities/CVE-2021-37639/46246",
+ "cve": "CVE-2021-37656",
+ "id": "pyup.io-46263",
+ "more_info_path": "/vulnerabilities/CVE-2021-37656/46263",
 "specs": [
 "<0.12.1"
 ],
@@ -111191,9 +112260,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37652",
- "id": "pyup.io-46259",
- "more_info_path": "/vulnerabilities/CVE-2021-37652/46259",
+ "cve": "CVE-2021-37681",
+ "id": "pyup.io-46288",
+ "more_info_path": "/vulnerabilities/CVE-2021-37681/46288",
 "specs": [
 "<0.12.1"
 ],
@@ -111201,9 +112270,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37670",
- "id": "pyup.io-46277",
- "more_info_path": "/vulnerabilities/CVE-2021-37670/46277",
+ "cve": "CVE-2021-37683",
+ "id": "pyup.io-46290",
+ "more_info_path": "/vulnerabilities/CVE-2021-37683/46290",
 "specs": [
 "<0.12.1"
 ],
@@ -111211,9 +112280,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37648",
- "id": "pyup.io-46255",
- "more_info_path": "/vulnerabilities/CVE-2021-37648/46255",
+ "cve": "CVE-2021-37677",
+ "id": "pyup.io-46284",
+ "more_info_path": "/vulnerabilities/CVE-2021-37677/46284",
 "specs": [
 "<0.12.1"
 ],
@@ -111221,9 +112290,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37684",
- "id": "pyup.io-46291",
- "more_info_path": "/vulnerabilities/CVE-2021-37684/46291",
+ "cve": "CVE-2021-37689",
+ "id": "pyup.io-46296",
+ "more_info_path": "/vulnerabilities/CVE-2021-37689/46296",
 "specs": [
 "<0.12.1"
 ],
@@ -111231,9 +112300,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-37653",
- "id": "pyup.io-46260",
- "more_info_path": "/vulnerabilities/CVE-2021-37653/46260",
+ "cve": "CVE-2021-37642",
+ "id": "pyup.io-46249",
+ "more_info_path": "/vulnerabilities/CVE-2021-37642/46249",
 "specs": [
 "<0.12.1"
 ],
@@ -111241,9 +112310,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-22876",
- "id": "pyup.io-46238",
- "more_info_path": "/vulnerabilities/CVE-2021-22876/46238",
+ "cve": "CVE-2021-37658",
+ "id": "pyup.io-46265",
+ "more_info_path": "/vulnerabilities/CVE-2021-37658/46265",
 "specs": [
 "<0.12.1"
 ],
@@ -111251,9 +112320,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-22901",
- "id": "pyup.io-46241",
- "more_info_path": "/vulnerabilities/CVE-2021-22901/46241",
+ "cve": "CVE-2021-37649",
+ "id": "pyup.io-46256",
+ "more_info_path": "/vulnerabilities/CVE-2021-37649/46256",
 "specs": [
 "<0.12.1"
 ],
@@ -111261,9 +112330,9 @@
 },
 {
 "advisory": "Pupyl 0.12.1 updates its dependency 'TensorFlow' to v2.6.0 to include security fixes.",
- "cve": "CVE-2021-22897",
- "id": "pyup.io-46239",
- "more_info_path": "/vulnerabilities/CVE-2021-22897/46239",
+ "cve": "CVE-2021-22901",
+ "id": "pyup.io-46241",
+ "more_info_path": "/vulnerabilities/CVE-2021-22901/46241",
 "specs": [
 "<0.12.1"
 ],
@@ -111271,9 +112340,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41222",
- "id": "pyup.io-46333",
- "more_info_path": "/vulnerabilities/CVE-2021-41222/46333",
+ "cve": "CVE-2021-41208",
+ "id": "pyup.io-46319",
+ "more_info_path": "/vulnerabilities/CVE-2021-41208/46319",
 "specs": [
 "<0.12.4"
 ],
@@ -111281,9 +112350,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41220",
- "id": "pyup.io-46331",
- "more_info_path": "/vulnerabilities/CVE-2021-41220/46331",
+ "cve": "CVE-2021-41211",
+ "id": "pyup.io-46322",
+ "more_info_path": "/vulnerabilities/CVE-2021-41211/46322",
 "specs": [
 "<0.12.4"
 ],
@@ -111291,9 +112360,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41216",
- "id": "pyup.io-46327",
- "more_info_path": "/vulnerabilities/CVE-2021-41216/46327",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-46326",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/46326",
 "specs": [
 "<0.12.4"
 ],
@@ -111301,9 +112370,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41213",
- "id": "pyup.io-46324",
- "more_info_path": "/vulnerabilities/CVE-2021-41213/46324",
+ "cve": "CVE-2021-22925",
+ "id": "pyup.io-46304",
+ "more_info_path": "/vulnerabilities/CVE-2021-22925/46304",
 "specs": [
 "<0.12.4"
 ],
@@ -111311,9 +112380,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41226",
- "id": "pyup.io-46337",
- "more_info_path": "/vulnerabilities/CVE-2021-41226/46337",
+ "cve": "CVE-2021-22922",
+ "id": "pyup.io-46300",
+ "more_info_path": "/vulnerabilities/CVE-2021-22922/46300",
 "specs": [
 "<0.12.4"
 ],
@@ -111321,9 +112390,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41219",
- "id": "pyup.io-46330",
- "more_info_path": "/vulnerabilities/CVE-2021-41219/46330",
+ "cve": "CVE-2021-41216",
+ "id": "pyup.io-46327",
+ "more_info_path": "/vulnerabilities/CVE-2021-41216/46327",
 "specs": [
 "<0.12.4"
 ],
@@ -111331,9 +112400,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41205",
- "id": "pyup.io-46316",
- "more_info_path": "/vulnerabilities/CVE-2021-41205/46316",
+ "cve": "CVE-2021-41213",
+ "id": "pyup.io-46324",
+ "more_info_path": "/vulnerabilities/CVE-2021-41213/46324",
 "specs": [
 "<0.12.4"
 ],
@@ -111341,9 +112410,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-22923",
- "id": "pyup.io-46302",
- "more_info_path": "/vulnerabilities/CVE-2021-22923/46302",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-46316",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/46316",
 "specs": [
 "<0.12.4"
 ],
@@ -111351,9 +112420,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41209",
- "id": "pyup.io-46320",
- "more_info_path": "/vulnerabilities/CVE-2021-41209/46320",
+ "cve": "CVE-2021-41204",
+ "id": "pyup.io-46315",
+ "more_info_path": "/vulnerabilities/CVE-2021-41204/46315",
 "specs": [
 "<0.12.4"
 ],
@@ -111361,9 +112430,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41201",
- "id": "pyup.io-46312",
- "more_info_path": "/vulnerabilities/CVE-2021-41201/46312",
+ "cve": "CVE-2021-41202",
+ "id": "pyup.io-46313",
+ "more_info_path": "/vulnerabilities/CVE-2021-41202/46313",
 "specs": [
 "<0.12.4"
 ],
@@ -111371,9 +112440,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41214",
- "id": "pyup.io-46325",
- "more_info_path": "/vulnerabilities/CVE-2021-41214/46325",
+ "cve": "CVE-2021-41210",
+ "id": "pyup.io-46321",
+ "more_info_path": "/vulnerabilities/CVE-2021-41210/46321",
 "specs": [
 "<0.12.4"
 ],
@@ -111381,9 +112450,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41203",
- "id": "pyup.io-46314",
- "more_info_path": "/vulnerabilities/CVE-2021-41203/46314",
+ "cve": "CVE-2021-41227",
+ "id": "pyup.io-46338",
+ "more_info_path": "/vulnerabilities/CVE-2021-41227/46338",
 "specs": [
 "<0.12.4"
 ],
@@ -111391,9 +112460,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41204",
- "id": "pyup.io-46315",
- "more_info_path": "/vulnerabilities/CVE-2021-41204/46315",
+ "cve": "CVE-2021-41200",
+ "id": "pyup.io-46311",
+ "more_info_path": "/vulnerabilities/CVE-2021-41200/46311",
 "specs": [
 "<0.12.4"
 ],
@@ -111401,9 +112470,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41228",
- "id": "pyup.io-46339",
- "more_info_path": "/vulnerabilities/CVE-2021-41228/46339",
+ "cve": "CVE-2021-41217",
+ "id": "pyup.io-46328",
+ "more_info_path": "/vulnerabilities/CVE-2021-41217/46328",
 "specs": [
 "<0.12.4"
 ],
@@ -111411,9 +112480,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-22926",
- "id": "pyup.io-46305",
- "more_info_path": "/vulnerabilities/CVE-2021-22926/46305",
+ "cve": "CVE-2021-41212",
+ "id": "pyup.io-46323",
+ "more_info_path": "/vulnerabilities/CVE-2021-41212/46323",
 "specs": [
 "<0.12.4"
 ],
@@ -111421,9 +112490,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41207",
- "id": "pyup.io-46318",
- "more_info_path": "/vulnerabilities/CVE-2021-41207/46318",
+ "cve": "CVE-2021-41225",
+ "id": "pyup.io-46336",
+ "more_info_path": "/vulnerabilities/CVE-2021-41225/46336",
 "specs": [
 "<0.12.4"
 ],
@@ -111431,9 +112500,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41198",
- "id": "pyup.io-46309",
- "more_info_path": "/vulnerabilities/CVE-2021-41198/46309",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-46306",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/46306",
 "specs": [
 "<0.12.4"
 ],
@@ -111441,9 +112510,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41202",
- "id": "pyup.io-46313",
- "more_info_path": "/vulnerabilities/CVE-2021-41202/46313",
+ "cve": "CVE-2021-41196",
+ "id": "pyup.io-46307",
+ "more_info_path": "/vulnerabilities/CVE-2021-41196/46307",
 "specs": [
 "<0.12.4"
 ],
@@ -111451,9 +112520,9 @@
 },
 {
 "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.",
- "cve": "CVE-2021-41206",
- "id": "pyup.io-46317",
- "more_info_path": "/vulnerabilities/CVE-2021-41206/46317",
+ "cve": "CVE-2021-41197",
+ "id": "pyup.io-46308",
+ "more_info_path": "/vulnerabilities/CVE-2021-41197/46308",
 "specs": [
 "<0.12.4"
 ],
@@ -111461,9 +112530,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41223", - "id": "pyup.io-46334", - "more_info_path": "/vulnerabilities/CVE-2021-41223/46334", + "cve": "CVE-2021-41221", + "id": "pyup.io-46332", + "more_info_path": "/vulnerabilities/CVE-2021-41221/46332", "specs": [ "<0.12.4" ], @@ -111471,9 +112540,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41199", - "id": "pyup.io-46310", - "more_info_path": "/vulnerabilities/CVE-2021-41199/46310", + "cve": "CVE-2021-41224", + "id": "pyup.io-46335", + "more_info_path": "/vulnerabilities/CVE-2021-41224/46335", "specs": [ "<0.12.4" ], @@ -111481,9 +112550,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41210", - "id": "pyup.io-46321", - "more_info_path": "/vulnerabilities/CVE-2021-41210/46321", + "cve": "CVE-2021-41218", + "id": "pyup.io-46329", + "more_info_path": "/vulnerabilities/CVE-2021-41218/46329", "specs": [ "<0.12.4" ], @@ -111491,9 +112560,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41227", - "id": "pyup.io-46338", - "more_info_path": "/vulnerabilities/CVE-2021-41227/46338", + "cve": "CVE-2021-41222", + "id": "pyup.io-46333", + "more_info_path": "/vulnerabilities/CVE-2021-41222/46333", "specs": [ "<0.12.4" ], @@ -111501,9 +112570,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41200", - "id": "pyup.io-46311", - "more_info_path": "/vulnerabilities/CVE-2021-41200/46311", + "cve": "CVE-2021-41220", + "id": "pyup.io-46331", + "more_info_path": "/vulnerabilities/CVE-2021-41220/46331", "specs": [ "<0.12.4" ], 
@@ -111511,9 +112580,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41217", - "id": "pyup.io-46328", - "more_info_path": "/vulnerabilities/CVE-2021-41217/46328", + "cve": "CVE-2021-41226", + "id": "pyup.io-46337", + "more_info_path": "/vulnerabilities/CVE-2021-41226/46337", "specs": [ "<0.12.4" ], @@ -111521,9 +112590,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41212", - "id": "pyup.io-46323", - "more_info_path": "/vulnerabilities/CVE-2021-41212/46323", + "cve": "CVE-2021-41219", + "id": "pyup.io-46330", + "more_info_path": "/vulnerabilities/CVE-2021-41219/46330", "specs": [ "<0.12.4" ], @@ -111531,9 +112600,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41225", - "id": "pyup.io-46336", - "more_info_path": "/vulnerabilities/CVE-2021-41225/46336", + "cve": "CVE-2021-22923", + "id": "pyup.io-46302", + "more_info_path": "/vulnerabilities/CVE-2021-22923/46302", "specs": [ "<0.12.4" ], @@ -111541,9 +112610,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41196", - "id": "pyup.io-46307", - "more_info_path": "/vulnerabilities/CVE-2021-41196/46307", + "cve": "CVE-2021-41209", + "id": "pyup.io-46320", + "more_info_path": "/vulnerabilities/CVE-2021-41209/46320", "specs": [ "<0.12.4" ], @@ -111551,9 +112620,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41195", - "id": "pyup.io-46306", - "more_info_path": "/vulnerabilities/CVE-2021-41195/46306", + "cve": "CVE-2021-41201", + "id": "pyup.io-46312", + "more_info_path": "/vulnerabilities/CVE-2021-41201/46312", "specs": [ "<0.12.4" ], 
@@ -111561,9 +112630,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41197", - "id": "pyup.io-46308", - "more_info_path": "/vulnerabilities/CVE-2021-41197/46308", + "cve": "CVE-2021-41214", + "id": "pyup.io-46325", + "more_info_path": "/vulnerabilities/CVE-2021-41214/46325", "specs": [ "<0.12.4" ], @@ -111571,9 +112640,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41221", - "id": "pyup.io-46332", - "more_info_path": "/vulnerabilities/CVE-2021-41221/46332", + "cve": "CVE-2021-41203", + "id": "pyup.io-46314", + "more_info_path": "/vulnerabilities/CVE-2021-41203/46314", "specs": [ "<0.12.4" ], @@ -111581,9 +112650,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41224", - "id": "pyup.io-46335", - "more_info_path": "/vulnerabilities/CVE-2021-41224/46335", + "cve": "CVE-2021-41228", + "id": "pyup.io-46339", + "more_info_path": "/vulnerabilities/CVE-2021-41228/46339", "specs": [ "<0.12.4" ], @@ -111591,9 +112660,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-46319", - "more_info_path": "/vulnerabilities/CVE-2021-41208/46319", + "cve": "CVE-2021-22926", + "id": "pyup.io-46305", + "more_info_path": "/vulnerabilities/CVE-2021-22926/46305", "specs": [ "<0.12.4" ], @@ -111601,9 +112670,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41211", - "id": "pyup.io-46322", - "more_info_path": "/vulnerabilities/CVE-2021-41211/46322", + "cve": "CVE-2021-41207", + "id": "pyup.io-46318", + "more_info_path": "/vulnerabilities/CVE-2021-41207/46318", "specs": [ "<0.12.4" ], 
@@ -111611,9 +112680,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41215", - "id": "pyup.io-46326", - "more_info_path": "/vulnerabilities/CVE-2021-41215/46326", + "cve": "CVE-2021-41198", + "id": "pyup.io-46309", + "more_info_path": "/vulnerabilities/CVE-2021-41198/46309", "specs": [ "<0.12.4" ], @@ -111621,9 +112690,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-41218", - "id": "pyup.io-46329", - "more_info_path": "/vulnerabilities/CVE-2021-41218/46329", + "cve": "CVE-2021-41206", + "id": "pyup.io-46317", + "more_info_path": "/vulnerabilities/CVE-2021-41206/46317", "specs": [ "<0.12.4" ], @@ -111631,9 +112700,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-22925", - "id": "pyup.io-46304", - "more_info_path": "/vulnerabilities/CVE-2021-22925/46304", + "cve": "CVE-2021-41223", + "id": "pyup.io-46334", + "more_info_path": "/vulnerabilities/CVE-2021-41223/46334", "specs": [ "<0.12.4" ], @@ -111641,9 +112710,9 @@ }, { "advisory": "Pupyl 0.12.4 updates its dependency 'TensorFlow' to v2.6.1 to include security fixes.", - "cve": "CVE-2021-22922", - "id": "pyup.io-46300", - "more_info_path": "/vulnerabilities/CVE-2021-22922/46300", + "cve": "CVE-2021-41199", + "id": "pyup.io-46310", + "more_info_path": "/vulnerabilities/CVE-2021-41199/46310", "specs": [ "<0.12.4" ], 
@@ -111661,29 +112730,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21735", - "id": "pyup.io-46351", - "more_info_path": "/vulnerabilities/CVE-2022-21735/46351", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23571", - "id": "pyup.io-46372", - "more_info_path": "/vulnerabilities/CVE-2022-23571/46372", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23563", - "id": "pyup.io-46364", - "more_info_path": "/vulnerabilities/CVE-2022-23563/46364", + "cve": "CVE-2022-23567", + "id": "pyup.io-46368", + "more_info_path": "/vulnerabilities/CVE-2022-23567/46368", "specs": [ "<0.13.2" ], @@ -111691,9 +112740,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23576", - "id": "pyup.io-46377", - "more_info_path": "/vulnerabilities/CVE-2022-23576/46377", + "cve": "CVE-2022-21726", + "id": "pyup.io-46342", + "more_info_path": "/vulnerabilities/CVE-2022-21726/46342", "specs": [ "<0.13.2" ], @@ -111731,9 +112780,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23565", - "id": "pyup.io-46366", - "more_info_path": "/vulnerabilities/CVE-2022-23565/46366", + "cve": "CVE-2022-23576", + "id": "pyup.io-46377", + "more_info_path": "/vulnerabilities/CVE-2022-23576/46377", "specs": [ "<0.13.2" ], 
@@ -111741,9 +112790,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23595", - "id": "pyup.io-46396", - "more_info_path": "/vulnerabilities/CVE-2022-23595/46396", + "cve": "CVE-2022-23565", + "id": "pyup.io-46366", + "more_info_path": "/vulnerabilities/CVE-2022-23565/46366", "specs": [ "<0.13.2" ], @@ -111791,9 +112840,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23591", - "id": "pyup.io-46392", - "more_info_path": "/vulnerabilities/CVE-2022-23591/46392", + "cve": "CVE-2022-23582", + "id": "pyup.io-46383", + "more_info_path": "/vulnerabilities/CVE-2022-23582/46383", "specs": [ "<0.13.2" ], @@ -111801,9 +112850,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23594", - "id": "pyup.io-46395", - "more_info_path": "/vulnerabilities/CVE-2022-23594/46395", + "cve": "CVE-2022-23569", + "id": "pyup.io-46370", + "more_info_path": "/vulnerabilities/CVE-2022-23569/46370", "specs": [ "<0.13.2" ], @@ -111811,9 +112860,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23582", - "id": "pyup.io-46383", - "more_info_path": "/vulnerabilities/CVE-2022-23582/46383", + "cve": "CVE-2022-23558", + "id": "pyup.io-46359", + "more_info_path": "/vulnerabilities/CVE-2022-23558/46359", "specs": [ "<0.13.2" ], @@ -111821,9 +112870,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21734", - "id": "pyup.io-46350", - "more_info_path": "/vulnerabilities/CVE-2022-21734/46350", + "cve": "CVE-2022-21729", + "id": "pyup.io-46345", + "more_info_path": "/vulnerabilities/CVE-2022-21729/46345", "specs": [ "<0.13.2" ], 
@@ -111831,9 +112880,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23569", - "id": "pyup.io-46370", - "more_info_path": "/vulnerabilities/CVE-2022-23569/46370", + "cve": "CVE-2022-21730", + "id": "pyup.io-46346", + "more_info_path": "/vulnerabilities/CVE-2022-21730/46346", "specs": [ "<0.13.2" ], @@ -111841,9 +112890,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23572", - "id": "pyup.io-46373", - "more_info_path": "/vulnerabilities/CVE-2022-23572/46373", + "cve": "CVE-2022-21733", + "id": "pyup.io-46349", + "more_info_path": "/vulnerabilities/CVE-2022-21733/46349", "specs": [ "<0.13.2" ], @@ -111851,9 +112900,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23560", - "id": "pyup.io-46361", - "more_info_path": "/vulnerabilities/CVE-2022-23560/46361", + "cve": "CVE-2022-23566", + "id": "pyup.io-46367", + "more_info_path": "/vulnerabilities/CVE-2022-23566/46367", "specs": [ "<0.13.2" ], @@ -111861,9 +112910,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23558", - "id": "pyup.io-46359", - "more_info_path": "/vulnerabilities/CVE-2022-23558/46359", + "cve": "CVE-2022-23557", + "id": "pyup.io-46358", + "more_info_path": "/vulnerabilities/CVE-2022-23557/46358", "specs": [ "<0.13.2" ], @@ -111871,9 +112920,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23579", - "id": "pyup.io-46380", - "more_info_path": "/vulnerabilities/CVE-2022-23579/46380", + "cve": "CVE-2022-23590", + "id": "pyup.io-46391", + "more_info_path": "/vulnerabilities/CVE-2022-23590/46391", "specs": [ "<0.13.2" ], 
@@ -111881,9 +112930,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21740", - "id": "pyup.io-46356", - "more_info_path": "/vulnerabilities/CVE-2022-21740/46356", + "cve": "CVE-2022-23584", + "id": "pyup.io-46385", + "more_info_path": "/vulnerabilities/CVE-2022-23584/46385", "specs": [ "<0.13.2" ], @@ -111891,9 +112940,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23561", - "id": "pyup.io-46362", - "more_info_path": "/vulnerabilities/CVE-2022-23561/46362", + "cve": "CVE-2022-23577", + "id": "pyup.io-46378", + "more_info_path": "/vulnerabilities/CVE-2022-23577/46378", "specs": [ "<0.13.2" ], @@ -111901,9 +112950,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21731", - "id": "pyup.io-46347", - "more_info_path": "/vulnerabilities/CVE-2022-21731/46347", + "cve": "CVE-2022-21741", + "id": "pyup.io-46357", + "more_info_path": "/vulnerabilities/CVE-2022-21741/46357", "specs": [ "<0.13.2" ], @@ -111911,9 +112960,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21729", - "id": "pyup.io-46345", - "more_info_path": "/vulnerabilities/CVE-2022-21729/46345", + "cve": "CVE-2022-21728", + "id": "pyup.io-46344", + "more_info_path": "/vulnerabilities/CVE-2022-21728/46344", "specs": [ "<0.13.2" ], @@ -111921,9 +112970,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23570", - "id": "pyup.io-46371", - "more_info_path": "/vulnerabilities/CVE-2022-23570/46371", + "cve": "CVE-2022-21737", + "id": "pyup.io-46353", + "more_info_path": "/vulnerabilities/CVE-2022-21737/46353", "specs": [ "<0.13.2" ], 
@@ -111931,9 +112980,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21730", - "id": "pyup.io-46346", - "more_info_path": "/vulnerabilities/CVE-2022-21730/46346", + "cve": "CVE-2022-23575", + "id": "pyup.io-46376", + "more_info_path": "/vulnerabilities/CVE-2022-23575/46376", "specs": [ "<0.13.2" ], @@ -111941,9 +112990,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23557", - "id": "pyup.io-46358", - "more_info_path": "/vulnerabilities/CVE-2022-23557/46358", + "cve": "CVE-2022-23587", + "id": "pyup.io-46388", + "more_info_path": "/vulnerabilities/CVE-2022-23587/46388", "specs": [ "<0.13.2" ], @@ -111951,9 +113000,9 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21733", - "id": "pyup.io-46349", - "more_info_path": "/vulnerabilities/CVE-2022-21733/46349", + "cve": "CVE-2022-23588", + "id": "pyup.io-46389", + "more_info_path": "/vulnerabilities/CVE-2022-23588/46389", "specs": [ "<0.13.2" ], 
@@ -111961,9 +113010,219 @@ }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23566", - "id": "pyup.io-46367", - "more_info_path": "/vulnerabilities/CVE-2022-23566/46367", + "cve": "CVE-2022-23592", + "id": "pyup.io-46393", + "more_info_path": "/vulnerabilities/CVE-2022-23592/46393", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23568", + "id": "pyup.io-46369", + "more_info_path": "/vulnerabilities/CVE-2022-23568/46369", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23564", + "id": "pyup.io-46365", + "more_info_path": "/vulnerabilities/CVE-2022-23564/46365", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21736", + "id": "pyup.io-46352", + "more_info_path": "/vulnerabilities/CVE-2022-21736/46352", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21738", + "id": "pyup.io-46354", + "more_info_path": "/vulnerabilities/CVE-2022-21738/46354", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21727", + "id": "pyup.io-46343", + "more_info_path": "/vulnerabilities/CVE-2022-21727/46343", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23583", + "id": "pyup.io-46384", + "more_info_path": "/vulnerabilities/CVE-2022-23583/46384", + 
"specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23593", + "id": "pyup.io-46394", + "more_info_path": "/vulnerabilities/CVE-2022-23593/46394", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21735", + "id": "pyup.io-46351", + "more_info_path": "/vulnerabilities/CVE-2022-21735/46351", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23571", + "id": "pyup.io-46372", + "more_info_path": "/vulnerabilities/CVE-2022-23571/46372", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23563", + "id": "pyup.io-46364", + "more_info_path": "/vulnerabilities/CVE-2022-23563/46364", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23595", + "id": "pyup.io-46396", + "more_info_path": "/vulnerabilities/CVE-2022-23595/46396", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23591", + "id": "pyup.io-46392", + "more_info_path": "/vulnerabilities/CVE-2022-23591/46392", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23594", + "id": "pyup.io-46395", + "more_info_path": "/vulnerabilities/CVE-2022-23594/46395", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21734", + "id": "pyup.io-46350", + "more_info_path": "/vulnerabilities/CVE-2022-21734/46350", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23572", + "id": "pyup.io-46373", + "more_info_path": "/vulnerabilities/CVE-2022-23572/46373", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23560", + "id": "pyup.io-46361", + "more_info_path": "/vulnerabilities/CVE-2022-23560/46361", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23579", + "id": "pyup.io-46380", + "more_info_path": "/vulnerabilities/CVE-2022-23579/46380", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21740", + "id": "pyup.io-46356", + "more_info_path": "/vulnerabilities/CVE-2022-21740/46356", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23561", + "id": "pyup.io-46362", + "more_info_path": "/vulnerabilities/CVE-2022-23561/46362", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-21731", + "id": "pyup.io-46347", + "more_info_path": "/vulnerabilities/CVE-2022-21731/46347", + "specs": [ + "<0.13.2" + ], + "v": "<0.13.2" + }, + { + "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", + "cve": "CVE-2022-23570", + 
"id": "pyup.io-46371", + "more_info_path": "/vulnerabilities/CVE-2022-23570/46371", "specs": [ "<0.13.2" ], 
@@ -112009,86 +113268,6 @@ ], "v": "<0.13.2" }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23590", - "id": "pyup.io-46391", - "more_info_path": "/vulnerabilities/CVE-2022-23590/46391", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23584", - "id": "pyup.io-46385", - "more_info_path": "/vulnerabilities/CVE-2022-23584/46385", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23577", - "id": "pyup.io-46378", - "more_info_path": "/vulnerabilities/CVE-2022-23577/46378", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21741", - "id": "pyup.io-46357", - "more_info_path": "/vulnerabilities/CVE-2022-21741/46357", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21728", - "id": "pyup.io-46344", - "more_info_path": "/vulnerabilities/CVE-2022-21728/46344", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21737", - "id": "pyup.io-46353", - "more_info_path": "/vulnerabilities/CVE-2022-21737/46353", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23575", - "id": "pyup.io-46376", - "more_info_path": "/vulnerabilities/CVE-2022-23575/46376", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23587", - "id": "pyup.io-46388", - "more_info_path": "/vulnerabilities/CVE-2022-23587/46388", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23562", 
@@ -112099,86 +113278,6 @@ ], "v": "<0.13.2" }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23588", - "id": "pyup.io-46389", - "more_info_path": "/vulnerabilities/CVE-2022-23588/46389", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23592", - "id": "pyup.io-46393", - "more_info_path": "/vulnerabilities/CVE-2022-23592/46393", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23568", - "id": "pyup.io-46369", - "more_info_path": "/vulnerabilities/CVE-2022-23568/46369", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23564", - "id": "pyup.io-46365", - "more_info_path": "/vulnerabilities/CVE-2022-23564/46365", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21736", - "id": "pyup.io-46352", - "more_info_path": "/vulnerabilities/CVE-2022-21736/46352", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21727", - "id": "pyup.io-46343", - "more_info_path": "/vulnerabilities/CVE-2022-21727/46343", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21738", - "id": "pyup.io-46354", - "more_info_path": "/vulnerabilities/CVE-2022-21738/46354", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its 
dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23583", - "id": "pyup.io-46384", - "more_info_path": "/vulnerabilities/CVE-2022-23583/46384", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, { "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", "cve": "CVE-2022-23580", @@ -112198,36 +113297,6 @@ "<0.13.2" ], "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23567", - "id": "pyup.io-46368", - "more_info_path": "/vulnerabilities/CVE-2022-23567/46368", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-21726", - "id": "pyup.io-46342", - "more_info_path": "/vulnerabilities/CVE-2022-21726/46342", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" - }, - { - "advisory": "Pupyl 0.13.2 updates its dependency 'TensorFlow' to v2.8.0 to include security fixes.", - "cve": "CVE-2022-23593", - "id": "pyup.io-46394", - "more_info_path": "/vulnerabilities/CVE-2022-23593/46394", - "specs": [ - "<0.13.2" - ], - "v": "<0.13.2" } ], "purdy": [ @@ -112454,6 +113523,16 @@ "<1.0.1" ], "v": "<1.0.1" + }, + { + "advisory": "Py-ms version 2.8.0 updates its anyconfig dependency from \"anyconfig>=0.9.11\" to \"anyconfig>=0.10.0\" to address a security issue related to unsafe loading in PyYAML.", + "cve": "PVE-2024-71186", + "id": "pyup.io-71186", + "more_info_path": "/vulnerabilities/PVE-2024-71186/71186", + "specs": [ + "<2.8.0" + ], + "v": "<2.8.0" } ], "py-pure-client": [ 
@@ -112479,6 +113558,16 @@ } ], "py-quantaq": [ + { + "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.", + "cve": "CVE-2021-41496", + "id": "pyup.io-50904", + "more_info_path": "/vulnerabilities/CVE-2021-41496/50904", + "specs": [ + "<1.2.0a0" + ], + "v": "<1.2.0a0" + }, { "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.", "cve": "CVE-2021-41495", @@ -112559,16 +113648,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Py-quantaq 1.2.0a0 updates its dependency 'numpy' to v1.23.2 to include security fixes.", - "cve": "CVE-2021-41496", - "id": "pyup.io-50904", - "more_info_path": "/vulnerabilities/CVE-2021-41496/50904", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Py-quantaq 1.3.0 updates its dependency 'urllib3' to v1.26.12 to include security fixes.", "cve": "CVE-2020-26137", @@ -113020,10 +114099,10 @@ ], "pyanchor": [ { - "advisory": "Pyanchor version 0.5.1 updates its dependency 'lxml' to v4.6.3 to include security fixes.", - "cve": "CVE-2021-28957", - "id": "pyup.io-49120", - "more_info_path": "/vulnerabilities/CVE-2021-28957/49120", + "advisory": "Pyanchor version 0.5.1 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", + "cve": "CVE-2021-33503", + "id": "pyup.io-49122", + "more_info_path": "/vulnerabilities/CVE-2021-33503/49122", "specs": [ "<0.5.1" ], @@ -113050,10 +114129,10 @@ "v": "<0.5.1" }, { - "advisory": "Pyanchor version 0.5.1 updates its dependency 'urllib3' to v1.26.5 to include a security fix.", - "cve": "CVE-2021-33503", - "id": "pyup.io-49122", - "more_info_path": "/vulnerabilities/CVE-2021-33503/49122", + "advisory": "Pyanchor version 0.5.1 updates its dependency 'lxml' to v4.6.3 to include security fixes.", + "cve": "CVE-2021-28957", + "id": "pyup.io-49120", + "more_info_path": "/vulnerabilities/CVE-2021-28957/49120", "specs": [ "<0.5.1" ], 
@@ -114015,9 +115094,9 @@ "pydbtools": [ { "advisory": "Pydbtools 5.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", - "cve": "CVE-2021-41495", - "id": "pyup.io-50125", - "more_info_path": "/vulnerabilities/CVE-2021-41495/50125", + "cve": "CVE-2021-41496", + "id": "pyup.io-50124", + "more_info_path": "/vulnerabilities/CVE-2021-41496/50124", "specs": [ "<5.3.0" ], @@ -114025,9 +115104,9 @@ }, { "advisory": "Pydbtools 5.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", - "cve": "CVE-2021-34141", - "id": "pyup.io-50121", - "more_info_path": "/vulnerabilities/CVE-2021-34141/50121", + "cve": "CVE-2021-41495", + "id": "pyup.io-50125", + "more_info_path": "/vulnerabilities/CVE-2021-41495/50125", "specs": [ "<5.3.0" ], @@ -114035,9 +115114,9 @@ }, { "advisory": "Pydbtools 5.3.0 updates its dependency 'numpy' to v1.23.1 to include security fixes.", - "cve": "CVE-2021-41496", - "id": "pyup.io-50124", - "more_info_path": "/vulnerabilities/CVE-2021-41496/50124", + "cve": "CVE-2021-34141", + "id": "pyup.io-50121", + "more_info_path": "/vulnerabilities/CVE-2021-34141/50121", "specs": [ "<5.3.0" ], @@ -114673,9 +115752,9 @@ }, { "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.", - "cve": "CVE-2016-9841", - "id": "pyup.io-45787", - "more_info_path": "/vulnerabilities/CVE-2016-9841/45787", + "cve": "CVE-2016-9843", + "id": "pyup.io-45789", + "more_info_path": "/vulnerabilities/CVE-2016-9843/45789", "specs": [ "<3.5" ], @@ -114683,9 +115762,9 @@ }, { "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.", - "cve": "CVE-2016-9843", - "id": "pyup.io-45789", - "more_info_path": "/vulnerabilities/CVE-2016-9843/45789", + "cve": "CVE-2016-9841", + "id": "pyup.io-45787", + "more_info_path": "/vulnerabilities/CVE-2016-9841/45787", "specs": [ "<3.5" ], 
@@ -114882,6 +115961,18 @@
 "v": "<0.2.0"
 }
 ],
+ "pyload": [
+ {
+ "advisory": "pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication. See CVE-2024-32880.",
+ "cve": "CVE-2024-32880",
+ "id": "pyup.io-70714",
+ "more_info_path": "/vulnerabilities/CVE-2024-32880/70714",
+ "specs": [
+ "<=5.0"
+ ],
+ "v": "<=5.0"
+ }
+ ],
 "pyload-ng": [
 {
 "advisory": "Pyload-ng 0.5.0b3.dev31 includes a fix for CVE-2023-0297: Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.",
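Review bot: The new `pyload` record pins `"specs": [ "<=5.0" ]` while its own advisory says no fix is available at the time of publication, so a later still-vulnerable release above 5.0 would silently stop matching; for an unfixed issue an open-ended range (`">=0"`, or whatever this dataset uses for unpatched advisories) is the consistent choice, with the spec and the advisory text updated together once a fixed version exists. The advisory names the project only as "pyload", whereas the `pyload-ng` entry immediately below this hunk tracks the `pyload/pyload` GitHub repository, so it is worth confirming which PyPI distribution CVE-2024-32880 actually applies to before publishing it under the `pyload` key; that is inferred from the neighbouring entry, not from this hunk.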
@@ -115184,20 +116275,20 @@ ], "pymatgen": [ { - "advisory": "Pymatgen 2024.2.20 addresses a critical vulnerability, CVE-2024-23346, allowing arbitrary code execution via a malicious CIF file. This issue stems from the insecure use of eval() in processing CIF file content, potentially leading to system compromise if exploited.\r\nhttps://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f", - "cve": "CVE-2022-42964", - "id": "pyup.io-65638", - "more_info_path": "/vulnerabilities/CVE-2022-42964/65638", + "advisory": "Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library before version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling the execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. See CVE-2024-23346.", + "cve": "CVE-2024-23346", + "id": "pyup.io-65694", + "more_info_path": "/vulnerabilities/CVE-2024-23346/65694", "specs": [ "<2024.2.20" ], "v": "<2024.2.20" }, { - "advisory": "Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library before version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling the execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. See CVE-2024-23346.", - "cve": "CVE-2024-23346", - "id": "pyup.io-65694", - "more_info_path": "/vulnerabilities/CVE-2024-23346/65694", + "advisory": "Pymatgen 2024.2.20 addresses a critical vulnerability, CVE-2024-23346, allowing arbitrary code execution via a malicious CIF file. 
This issue stems from the insecure use of eval() in processing CIF file content, potentially leading to system compromise if exploited.\r\nhttps://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f", + "cve": "CVE-2022-42964", + "id": "pyup.io-65638", + "more_info_path": "/vulnerabilities/CVE-2022-42964/65638", "specs": [ "<2024.2.20" ], @@ -115352,6 +116443,28 @@ "<2.5.2" ], "v": "<2.5.2" + }, + { + "advisory": "Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte. See CVE-2024-21506.", + "cve": "CVE-2024-21506", + "id": "pyup.io-70626", + "more_info_path": "/vulnerabilities/CVE-2024-21506/70626", + "specs": [ + "<4.6.3" + ], + "v": "<4.6.3" + } + ], + "pymysql": [ + { + "advisory": "PyMySQL 1.1.1 addresses CVE-2024-36039, a critical SQL injection vulnerability present in versions up to 1.1.0. This vulnerability occurs when the library is used with untrusted JSON input because keys are not properly escaped by escape_dict, allowing attackers to inject malicious SQL queries.", + "cve": "CVE-2024-36039", + "id": "pyup.io-71083", + "more_info_path": "/vulnerabilities/CVE-2024-36039/71083", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" } ], "pynecone": [ 
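Review bot: The second pymatgen record keeps `"cve": "CVE-2022-42964"` while its advisory text describes the eval()-in-CIF issue and cites CVE-2024-23346 and GHSA-vgv8-5cpj-qj2f, so the file now carries two near-identical descriptions of CVE-2024-23346 and no description of whatever CVE-2022-42964 actually covers. Either the `cve`/`id`/`more_info_path` triple or the `advisory` text is attached to the wrong record; the triple should be checked against pyup entry 65638 and the text rewritten to describe that CVE (which, if memory serves, is an earlier pymatgen ReDoS rather than the CIF eval, in which case its `<2024.2.20` spec needs re-verifying too). Until then a consumer deduplicating by CVE ID will report an unrelated identifier against the 2024.2.20 fix.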
@@ -116032,6 +117145,28 @@ "v": ">0" } ], + "pypx800v5": [ + { + "advisory": "Pypx800v5 version 1.2.1 updates its `aiohttp` dependency from 3.9.3 to 3.9.5 to address several security vulnerabilities, including CVE-2024-27306. This update ensures the application remains secure by incorporating the necessary fixes provided in the latest version of the `aiohttp` library.", + "cve": "CVE-2024-30251", + "id": "pyup.io-71177", + "more_info_path": "/vulnerabilities/CVE-2024-30251/71177", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + }, + { + "advisory": "Pypx800v5 version 1.2.1 updates its `requests` dependency from 2.31.0 to 2.32.2 to address multiple security vulnerabilities, including CVE-2024-35195. This update ensures the application is protected against known issues in the older version of the `requests` library.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71169", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71169", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + } + ], "pyqlib": [ { "advisory": "This affects all versions of package pyqlib. The workflow function in cli part of pyqlib was using an unsafe YAML load function. See CVE-2021-23338.", 
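Review bot: The first pypx800v5 record's advisory says the aiohttp bump addresses "several security vulnerabilities, including CVE-2024-27306" while its `cve`, `id` and `more_info_path` fields all point to CVE-2024-30251, so the human-readable text and the machine-readable ID disagree within a single entry. If both aiohttp advisories were closed by the 3.9.3→3.9.5 bump, the clean fix is one record per CVE with matching text, e.g. `"advisory": "... to address several security vulnerabilities, including CVE-2024-30251. ..."` here and a sibling record for CVE-2024-27306. Otherwise tools that surface `advisory` to users will display one identifier and link to another.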
@@ -116356,32 +117491,32 @@ ], "pyrdfa3": [ { - "advisory": "A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. \r\nNOTE: RDFlib is no longer being developed and is looking for a new maintainer \r\nhttps://github.com/RDFLib/pyrdfa3/issues/38", + "advisory": "A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability.", "cve": "CVE-2022-4396", "id": "pyup.io-54597", "more_info_path": "/vulnerabilities/CVE-2022-4396/54597", "specs": [ - ">=0" + "<3.6.2" ], - "v": ">=0" + "v": "<3.6.2" } ], "pyrit": [ { - "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22421.", - "cve": "CVE-2024-22421", - "id": "pyup.io-66903", - "more_info_path": "/vulnerabilities/CVE-2024-22421/66903", + "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22420.\r\nhttps://github.com/Azure/PyRIT/pull/26/commits/e9322551a6842f73e6e232b469579374d2915290", + "cve": "CVE-2024-22420", + "id": "pyup.io-66865", + "more_info_path": "/vulnerabilities/CVE-2024-22420/66865", "specs": [ "<0.1.0" ], "v": "<0.1.0" }, { - "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in 
response to the security issue outlined in CVE-2024-22420.\r\nhttps://github.com/Azure/PyRIT/pull/26/commits/e9322551a6842f73e6e232b469579374d2915290", - "cve": "CVE-2024-22420", - "id": "pyup.io-66865", - "more_info_path": "/vulnerabilities/CVE-2024-22420/66865", + "advisory": "Pyrit version 0.1.0 has upgraded its notebook dependency to version 7.0.7 in response to the security issue outlined in CVE-2024-22421.", + "cve": "CVE-2024-22421", + "id": "pyup.io-66903", + "more_info_path": "/vulnerabilities/CVE-2024-22421/66903", "specs": [ "<0.1.0" ], @@ -116752,20 +117887,20 @@ ], "pysnc": [ { - "advisory": "Pysnc version 1.1.6 upgrades its pip requirement to \"^23.3.1\" to address the security concerns outlined in CVE-2023-5752.", - "cve": "CVE-2023-5752", - "id": "pyup.io-66998", - "more_info_path": "/vulnerabilities/CVE-2023-5752/66998", + "advisory": "Pysnc version 1.1.6 has updated its urllib3 dependency to version \"^2.0.7\" in response to security vulnerability CVE-2023-45803.", + "cve": "CVE-2023-45803", + "id": "pyup.io-67143", + "more_info_path": "/vulnerabilities/CVE-2023-45803/67143", "specs": [ "<1.1.6" ], "v": "<1.1.6" }, { - "advisory": "Pysnc version 1.1.6 has updated its urllib3 dependency to version \"^2.0.7\" in response to security vulnerability CVE-2023-45803.", - "cve": "CVE-2023-45803", - "id": "pyup.io-67143", - "more_info_path": "/vulnerabilities/CVE-2023-45803/67143", + "advisory": "Pysnc version 1.1.6 upgrades its pip requirement to \"^23.3.1\" to address the security concerns outlined in CVE-2023-5752.", + "cve": "CVE-2023-5752", + "id": "pyup.io-66998", + "more_info_path": "/vulnerabilities/CVE-2023-5752/66998", "specs": [ "<1.1.6" ], 
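Review bot: Narrowing pyrdfa3 from `">=0"` to `"<3.6.2"` asserts that 3.6.2 is a released, fixed version, but the retained advisory still says only "It is recommended to apply a patch" and names a commit rather than a release, and the same hunk drops the note that the project is unmaintained. Unless a 3.6.2 (or later) distribution containing ffd1d62 is actually on PyPI, the range should stay `">=0"` and the advisory should keep pointing at the patch commit; if such a release exists, say so in the text, e.g. `... The fix is included in release 3.6.2.` A bound with no matching release is worse than an open range because it tells consumers a fixed version exists.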
@@ -118304,7 +119439,7 @@ "v": "<2.7.9,>=3.2.0a0,<3.2.6,>=3.3.0a0,<3.3.6,>=3.4.0a0,<3.4.3" }, { - "advisory": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\r\n\r\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\r\n\r\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).", + "advisory": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).", "cve": "CVE-2023-6507", "id": "pyup.io-70382", "more_info_path": "/vulnerabilities/CVE-2023-6507/70382", 
@@ -118902,7 +120037,7 @@ "v": "<=2.6.6,>=3.1.0,<3.1.3" }, { - "advisory": "** DISPUTED ** The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x.", + "advisory": "The MSI installer for Python through 2.7.16 on Windows defaults to the C:\\Python27 directory, which makes it easier for local users to deploy Trojan horse code: a privilege escalation vulnerability. This issue also affects old 3.x releases before 3.5.\r\nNOTE: the vendor's position is that it is the user's responsibility to ensure C:\\Python27 access control or choose a different directory, because backwards compatibility requires that C:\\Python27 remain the default for 2.7.x.", "cve": "CVE-2019-13404", "id": "pyup.io-70573", "more_info_path": "/vulnerabilities/CVE-2019-13404/70573", 
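Review bot: The rewritten CVE-2019-13404 advisory drops the leading `** DISPUTED **` marker and adds the characterisation "a privilege escalation vulnerability", while still carrying the vendor's note that the default directory is the user's responsibility, so the entry reads as a confirmed finding in its first sentence and as a dispute in its last. The next hunk in this same update adds the marker to CVE-2023-36632, so two CPython records whose status is, as far as I know, the same (both vendor-disputed) are being treated in opposite ways. Keep the marker, `"advisory": "** DISPUTED ** The MSI installer for Python through 2.7.16 ..."`, or drop the editorial severity wording, but not one without the other.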
@@ -118913,7 +120048,7 @@ "v": "<=2.7.16,>=3.0.0,<3.5.0" }, { - "advisory": "The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", + "advisory": "** DISPUTED ** The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger \"RecursionError: maximum recursion depth exceeded while calling a Python object\" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.", "cve": "CVE-2023-36632", "id": "pyup.io-65051", "more_info_path": "/vulnerabilities/CVE-2023-36632/65051", 
@@ -118942,26 +120077,6 @@ ], "v": "<=3.5.0" }, - { - "advisory": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=false setting.", - "cve": "CVE-2017-17522", - "id": "pyup.io-67539", - "more_info_path": "/vulnerabilities/CVE-2017-17522/67539", - "specs": [ - "<=3.6.3" - ], - "v": "<=3.6.3" - }, - { - "advisory": "** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications \"need to be prepared to handle a wide variety of exceptions.\"", - "cve": "CVE-2017-18207", - "id": "pyup.io-67441", - "more_info_path": "/vulnerabilities/CVE-2017-18207/67441", - "specs": [ - "<=3.6.4" - ], - "v": "<=3.6.4" - }, { "advisory": "Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.", "cve": "CVE-2007-1657", 
@@ -118982,6 +120097,19 @@ ], "v": "==3.12.0a7" }, + { + "advisory": "Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.", + "cve": "CVE-2018-1000117", + "id": "pyup.io-70750", + "more_info_path": "/vulnerabilities/CVE-2018-1000117/70750", + "specs": [ + "==3.7.0", + ">=3.2.0,<3.4.9", + ">=3.5.0,<3.5.6", + ">=3.6.0,<3.6.5" + ], + "v": "==3.7.0,>=3.2.0,<3.4.9,>=3.5.0,<3.5.6,>=3.6.0,<3.6.5" + }, { "advisory": "This is a dummy vulnerability only.", "cve": "CVE-2023-0593", @@ -119151,6 +120279,20 @@ ], "v": ">=2.7.0,<2.7.12,>=3.3.0,<3.3.7,>=3.4.0,<3.4.5,>=3.5.0,<3.5.2" }, + { + "advisory": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", + "cve": "CVE-2017-9233", + "id": "pyup.io-70736", + "more_info_path": "/vulnerabilities/CVE-2017-9233/70736", + "specs": [ + ">=2.7.0,<2.7.15", + ">=3.3.0,<3.3.7", + ">=3.4.0,<3.4.7", + ">=3.5.0,<3.5.4", + ">=3.6.0,<3.6.2" + ], + "v": ">=2.7.0,<2.7.15,>=3.3.0,<3.3.7,>=3.4.0,<3.4.7,>=3.5.0,<3.5.4,>=3.6.0,<3.6.2" + }, { "advisory": "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the \"CCS Injection\" vulnerability.", "cve": "CVE-2014-0224", 
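Review bot: The new CVE-2018-1000117 record lists `"==3.7.0"` among its specs even though its own advisory text says the issue "appears to have been fixed in 3.7.0 and 3.6.5", so the fixed release is flagged as vulnerable. If the intent was to cover the 3.7.0 pre-releases, a PEP 440 `==3.7.0` does not match `3.7.0a1`…`3.7.0rc1`; use `">=3.7.0a1,<3.7.0"` and drop the exact pin. The `v` string needs the same correction, `"v": ">=3.7.0a1,<3.7.0,>=3.2.0,<3.4.9,>=3.5.0,<3.5.6,>=3.6.0,<3.6.5"`.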
@@ -119300,10 +120442,10 @@ "v": ">=3.12.0a1,<=3.12.0rc1,>=3.11.0a1,<3.11.5,>=3.10.0a1,<3.10.13,>=3.9.0a1,<3.9.18,<3.8.18" }, { - "advisory": "An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", - "cve": "CVE-2024-0450", - "id": "pyup.io-66951", - "more_info_path": "/vulnerabilities/CVE-2024-0450/66951", + "advisory": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", + "cve": "CVE-2023-6597", + "id": "pyup.io-66949", + "more_info_path": "/vulnerabilities/CVE-2023-6597/66949", "specs": [ ">=3.12.0a1,<=3.12.2", ">=3.11.0a1,<=3.11.8", 
@@ -119314,10 +120456,10 @@ "v": ">=3.12.0a1,<=3.12.2,>=3.11.0a1,<=3.11.8,>=3.10.0a1,<=3.10.13,>=3.9.0a1,<=3.9.18,>=0,<=3.8.18" }, { - "advisory": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", - "cve": "CVE-2023-6597", - "id": "pyup.io-66949", - "more_info_path": "/vulnerabilities/CVE-2023-6597/66949", + "advisory": "An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", + "cve": "CVE-2024-0450", + "id": "pyup.io-66951", + "more_info_path": "/vulnerabilities/CVE-2024-0450/66951", "specs": [ ">=3.12.0a1,<=3.12.2", ">=3.11.0a1,<=3.11.8", @@ -119442,6 +120584,17 @@ ], "v": ">=3.7.0,<3.7.10,>=3.8.0,<3.8.8,>=3.9.0,<3.9.2,>=3.0.0a0,<3.6.13" }, + { + "advisory": "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.", + "cve": "CVE-2020-15801", + "id": "pyup.io-70751", + "more_info_path": "/vulnerabilities/CVE-2020-15801/70751", + "specs": [ + ">=3.7.0,<3.7.9", + ">=3.8.0,<3.8.5" + ], + "v": ">=3.7.0,<3.7.9,>=3.8.0,<3.8.5" + }, { "advisory": "Python version 3.7.0b3 hardens ssl module against CVE-2018-8970.\r\nhttps://bugs.python.org/issue33136", "cve": "CVE-2018-8970", 
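Review bot: The new CVE-2020-15801 record's advisory names a single affected release, "In Python 3.8.4", yet its specs `">=3.7.0,<3.7.9"` and `">=3.8.0,<3.8.5"` also flag every 3.7.x and 3.8.0–3.8.3, none of which the text supports. The `_pth` regression was, as far as I recall, introduced by the CVE-2020-15523 fix that shipped in 3.8.4 (and possibly 3.7.8), so the specs should pin the regressed releases rather than a range, e.g. `"specs": ["==3.8.4"]` plus `"==3.7.8"` only if the 3.7 backport is confirmed, with `v` updated to match. Over-wide ranges on a CPython record are costly because every dependent package's scan inherits them.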
@@ -119584,6 +120737,18 @@ "v": "<0.2.25" } ], + "python-bitvavo-api": [ + { + "advisory": "Python-bitvavo-api version 1.4.2 updates its requests dependency from 'requests==2.31.0' to 'requests>=2.31.0,<3.0.0' to address vulnerabilities such as CVE-2023-32681.", + "cve": "CVE-2023-32681", + "id": "pyup.io-71295", + "more_info_path": "/vulnerabilities/CVE-2023-32681/71295", + "specs": [ + "<1.4.2" + ], + "v": "<1.4.2" + } + ], "python-bugzilla": [ { "advisory": "python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.", @@ -119843,6 +121008,36 @@ "<4.4.0" ], "v": "<4.4.0" + }, + { + "advisory": "Python-gitlab version 4.5.0 updates its dependency on `jinja2` from version 3.1.3 to 3.1.4 due to the security vulnerability identified in CVE-2024-22195.", + "cve": "CVE-2024-22195", + "id": "pyup.io-70982", + "more_info_path": "/vulnerabilities/CVE-2024-22195/70982", + "specs": [ + "<4.5.0" + ], + "v": "<4.5.0" + }, + { + "advisory": "Python-gitlab version 4.5.0 updates its dependency on the `black` package from version 24.2.0 to 24.3.0 in response to CVE-2024-21503.", + "cve": "CVE-2024-21503", + "id": "pyup.io-70993", + "more_info_path": "/vulnerabilities/CVE-2024-21503/70993", + "specs": [ + "<4.5.0" + ], + "v": "<4.5.0" + }, + { + "advisory": "Python-gitlab version 4.6.0 updates its requests dependency from 2.31.0 to 2.32.0 to address the security vulnerability identified as CVE-2024-35195.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71219", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71219", + "specs": [ + "<4.6.0" + ], + "v": "<4.6.0" } ], "python-glanceclient": [ 
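Review bot: The python-bitvavo-api 1.4.2 record claims that relaxing `requests==2.31.0` to `requests>=2.31.0,<3.0.0` addresses CVE-2023-32681, but 2.31.0 is, as far as I recall, exactly the requests release that fixed that CVE, so the pinned 1.4.1 already shipped the fix and 1.4.2 changes nothing security-wise. An entry like this produces a false positive for every `<1.4.2` install and should be dropped unless the bump actually reaches a version fixing a later requests advisory, in which case the text and `cve` field should name that one. Verify against the requests changelog before publishing.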
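Review bot: The python-gitlab 4.5.0 record attributes the jinja2 3.1.3→3.1.4 bump to CVE-2024-22195, but that identifier is, as far as I recall, the XSS already fixed in 3.1.3, while 3.1.4 addressed a different advisory (CVE-2024-34064), so the `cve`, `id` and `more_info_path` triple points at an issue 4.4.x had already closed. Check the Jinja2 3.1.4 release notes and either rekey this record, e.g. `"cve": "CVE-2024-34064"` with its matching pyup `id`, or drop it. The same hunk's black (24.3.0 / CVE-2024-21503) and requests (2.32.0 / CVE-2024-35195) records appear consistent with their stated fix versions.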
@@ -119912,10 +121107,10 @@ ], "python-homewizard-energy": [ { - "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'urllib3' to include a security fix.", - "cve": "CVE-2023-43804", - "id": "pyup.io-61779", - "more_info_path": "/vulnerabilities/CVE-2023-43804/61779", + "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'gitpython' to include a security fix.", + "cve": "CVE-2023-40590", + "id": "pyup.io-61780", + "more_info_path": "/vulnerabilities/CVE-2023-40590/61780", "specs": [ "<2.1.2" ], @@ -119932,10 +121127,10 @@ "v": "<2.1.2" }, { - "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'gitpython' to include a security fix.", - "cve": "CVE-2023-40590", - "id": "pyup.io-61780", - "more_info_path": "/vulnerabilities/CVE-2023-40590/61780", + "advisory": "Python-homewizard-energy 2.1.2 updates its dependency 'urllib3' to include a security fix.", + "cve": "CVE-2023-43804", + "id": "pyup.io-61779", + "more_info_path": "/vulnerabilities/CVE-2023-43804/61779", "specs": [ "<2.1.2" ], @@ -120016,6 +121211,26 @@ "<1.3.2" ], "v": "<1.3.2" + }, + { + "advisory": "python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a \"JWT bomb.\" This is similar to CVE-2024-21319. See CVE-2024-33664.", + "cve": "CVE-2024-33664", + "id": "pyup.io-70716", + "more_info_path": "/vulnerabilities/CVE-2024-33664/70716", + "specs": [ + "<3.3.0" + ], + "v": "<3.3.0" + }, + { + "advisory": "python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. See CVE-2024-33663.", + "cve": "CVE-2024-33663", + "id": "pyup.io-70715", + "more_info_path": "/vulnerabilities/CVE-2024-33663/70715", + "specs": [ + "<3.3.0" + ], + "v": "<3.3.0" } ], "python-jsonlogic": [ 
@@ -120982,20 +122197,20 @@ "v": "<1.6.0" }, { - "advisory": "Pytorch-lightning before 1.6.0 is vulnerable to Deserialization of Untrusted Data.", - "cve": "CVE-2021-4118", - "id": "pyup.io-54698", - "more_info_path": "/vulnerabilities/CVE-2021-4118/54698", + "advisory": "PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the `PL_TRAINER_GPUS` when using the `Trainer` module. A [patch](https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae) is included in the `1.6.0` release.\r\nAffected functions:\r\npytorch_lightning.utilities.argparse.parse_env_variables", + "cve": "CVE-2022-0845", + "id": "pyup.io-54685", + "more_info_path": "/vulnerabilities/CVE-2022-0845/54685", "specs": [ ">=0,<1.6.0" ], "v": ">=0,<1.6.0" }, { - "advisory": "PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the `PL_TRAINER_GPUS` when using the `Trainer` module. A [patch](https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae) is included in the `1.6.0` release.\r\nAffected functions:\r\npytorch_lightning.utilities.argparse.parse_env_variables", - "cve": "CVE-2022-0845", - "id": "pyup.io-54685", - "more_info_path": "/vulnerabilities/CVE-2022-0845/54685", + "advisory": "Pytorch-lightning before 1.6.0 is vulnerable to Deserialization of Untrusted Data.", + "cve": "CVE-2021-4118", + "id": "pyup.io-54698", + "more_info_path": "/vulnerabilities/CVE-2021-4118/54698", "specs": [ ">=0,<1.6.0" ], 
@@ -121547,9 +122762,9 @@ }, { "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", - "cve": "CVE-2021-25291", - "id": "pyup.io-46440", - "more_info_path": "/vulnerabilities/CVE-2021-25291/46440", + "cve": "CVE-2021-27922", + "id": "pyup.io-46444", + "more_info_path": "/vulnerabilities/CVE-2021-27922/46444", "specs": [ "<6.1.0" ], @@ -121567,9 +122782,9 @@ }, { "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", - "cve": "CVE-2020-10994", - "id": "pyup.io-46449", - "more_info_path": "/vulnerabilities/CVE-2020-10994/46449", + "cve": "CVE-2021-25291", + "id": "pyup.io-46440", + "more_info_path": "/vulnerabilities/CVE-2021-25291/46440", "specs": [ "<6.1.0" ], @@ -121595,16 +122810,6 @@ ], "v": "<6.1.0" }, - { - "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", - "cve": "CVE-2020-15999", - "id": "pyup.io-46445", - "more_info_path": "/vulnerabilities/CVE-2020-15999/46445", - "specs": [ - "<6.1.0" - ], - "v": "<6.1.0" - }, { "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", "cve": "CVE-2020-11538", @@ -121655,6 +122860,26 @@ ], "v": "<6.1.0" }, + { + "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", + "cve": "CVE-2020-10994", + "id": "pyup.io-46449", + "more_info_path": "/vulnerabilities/CVE-2020-10994/46449", + "specs": [ + "<6.1.0" + ], + "v": "<6.1.0" + }, + { + "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", + "cve": "CVE-2020-15999", + "id": "pyup.io-46445", + "more_info_path": "/vulnerabilities/CVE-2020-15999/46445", + "specs": [ + "<6.1.0" + ], + "v": "<6.1.0" + }, { "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", "cve": "CVE-2021-27921", 
@@ -121684,16 +122909,6 @@ "<6.1.0" ], "v": "<6.1.0" - }, - { - "advisory": "Pywikibot 6.1.0 updates its dependency 'Pillow' to versions >=8.1.1 to include security fixes.", - "cve": "CVE-2021-27922", - "id": "pyup.io-46444", - "more_info_path": "/vulnerabilities/CVE-2021-27922/46444", - "specs": [ - "<6.1.0" - ], - "v": "<6.1.0" } ], "pywin32": [ @@ -122062,20 +123277,20 @@ "v": "<0.15.1" }, { - "advisory": "Qoqo-qryd 0.8.4 updates its CARGO dependency 'openssl' to v0.10.48 to include security fixes.\r\nhttps://rustsec.org/advisories/RUSTSEC-2023-0024.html", - "cve": "PVE-2023-53900", - "id": "pyup.io-53900", - "more_info_path": "/vulnerabilities/PVE-2023-53900/53900", + "advisory": "Qoqo-qryd 0.8.4 updates its CARGO dependency 'openssl' to v0.10.48 to include security fixes.\r\nhttps://rustsec.org/advisories/RUSTSEC-2023-0022.html", + "cve": "PVE-2023-53881", + "id": "pyup.io-53881", + "more_info_path": "/vulnerabilities/PVE-2023-53881/53881", "specs": [ "<0.8.4" ], "v": "<0.8.4" }, { - "advisory": "Qoqo-qryd 0.8.4 updates its CARGO dependency 'openssl' to v0.10.48 to include security fixes.\r\nhttps://rustsec.org/advisories/RUSTSEC-2023-0022.html", - "cve": "PVE-2023-53881", - "id": "pyup.io-53881", - "more_info_path": "/vulnerabilities/PVE-2023-53881/53881", + "advisory": "Qoqo-qryd 0.8.4 updates its CARGO dependency 'openssl' to v0.10.48 to include security fixes.\r\nhttps://rustsec.org/advisories/RUSTSEC-2023-0024.html", + "cve": "PVE-2023-53900", + "id": "pyup.io-53900", + "more_info_path": "/vulnerabilities/PVE-2023-53900/53900", "specs": [ "<0.8.4" ], 
@@ -122658,20 +123873,20 @@ "v": "<=1.0.1" }, { - "advisory": "The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.", - "cve": "CVE-2015-8747", - "id": "pyup.io-54108", - "more_info_path": "/vulnerabilities/CVE-2015-8747/54108", + "advisory": "Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by \".*\".", + "cve": "CVE-2015-8748", + "id": "pyup.io-54109", + "more_info_path": "/vulnerabilities/CVE-2015-8748/54109", "specs": [ ">=0,<1.1" ], "v": ">=0,<1.1" }, { - "advisory": "Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by \".*\".", - "cve": "CVE-2015-8748", - "id": "pyup.io-54109", - "more_info_path": "/vulnerabilities/CVE-2015-8748/54109", + "advisory": "The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.", + "cve": "CVE-2015-8747", + "id": "pyup.io-54108", + "more_info_path": "/vulnerabilities/CVE-2015-8747/54108", "specs": [ ">=0,<1.1" ], 
@@ -122759,26 +123974,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15195", - "id": "pyup.io-48366", - "more_info_path": "/vulnerabilities/CVE-2020-15195/48366", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15203", - "id": "pyup.io-48368", - "more_info_path": "/vulnerabilities/CVE-2020-15203/48368", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2018-11770", @@ -122789,16 +123984,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-20838", - "id": "pyup.io-48352", - "more_info_path": "/vulnerabilities/CVE-2019-20838/48352", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2020-15204", @@ -122831,9 +124016,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-26271", - "id": "pyup.io-48383", - "more_info_path": "/vulnerabilities/CVE-2020-26271/48383", + "cve": "CVE-2019-20838", + "id": "pyup.io-48352", + "more_info_path": "/vulnerabilities/CVE-2019-20838/48352", "specs": [ "<2.0.2" ], 
@@ -122859,16 +124044,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15202", - "id": "pyup.io-48367", - "more_info_path": "/vulnerabilities/CVE-2020-15202/48367", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2020-15250", @@ -122879,16 +124054,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2018-17190", - "id": "pyup.io-48341", - "more_info_path": "/vulnerabilities/CVE-2018-17190/48341", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2020-15207", @@ -122901,29 +124066,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15205", - "id": "pyup.io-48370", - "more_info_path": "/vulnerabilities/CVE-2020-15205/48370", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13434", - "id": "pyup.io-48357", - "more_info_path": "/vulnerabilities/CVE-2020-13434/48357", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-16168", - "id": "pyup.io-48347", - "more_info_path": "/vulnerabilities/CVE-2019-16168/48347", + "cve": "CVE-2020-26271", + "id": "pyup.io-48383", + "more_info_path": "/vulnerabilities/CVE-2020-26271/48383", "specs": [ "<2.0.2" ], 
@@ -122939,26 +124084,6 @@ ], "v": "<2.0.2" }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15358", - "id": "pyup.io-48378", - "more_info_path": "/vulnerabilities/CVE-2020-15358/48378", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, - { - "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-14155", - "id": "pyup.io-48363", - "more_info_path": "/vulnerabilities/CVE-2020-14155/48363", - "specs": [ - "<2.0.2" - ], - "v": "<2.0.2" - }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", "cve": "CVE-2020-13790", @@ -122991,9 +124116,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-19244", - "id": "pyup.io-48348", - "more_info_path": "/vulnerabilities/CVE-2019-19244/48348", + "cve": "CVE-2020-11656", + "id": "pyup.io-48356", + "more_info_path": "/vulnerabilities/CVE-2020-11656/48356", "specs": [ "<2.0.2" ], @@ -123001,9 +124126,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-13960", - "id": "pyup.io-48345", - "more_info_path": "/vulnerabilities/CVE-2019-13960/48345", + "cve": "CVE-2019-19880", + "id": "pyup.io-48351", + "more_info_path": "/vulnerabilities/CVE-2019-19880/48351", "specs": [ "<2.0.2" ], @@ -123011,9 +124136,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-11656", - "id": "pyup.io-48356", - "more_info_path": "/vulnerabilities/CVE-2020-11656/48356", + "cve": "CVE-2019-5481", + "id": "pyup.io-48353", + "more_info_path": "/vulnerabilities/CVE-2019-5481/48353", "specs": [ "<2.0.2" ], 
@@ -123021,9 +124146,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-26268", - "id": "pyup.io-48381", - "more_info_path": "/vulnerabilities/CVE-2020-26268/48381", + "cve": "CVE-2020-15194", + "id": "pyup.io-48365", + "more_info_path": "/vulnerabilities/CVE-2020-15194/48365", "specs": [ "<2.0.2" ], @@ -123031,9 +124156,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-19880", - "id": "pyup.io-48351", - "more_info_path": "/vulnerabilities/CVE-2019-19880/48351", + "cve": "CVE-2019-5482", + "id": "pyup.io-48354", + "more_info_path": "/vulnerabilities/CVE-2019-5482/48354", "specs": [ "<2.0.2" ], @@ -123041,9 +124166,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13630", - "id": "pyup.io-48359", - "more_info_path": "/vulnerabilities/CVE-2020-13630/48359", + "cve": "CVE-2020-15202", + "id": "pyup.io-48367", + "more_info_path": "/vulnerabilities/CVE-2020-15202/48367", "specs": [ "<2.0.2" ], @@ -123051,9 +124176,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15208", - "id": "pyup.io-48373", - "more_info_path": "/vulnerabilities/CVE-2020-15208/48373", + "cve": "CVE-2018-20330", + "id": "pyup.io-48343", + "more_info_path": "/vulnerabilities/CVE-2018-20330/48343", "specs": [ "<2.0.2" ], @@ -123061,9 +124186,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-26267", - "id": "pyup.io-48380", - "more_info_path": "/vulnerabilities/CVE-2020-26267/48380", + "cve": "CVE-2019-19646", + "id": "pyup.io-48350", + "more_info_path": "/vulnerabilities/CVE-2019-19646/48350", "specs": [ "<2.0.2" ], 
@@ -123071,9 +124196,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15211", - "id": "pyup.io-48376", - "more_info_path": "/vulnerabilities/CVE-2020-15211/48376", + "cve": "CVE-2019-10099", + "id": "pyup.io-48344", + "more_info_path": "/vulnerabilities/CVE-2019-10099/48344", "specs": [ "<2.0.2" ], @@ -123081,9 +124206,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-13631", - "id": "pyup.io-48360", - "more_info_path": "/vulnerabilities/CVE-2020-13631/48360", + "cve": "CVE-2019-19244", + "id": "pyup.io-48348", + "more_info_path": "/vulnerabilities/CVE-2019-19244/48348", "specs": [ "<2.0.2" ], @@ -123091,9 +124216,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-5481", - "id": "pyup.io-48353", - "more_info_path": "/vulnerabilities/CVE-2019-5481/48353", + "cve": "CVE-2020-15203", + "id": "pyup.io-48368", + "more_info_path": "/vulnerabilities/CVE-2020-15203/48368", "specs": [ "<2.0.2" ], @@ -123101,9 +124226,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15190", - "id": "pyup.io-48364", - "more_info_path": "/vulnerabilities/CVE-2020-15190/48364", + "cve": "CVE-2020-15195", + "id": "pyup.io-48366", + "more_info_path": "/vulnerabilities/CVE-2020-15195/48366", "specs": [ "<2.0.2" ], @@ -123111,9 +124236,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-15194", - "id": "pyup.io-48365", - "more_info_path": "/vulnerabilities/CVE-2020-15194/48365", + "cve": "CVE-2019-13960", + "id": "pyup.io-48345", + "more_info_path": "/vulnerabilities/CVE-2019-13960/48345", "specs": [ "<2.0.2" ], 
@@ -123121,9 +124246,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-5482", - "id": "pyup.io-48354", - "more_info_path": "/vulnerabilities/CVE-2019-5482/48354", + "cve": "CVE-2018-17190", + "id": "pyup.io-48341", + "more_info_path": "/vulnerabilities/CVE-2018-17190/48341", "specs": [ "<2.0.2" ], @@ -123131,9 +124256,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2018-19664", - "id": "pyup.io-48342", - "more_info_path": "/vulnerabilities/CVE-2018-19664/48342", + "cve": "CVE-2020-15205", + "id": "pyup.io-48370", + "more_info_path": "/vulnerabilities/CVE-2020-15205/48370", "specs": [ "<2.0.2" ], @@ -123141,9 +124266,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2020-9327", - "id": "pyup.io-48385", - "more_info_path": "/vulnerabilities/CVE-2020-9327/48385", + "cve": "CVE-2020-14155", + "id": "pyup.io-48363", + "more_info_path": "/vulnerabilities/CVE-2020-14155/48363", "specs": [ "<2.0.2" ], @@ -123151,9 +124276,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2018-20330", - "id": "pyup.io-48343", - "more_info_path": "/vulnerabilities/CVE-2018-20330/48343", + "cve": "CVE-2020-13434", + "id": "pyup.io-48357", + "more_info_path": "/vulnerabilities/CVE-2020-13434/48357", "specs": [ "<2.0.2" ], @@ -123161,9 +124286,9 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-19646", - "id": "pyup.io-48350", - "more_info_path": "/vulnerabilities/CVE-2019-19646/48350", + "cve": "CVE-2019-16168", + "id": "pyup.io-48347", + "more_info_path": "/vulnerabilities/CVE-2019-16168/48347", "specs": [ "<2.0.2" ], 
@@ -123171,9 +124296,9 @@
 },
 {
 "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.",
- "cve": "CVE-2020-15209",
- "id": "pyup.io-48374",
- "more_info_path": "/vulnerabilities/CVE-2020-15209/48374",
+ "cve": "CVE-2020-15358",
+ "id": "pyup.io-48378",
+ "more_info_path": "/vulnerabilities/CVE-2020-15358/48378",
 "specs": [
 "<2.0.2"
 ],
@@ -123181,9 +124306,59 @@ }, { "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", - "cve": "CVE-2019-10099", - "id": "pyup.io-48344", - "more_info_path": "/vulnerabilities/CVE-2019-10099/48344", + "cve": "CVE-2020-26268", + "id": "pyup.io-48381", + "more_info_path": "/vulnerabilities/CVE-2020-26268/48381", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-13630", + "id": "pyup.io-48359", + "more_info_path": "/vulnerabilities/CVE-2020-13630/48359", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-15208", + "id": "pyup.io-48373", + "more_info_path": "/vulnerabilities/CVE-2020-15208/48373", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-15211", + "id": "pyup.io-48376", + "more_info_path": "/vulnerabilities/CVE-2020-15211/48376", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-13631", + "id": "pyup.io-48360", + "more_info_path": "/vulnerabilities/CVE-2020-13631/48360", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-15190", + "id": "pyup.io-48364", + "more_info_path": "/vulnerabilities/CVE-2020-15190/48364", "specs": [ "<2.0.2" ], 
@@ -123199,6 +124374,46 @@ ], "v": "<2.0.2" }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-26267", + "id": "pyup.io-48380", + "more_info_path": "/vulnerabilities/CVE-2020-26267/48380", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2018-19664", + "id": "pyup.io-48342", + "more_info_path": "/vulnerabilities/CVE-2018-19664/48342", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-9327", + "id": "pyup.io-48385", + "more_info_path": "/vulnerabilities/CVE-2020-9327/48385", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address security issues.", + "cve": "CVE-2020-15209", + "id": "pyup.io-48374", + "more_info_path": "/vulnerabilities/CVE-2020-15209/48374", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + }, { "advisory": "Rapidtide 2.6.5 updates its dependency 'urllib3' to v2.0.6 to include a security fix.", "cve": "CVE-2023-43804", @@ -124994,9 +126209,9 @@ }, { "advisory": "Rasa 3.3.1 updates its dependency 'numpy' to v1.23.4 to include security fixes.", - "cve": "CVE-2021-33430", - "id": "pyup.io-51878", - "more_info_path": "/vulnerabilities/CVE-2021-33430/51878", + "cve": "CVE-2021-41495", + "id": "pyup.io-51806", + "more_info_path": "/vulnerabilities/CVE-2021-41495/51806", "specs": [ "<3.3.1" ], 
@@ -125004,9 +126219,9 @@ }, { "advisory": "Rasa 3.3.1 updates its dependency 'numpy' to v1.23.4 to include security fixes.", - "cve": "CVE-2021-34141", - "id": "pyup.io-51877", - "more_info_path": "/vulnerabilities/CVE-2021-34141/51877", + "cve": "CVE-2021-33430", + "id": "pyup.io-51878", + "more_info_path": "/vulnerabilities/CVE-2021-33430/51878", "specs": [ "<3.3.1" ], @@ -125014,9 +126229,9 @@ }, { "advisory": "Rasa 3.3.1 updates its dependency 'numpy' to v1.23.4 to include security fixes.", - "cve": "CVE-2021-41495", - "id": "pyup.io-51806", - "more_info_path": "/vulnerabilities/CVE-2021-41495/51806", + "cve": "CVE-2021-34141", + "id": "pyup.io-51877", + "more_info_path": "/vulnerabilities/CVE-2021-34141/51877", "specs": [ "<3.3.1" ], @@ -125092,16 +126307,6 @@ ], "v": "<3.6.7" }, - { - "advisory": "Rasa 3.6.7 updates its dependency 'scipy' to version '1.10.1' to include a fix for a DoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa/pull/12768", - "cve": "CVE-2023-25399", - "id": "pyup.io-60811", - "more_info_path": "/vulnerabilities/CVE-2023-25399/60811", - "specs": [ - "<3.6.7" - ], - "v": "<3.6.7" - }, { "advisory": "Rasa 3.6.7 updates its dependency 'cryptography' to version '41.0.3' to include a fix for a vulnerability.\r\nhttps://github.com/RasaHQ/rasa/pull/12768", "cve": "PVE-2023-60809", @@ -125122,6 +126327,16 @@ ], "v": "<3.6.7" }, + { + "advisory": "Rasa 3.6.7 updates its dependency 'scipy' to version '1.10.1' to include a fix for a DoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa/pull/12768", + "cve": "CVE-2023-25399", + "id": "pyup.io-60811", + "more_info_path": "/vulnerabilities/CVE-2023-25399/60811", + "specs": [ + "<3.6.7" + ], + "v": "<3.6.7" + }, { "advisory": "Rasa 3.6.7 updates its dependency 'certifi' to version '2023.7.22' to include a fix for a vulnerability.\r\nhttps://github.com/RasaHQ/rasa/pull/12768", "cve": "CVE-2023-37920", 
@@ -125729,9 +126944,9 @@ }, { "advisory": "Rasa-sdk 3.6.2 updates its dependency 'wheel' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa-sdk/pull/1026", - "cve": "CVE-2022-40898", - "id": "pyup.io-60643", - "more_info_path": "/vulnerabilities/CVE-2022-40898/60643", + "cve": "PVE-2023-60638", + "id": "pyup.io-60638", + "more_info_path": "/vulnerabilities/PVE-2023-60638/60638", "specs": [ "<3.6.2" ], @@ -125739,9 +126954,9 @@ }, { "advisory": "Rasa-sdk 3.6.2 updates its dependency 'wheel' to include a fix for a ReDoS vulnerability.\r\nhttps://github.com/RasaHQ/rasa-sdk/pull/1026", - "cve": "PVE-2023-60638", - "id": "pyup.io-60638", - "more_info_path": "/vulnerabilities/PVE-2023-60638/60638", + "cve": "CVE-2022-40898", + "id": "pyup.io-60643", + "more_info_path": "/vulnerabilities/CVE-2022-40898/60643", "specs": [ "<3.6.2" ], @@ -125877,9 +127092,9 @@ }, { "advisory": "Ray 1.9.1 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/ray-project/ray/commit/2cdbf974ea63caf4323aacbccaef2394a14a8562", - "cve": "CVE-2021-45046", - "id": "pyup.io-43415", - "more_info_path": "/vulnerabilities/CVE-2021-45046/43415", + "cve": "CVE-2021-44228", + "id": "pyup.io-43413", + "more_info_path": "/vulnerabilities/CVE-2021-44228/43413", "specs": [ "<1.9.1" ], @@ -125887,9 +127102,9 @@ }, { "advisory": "Ray 1.9.1 updates its dependency 'log4j' to v2.16.0 to include security fixes.\r\nhttps://github.com/ray-project/ray/commit/2cdbf974ea63caf4323aacbccaef2394a14a8562", - "cve": "CVE-2021-44228", - "id": "pyup.io-43413", - "more_info_path": "/vulnerabilities/CVE-2021-44228/43413", + "cve": "CVE-2021-45046", + "id": "pyup.io-43415", + "more_info_path": "/vulnerabilities/CVE-2021-45046/43415", "specs": [ "<1.9.1" ], 
@@ -125916,27 +127131,27 @@ "v": "<2.11.0" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6021: LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", - "cve": "CVE-2023-6021", - "id": "pyup.io-62650", - "more_info_path": "/vulnerabilities/CVE-2023-6021/62650", + "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "cve": "CVE-2023-6020", + "id": "pyup.io-62649", + "more_info_path": "/vulnerabilities/CVE-2023-6020/62649", "specs": [ "<2.8.1" ], "v": "<2.8.1" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6019: A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", - "cve": "CVE-2023-6019", - "id": "pyup.io-62632", - "more_info_path": "/vulnerabilities/CVE-2023-6019/62632", + "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6021: LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "cve": "CVE-2023-6021", + "id": "pyup.io-62650", + "more_info_path": "/vulnerabilities/CVE-2023-6021/62650", "specs": [ "<2.8.1" ], "v": "<2.8.1" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-48023: Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. 
NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "advisory": "** DISPUTED ** Ray 2.8.1 includes a fix for CVE-2023-48023: Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", "cve": "CVE-2023-48023", "id": "pyup.io-62651", "more_info_path": "/vulnerabilities/CVE-2023-48023/62651", @@ -125946,10 +127161,10 @@ "v": "<2.8.1" }, { - "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", - "cve": "CVE-2023-6020", - "id": "pyup.io-62649", - "more_info_path": "/vulnerabilities/CVE-2023-6020/62649", + "advisory": "Ray 2.8.1 includes a fix for CVE-2023-6019: A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.\r\nhttps://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023", + "cve": "CVE-2023-6019", + "id": "pyup.io-62632", + "more_info_path": "/vulnerabilities/CVE-2023-6019/62632", "specs": [ "<2.8.1" ], 
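Review bot: The disputed status of CVE-2023-48023 is carried only as a free-text `** DISPUTED **` prefix inside `advisory`, so consumers of this database cannot filter or down-rank disputed findings without parsing prose, and the entry's `specs`/`v` still flag every `<2.8.1` install exactly like the undisputed LFI and command-injection entries beside it. The prefix mirrors the upstream CVE description convention, but a structured marker alongside `cve` would let tooling act on the vendor's position explicitly. The enclosing `ray` array starts and ends outside this hunk, which itself begins on the previous chunk line.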
@@ -127086,6 +128301,16 @@ "<0.1.33" ], "v": "<0.1.33" + }, + { + "advisory": "Reflex version 3.0 updates its gunicorn dependency from 21.2.0 to 22.0.0 in response to CVE-2024-1135.", + "cve": "CVE-2024-1135", + "id": "pyup.io-70983", + "more_info_path": "/vulnerabilities/CVE-2024-1135/70983", + "specs": [ + "<3.0" + ], + "v": "<3.0" } ], "regex": [ @@ -127115,9 +128340,9 @@ "rejected": [ { "advisory": "Rejected 3.20.7 updates its dependency 'pyyaml' to v5.3.1 to include security fixes.\r\nhttps://github.com/gmr/rejected/commit/3d0d600f2fec041d84f0255af51c8b46ea98815b", - "cve": "CVE-2019-20477", - "id": "pyup.io-44584", - "more_info_path": "/vulnerabilities/CVE-2019-20477/44584", + "cve": "CVE-2020-1747", + "id": "pyup.io-42627", + "more_info_path": "/vulnerabilities/CVE-2020-1747/42627", "specs": [ "<3.20.7" ], @@ -127125,9 +128350,9 @@ }, { "advisory": "Rejected 3.20.7 updates its dependency 'pyyaml' to v5.3.1 to include security fixes.\r\nhttps://github.com/gmr/rejected/commit/3d0d600f2fec041d84f0255af51c8b46ea98815b", - "cve": "CVE-2020-1747", - "id": "pyup.io-42627", - "more_info_path": "/vulnerabilities/CVE-2020-1747/42627", + "cve": "CVE-2019-20477", + "id": "pyup.io-44584", + "more_info_path": "/vulnerabilities/CVE-2019-20477/44584", "specs": [ "<3.20.7" ], @@ -127674,6 +128899,16 @@ } ], "requests": [ + { + "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. This fixes CVE-2014-1830.", + "cve": "CVE-2014-1830", + "id": "pyup.io-39575", + "more_info_path": "/vulnerabilities/CVE-2014-1830/39575", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + }, { "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. See: CVE-2014-1829.", "cve": "CVE-2014-1829", 
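Review bot: The new reflex entry's `specs`/`v` value `<3.0` does not fit the version line visible in the rest of this section, whose preceding entry closes with `<0.1.33`; if the gunicorn 22.0.0 bump in fact shipped in a 0.x release, `<3.0` marks every existing reflex version as affected. The release number should be confirmed against the upstream changelog before publishing, and the advisory text (`Reflex version 3.0 updates ...`) aligned with whatever `specs` ends up stating. The enclosing `reflex` array starts outside the hunk.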
@@ -127685,14 +128920,14 @@ "v": "<2.3.0" }, { - "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. This fixes CVE-2014-1830.", - "cve": "CVE-2014-1830", - "id": "pyup.io-39575", - "more_info_path": "/vulnerabilities/CVE-2014-1830/39575", + "advisory": "Requests 2.32.0 fixes CVE-2024-35195: Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71064", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71064", "specs": [ - "<2.3.0" + "<2.32.0" ], - "v": "<2.3.0" + "v": "<2.32.0" }, { "advisory": "If an incorrect password is used in conjunction with digest authentication in the `requests` package, it can lead to an infinite request retry cycle. This presents a Denial of Service (DoS) vulnerability.", @@ -128567,6 +129802,18 @@ "v": "<0.2.0" } ], + "rokuecp": [ + { + "advisory": "Rokuecp version 0.19.3 upgrades the dependency \"black\" from 24.2.0 to 24.3.0 in response to CVE-2024-21503, addressing a Regex-related denial of service vulnerability.", + "cve": "CVE-2024-21503", + "id": "pyup.io-70878", + "more_info_path": "/vulnerabilities/CVE-2024-21503/70878", + "specs": [ + "<0.19.3" + ], + "v": "<0.19.3" + } + ], "rolls-blockchain": [ { "advisory": "Rolls-blockchain 1.0beta14 adds peers gossiping to partially protect from eclipse attacks.\r\nhttps://github.com/strandedathome/rolls-blockchain/commit/5b17e1cf237247c767173c7c6f08ba70a22449b3", 
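Review bot: The new rokuecp entry flags `<0.19.3` for a ReDoS in `black`, but black is ordinarily a development-only formatter dependency; if rokuecp does not import it at runtime, installs of the package never load the affected code and this entry is a false positive for every downstream consumer. The advisory should record whether black is a runtime requirement, for example by appending `black is a development dependency of rokuecp and is not imported at runtime.` once that is confirmed, or the entry should be dropped. The `rokuecp` key and its array are entirely within the hunk.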
@@ -128772,6 +130019,16 @@ ], "v": "<1.4.17" }, + { + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.", + "cve": "CVE-2012-6133", + "id": "pyup.io-37744", + "more_info_path": "/vulnerabilities/CVE-2012-6133/37744", + "specs": [ + "<1.4.20" + ], + "v": "<1.4.20" + }, { "advisory": "Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.", "cve": "CVE-2012-6131", @@ -128792,16 +130049,6 @@ ], "v": "<1.4.20" }, - { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.", - "cve": "CVE-2012-6133", - "id": "pyup.io-37744", - "more_info_path": "/vulnerabilities/CVE-2012-6133/37744", - "specs": [ - "<1.4.20" - ], - "v": "<1.4.20" - }, { "advisory": "Roundup 1.4.7 disables serving uploaded HTML files content as HTML by default.\r\nhttps://github.com/roundup-tracker/roundup/commit/27ef29f1a64e89ebd4c5a99838a575ad3d44f993", "cve": "PVE-2023-58872", @@ -128822,16 +130069,6 @@ ], "v": "<1.4.7" }, - { - "advisory": "Roundup 1.5.1 includes a fix for a XSS vulnerability.\r\nhttps://issues.roundup-tracker.org/issue2550817", - "cve": "PVE-2023-58867", - "id": "pyup.io-58867", - "more_info_path": "/vulnerabilities/PVE-2023-58867/58867", - "specs": [ - "<1.5.1" - ], - "v": "<1.5.1" - }, { "advisory": "Roundup 1.5.1 includes a security fix: HTML attachments should not be served as text/html.\r\nhttps://issues.roundup-tracker.org/issue2550848", "cve": "PVE-2023-58893", 
@@ -128843,14 +130080,14 @@ "v": "<1.5.1" }, { - "advisory": "Roundup 1.6.0 includes a security fix: Inadequate CSRF protection.\r\nhttps://issues.roundup-tracker.org/issue2550690", - "cve": "PVE-2023-58866", - "id": "pyup.io-58866", - "more_info_path": "/vulnerabilities/PVE-2023-58866/58866", + "advisory": "Roundup 1.5.1 includes a fix for a XSS vulnerability.\r\nhttps://issues.roundup-tracker.org/issue2550817", + "cve": "PVE-2023-58867", + "id": "pyup.io-58867", + "more_info_path": "/vulnerabilities/PVE-2023-58867/58867", "specs": [ - "<1.6.0" + "<1.5.1" ], - "v": "<1.6.0" + "v": "<1.5.1" }, { "advisory": "Roundup 1.6.0 includes a security fix: XSS on 404 page.\r\nhttps://issues.roundup-tracker.org/issue2551035", @@ -128862,6 +130099,16 @@ ], "v": "<1.6.0" }, + { + "advisory": "Roundup 1.6.0 includes a security fix: Inadequate CSRF protection.\r\nhttps://issues.roundup-tracker.org/issue2550690", + "cve": "PVE-2023-58866", + "id": "pyup.io-58866", + "more_info_path": "/vulnerabilities/PVE-2023-58866/58866", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" + }, { "advisory": "Roundup 2.1.0b1 updates its dependency 'jquery' to v3.5.1 to include security fixes.\r\nhttps://issues.roundup-tracker.org/issue2551100\r\nhttps://github.com/roundup-tracker/roundup/commit/ac9b7768dc99b5951f5b1b42b0b4d10696d5e7c1", "cve": "CVE-2020-7656", 
@@ -129771,12 +131018,24 @@ "v": "<2.8.2" } ], + "sagemaker-python-sdk": [ + { + "advisory": "sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the \u201crequirements_path\u201d parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. This issue has been addressed in version 2.214.3. Users are advised to upgrade. Users unable to upgrade should not override the \u201crequirements_path\u201d parameter of capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`, and instead use the default value. See CVE-2024-34073.", + "cve": "CVE-2024-34073", + "id": "pyup.io-71241", + "more_info_path": "/vulnerabilities/CVE-2024-34073/71241", + "specs": [ + "<2.214.3" + ], + "v": "<2.214.3" + } + ], "sagemaker-pytorch-inference": [ { "advisory": "Sagemaker-pytorch-inference 1.4.1 updates its dependency 'pillow' to v7.1.0 to include security fixes.", - "cve": "CVE-2019-19911", - "id": "pyup.io-45797", - "more_info_path": "/vulnerabilities/CVE-2019-19911/45797", + "cve": "CVE-2020-5310", + "id": "pyup.io-45793", + "more_info_path": "/vulnerabilities/CVE-2020-5310/45793", "specs": [ "<1.4.1" ], @@ -129784,9 +131043,9 @@ }, { "advisory": "Sagemaker-pytorch-inference 1.4.1 updates its dependency 'pillow' to v7.1.0 to include security fixes.", - "cve": "CVE-2020-5313", - "id": "pyup.io-45796", - "more_info_path": "/vulnerabilities/CVE-2020-5313/45796", + "cve": "CVE-2019-19911", + "id": "pyup.io-45797", + "more_info_path": "/vulnerabilities/CVE-2019-19911/45797", "specs": [ "<1.4.1" ], 
@@ -129804,9 +131063,9 @@
 },
 {
 "advisory": "Sagemaker-pytorch-inference 1.4.1 updates its dependency 'pillow' to v7.1.0 to include security fixes.",
- "cve": "CVE-2020-5310",
- "id": "pyup.io-45793",
- "more_info_path": "/vulnerabilities/CVE-2020-5310/45793",
+ "cve": "CVE-2020-5313",
+ "id": "pyup.io-45796",
+ "more_info_path": "/vulnerabilities/CVE-2020-5313/45796",
 "specs": [
 "<1.4.1"
 ],
@@ -129843,6 +131102,18 @@
 "v": "<1.4.1"
 }
 ],
+ "sagemath": [
+ {
+ "advisory": "SageMath FlintQS 1.0 relies on pathnames under TMPDIR (typically world-writable), which (for example) allows a local user to overwrite files with the privileges of a different user (who is running FlintQS).",
+ "cve": "CVE-2023-29465",
+ "id": "pyup.io-70902",
+ "more_info_path": "/vulnerabilities/CVE-2023-29465/70902",
+ "specs": [
+ "<=1.0"
+ ],
+ "v": "<=1.0"
+ }
+ ],
 "saleor": [
 {
 "advisory": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.",
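Review bot: The new sagemath entry's advisory text is about "SageMath FlintQS 1.0", yet the range `<=1.0` is applied to the package key `sagemath`; if the PyPI distribution's versions do not track FlintQS, the spec either never matches or matches unrelated releases, so the mapping from CVE-2023-29465 to this package name should be confirmed. The inclusive bound also records no fixed version, leaving every matched install flagged with no upgrade path; the advisory should state that explicitly, e.g. append `No fixed version is known at the time of writing.` if that is the case. The top-level object of package keys continues outside the hunk.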
@@ -129969,10 +131240,10 @@
 "v": "<0.15.0"
 },
 {
- "advisory": "An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
- "cve": "CVE-2021-25283",
- "id": "pyup.io-41948",
- "more_info_path": "/vulnerabilities/CVE-2021-25283/41948",
+ "advisory": "An issue was discovered in through SaltStack Salt before 3002.5, identified as CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. Several Salt versions were patched. https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25",
+ "cve": "CVE-2021-25282",
+ "id": "pyup.io-41947",
+ "more_info_path": "/vulnerabilities/CVE-2021-25282/41947",
 "specs": [
 "<2015.8.10",
 ">=2015.8.11,<2015.8.13",
@@ -129993,10 +131264,10 @@
 "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5"
 },
 {
- "advisory": "Salt versions 3002.5, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10 include a fix for CVE-2021-3197: An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.\r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
- "cve": "CVE-2021-3197",
- "id": "pyup.io-41952",
- "more_info_path": "/vulnerabilities/CVE-2021-3197/41952",
+ "advisory": "An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
+ "cve": "CVE-2021-3148",
+ "id": "pyup.io-41951",
+ "more_info_path": "/vulnerabilities/CVE-2021-3148/41951",
 "specs": [
 "<2015.8.10",
 ">=2015.8.11,<2015.8.13",
@@ -130017,10 +131288,10 @@
 "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5"
 },
 {
- "advisory": "An issue was discovered in through SaltStack Salt before 3002.5. Salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
- "cve": "CVE-2021-25281",
- "id": "pyup.io-41946",
- "more_info_path": "/vulnerabilities/CVE-2021-25281/41946",
+ "advisory": "In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
+ "cve": "CVE-2020-35662",
+ "id": "pyup.io-41945",
+ "more_info_path": "/vulnerabilities/CVE-2020-35662/41945",
 "specs": [
 "<2015.8.10",
 ">=2015.8.11,<2015.8.13",
@@ -130041,10 +131312,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "An issue was discovered in SaltStack Salt before 3002.5 identified as CVE-2021-25284: salt.modules.cmdmod can log credentials to the info or error log level.\r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25", - "cve": "CVE-2021-25284", - "id": "pyup.io-41949", - "more_info_path": "/vulnerabilities/CVE-2021-25284/41949", + "advisory": "In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", + "cve": "CVE-2021-3144", + "id": "pyup.io-41950", + "more_info_path": "/vulnerabilities/CVE-2021-3144/41950", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130065,10 +131336,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", - "cve": "CVE-2020-28972", - "id": "pyup.io-41944", - "more_info_path": "/vulnerabilities/CVE-2020-28972/41944", + "advisory": "An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", + "cve": "CVE-2021-25283", + "id": "pyup.io-41948", + "more_info_path": "/vulnerabilities/CVE-2021-25283/41948", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130089,10 +131360,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "An issue was discovered in through SaltStack Salt before 3002.5, identified as CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal. Several Salt versions were patched. https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25", - "cve": "CVE-2021-25282", - "id": "pyup.io-41947", - "more_info_path": "/vulnerabilities/CVE-2021-25282/41947", + "advisory": "Salt versions 3002.5, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10 include a fix for CVE-2021-3197: An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.\r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", + "cve": "CVE-2021-3197", + "id": "pyup.io-41952", + "more_info_path": "/vulnerabilities/CVE-2021-3197/41952", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130113,10 +131384,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", - "cve": "CVE-2021-3148", - "id": "pyup.io-41951", - "more_info_path": "/vulnerabilities/CVE-2021-3148/41951", + "advisory": "An issue was discovered in through SaltStack Salt before 3002.5. Salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", + "cve": "CVE-2021-25281", + "id": "pyup.io-41946", + "more_info_path": "/vulnerabilities/CVE-2021-25281/41946", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130137,10 +131408,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", - "cve": "CVE-2020-35662", - "id": "pyup.io-41945", - "more_info_path": "/vulnerabilities/CVE-2020-35662/41945", + "advisory": "An issue was discovered in SaltStack Salt before 3002.5 identified as CVE-2021-25284: salt.modules.cmdmod can log credentials to the info or error log level.\r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25", + "cve": "CVE-2021-25284", + "id": "pyup.io-41949", + "more_info_path": "/vulnerabilities/CVE-2021-25284/41949", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130161,10 +131432,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. Several Salt versions were patched. \r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25", - "cve": "CVE-2020-28243", - "id": "pyup.io-41929", - "more_info_path": "/vulnerabilities/CVE-2020-28243/41929", + "advisory": "In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", + "cve": "CVE-2020-28972", + "id": "pyup.io-41944", + "more_info_path": "/vulnerabilities/CVE-2020-28972/41944", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130185,10 +131456,10 @@ "v": "<2015.8.10,>=2015.8.11,<2015.8.13,>=2016.3.0rc0,<2016.3.4,==2016.3.5,==2016.3.7,>=2016.3.9,<2016.11.3,==2016.11.4,>=2016.11.7,<2016.11.10,>=2017.5.0,<2017.7.8,>=2018.2.0,<=2018.3.5,>=2019.2.0rc0,<2019.2.5,>=2019.2.6,<2019.2.8,>=3000.0.0rc0,<3000.6,>=3001rc1,<3001.4,>=3002rc0,<3002.5" }, { - "advisory": "In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions. Several Salt versions were patched. See: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", - "cve": "CVE-2021-3144", - "id": "pyup.io-41950", - "more_info_path": "/vulnerabilities/CVE-2021-3144/41950", + "advisory": "An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. Several Salt versions were patched. \r\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25", + "cve": "CVE-2020-28243", + "id": "pyup.io-41929", + "more_info_path": "/vulnerabilities/CVE-2020-28243/41929", "specs": [ "<2015.8.10", ">=2015.8.11,<2015.8.13", 
@@ -130284,10 +131555,10 @@ "v": "<3002.8,>=3003rc0,<3003.4,>=3004rc0,<3004.1" }, { - "advisory": "Salt 3002.8, 3003.4 and 3004.1 include a fix for CVE-2022-22934: Salt Masters do not sign pillar data with the minion\u2019s public key, which can result in attackers substituting arbitrary pillar data.", - "cve": "CVE-2022-22934", - "id": "pyup.io-49570", - "more_info_path": "/vulnerabilities/CVE-2022-22934/49570", + "advisory": "Salt 3002.8, 3003.4 and 3004.1 include a fix for CVE-2022-22941: When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.", + "cve": "CVE-2022-22941", + "id": "pyup.io-49628", + "more_info_path": "/vulnerabilities/CVE-2022-22941/49628", "specs": [ "<3002.8", ">=3003rc0,<3003.4", 
@@ -130296,10 +131567,10 @@ "v": "<3002.8,>=3003rc0,<3003.4,>=3004rc0,<3004.1" }, { - "advisory": "Salt 3002.8, 3003.4 and 3004.1 include a fix for CVE-2022-22941: When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.", - "cve": "CVE-2022-22941", - "id": "pyup.io-49628", - "more_info_path": "/vulnerabilities/CVE-2022-22941/49628", + "advisory": "Salt 3002.8, 3003.4 and 3004.1 include a fix for CVE-2022-22934: Salt Masters do not sign pillar data with the minion\u2019s public key, which can result in attackers substituting arbitrary pillar data.", + "cve": "CVE-2022-22934", + "id": "pyup.io-49570", + "more_info_path": "/vulnerabilities/CVE-2022-22934/49570", "specs": [ "<3002.8", ">=3003rc0,<3003.4", @@ -130447,6 +131718,16 @@ ], "v": "<3005.5" }, + { + "advisory": "Salt 3006.0rc3 updates its dependency 'cryptography' to versions '>=39.0.1' to include security fixes.", + "cve": "CVE-2023-0286", + "id": "pyup.io-55066", + "more_info_path": "/vulnerabilities/CVE-2023-0286/55066", + "specs": [ + "<3006.0rc3" + ], + "v": "<3006.0rc3" + }, { "advisory": "Salt 3006.0rc3 updates its dependency 'markdown-it-py' to v2.2.0 to include security fixes.", "cve": "CVE-2023-26302", 
@@ -130477,16 +131758,6 @@ ], "v": "<3006.0rc3" }, - { - "advisory": "Salt 3006.0rc3 updates its dependency 'cryptography' to versions '>=39.0.1' to include security fixes.", - "cve": "CVE-2023-0286", - "id": "pyup.io-55066", - "more_info_path": "/vulnerabilities/CVE-2023-0286/55066", - "specs": [ - "<3006.0rc3" - ], - "v": "<3006.0rc3" - }, { "advisory": "Salt 3006.4 fixes CVE-2023-34049 to avoid impacting salt-ssg users using the pre-flight option and upgrades dependencies affected by vulnerabilities.\r\nhttps://github.com/saltstack/salt/commit/7a14112f2a16ce70e3c3e1862c92e37af5f2c7a4\r\nhttps://github.com/saltstack/salt/blob/master/CHANGELOG.md#30064-2023-10-16", "cve": "PVE-2023-62824", 
@@ -130547,6 +131818,86 @@ ], "v": "<3006.7" }, + { + "advisory": "Salt version 3006.8 upgrades its cryptography dependency to version 42.0.5 to address several security issues, including CVE-2024-26130.", + "cve": "PVE-2024-71128", + "id": "pyup.io-71128", + "more_info_path": "/vulnerabilities/PVE-2024-71128/71128", + "specs": [ + "<3006.8" + ], + "v": "<3006.8" + }, + { + "advisory": "Salt version 3006.8 upgrades its cryptography dependency to version 42.0.5 to address several security issues, including CVE-2023-50782.", + "cve": "CVE-2023-50782", + "id": "pyup.io-71142", + "more_info_path": "/vulnerabilities/CVE-2023-50782/71142", + "specs": [ + "<3006.8" + ], + "v": "<3006.8" + }, + { + "advisory": "Salt version 3006.8 upgrades its cryptography dependency to version 42.0.5 to address several security issues, including CVE-2024-0727.", + "cve": "CVE-2024-0727", + "id": "pyup.io-71143", + "more_info_path": "/vulnerabilities/CVE-2024-0727/71143", + "specs": [ + "<3006.8" + ], + "v": "<3006.8" + }, + { + "advisory": "Salt version 3006.8 updates its idna dependency to version 3.7 to address the security vulnerability identified as CVE-2024-3651.", + "cve": "CVE-2024-3651", + "id": "pyup.io-71144", + "more_info_path": "/vulnerabilities/CVE-2024-3651/71144", + "specs": [ + "<3006.8" + ], + "v": "<3006.8" + }, + { + "advisory": "Salt version 3006.8 updates its aiohttp dependency to version 3.9.4 to address the security vulnerability identified as CVE-2024-27306.", + "cve": "CVE-2024-27306", + "id": "pyup.io-71145", + "more_info_path": "/vulnerabilities/CVE-2024-27306/71145", + "specs": [ + "<3006.8" + ], + "v": "<3006.8" + }, + { + "advisory": "Salt version 3007.0 updates its GitPython dependency to version 3.1.35 or higher to address the security vulnerability identified in CVE-2023-40590.", + "cve": "CVE-2023-40590", + "id": "pyup.io-70737", + "more_info_path": "/vulnerabilities/CVE-2023-40590/70737", + "specs": [ + "<3007.0" + ], + "v": "<3007.0" + }, + { + 
"advisory": "Salt version 3007.0 updates its GitPython dependency to version 3.1.35 or higher to address the security vulnerability identified in CVE-2023-40590.", + "cve": "CVE-2023-41040", + "id": "pyup.io-70738", + "more_info_path": "/vulnerabilities/CVE-2023-41040/70738", + "specs": [ + "<3007.0" + ], + "v": "<3007.0" + }, + { + "advisory": "Salt version 3007.0 updates its Tornado library to version 6.3.3 or higher in response to the security advisory GHSA-qppv-j76h-2rpx.", + "cve": "PVE-2024-70600", + "id": "pyup.io-70600", + "more_info_path": "/vulnerabilities/PVE-2024-70600/70600", + "specs": [ + "<3007.0" + ], + "v": "<3007.0" + }, { "advisory": "Salt version 3007.0rc1 has updated its GitPython dependency to version 3.1.35 or higher in response to CVE-2023-40590\r\nhttps://github.com/saltstack/salt/pull/65137/commits/aaf493adba19ab96c5985eba6d8d471dd011115d", "cve": "CVE-2023-40590", @@ -130578,7 +131929,7 @@ "v": "<=3002" }, { - "advisory": "Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file. NOTE: this is disputed by third parties because an attacker cannot influence the eval input. Alias: PYSEC-2023-47", + "advisory": "** DISPUTED ** Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file. NOTE: this is disputed by third parties because an attacker cannot influence the eval input. Alias: PYSEC-2023-47", "cve": "CVE-2021-33226", "id": "pyup.io-62688", "more_info_path": "/vulnerabilities/CVE-2021-33226/62688", 
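Review bot: The new record pyup.io-70738 is keyed `"cve": "CVE-2023-41040"` but its advisory text is a verbatim copy of the preceding pyup.io-70737 entry and names CVE-2023-40590, so the description contradicts the identifier consumers will match on; the text should end `to address the security vulnerability identified in CVE-2023-41040.` and, ideally, describe that distinct GitPython issue rather than repeating the 40590 wording. The same hunk also adds pyup.io-70737 for CVE-2023-40590 with `"specs": ["<3007.0"]` directly above the pre-existing context record for the same CVE whose text says the fix landed in 3007.0rc1 (its specs are outside the hunk), so the 3007.0 pre-releases would be reported as both fixed and affected unless the two bounds are reconciled — presumably the new one should be `<3007.0rc1` if the existing record is right. pyup.io-71128 names CVE-2024-26130 in its text but carries a PVE identifier, unlike its sibling cryptography records 71142 and 71143 that use the CVE directly; worth confirming that is intentional. The enclosing "salt" array begins and ends outside this hunk.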
@@ -130618,20 +131969,20 @@ "v": ">=0,<2014.1.10" }, { - "advisory": "modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.", - "cve": "CVE-2015-1838", - "id": "pyup.io-54098", - "more_info_path": "/vulnerabilities/CVE-2015-1838/54098", + "advisory": "modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.", + "cve": "CVE-2015-1839", + "id": "pyup.io-54099", + "more_info_path": "/vulnerabilities/CVE-2015-1839/54099", "specs": [ ">=0,<2014.7.4" ], "v": ">=0,<2014.7.4" }, { - "advisory": "modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.", - "cve": "CVE-2015-1839", - "id": "pyup.io-54099", - "more_info_path": "/vulnerabilities/CVE-2015-1839/54099", + "advisory": "modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.", + "cve": "CVE-2015-1838", + "id": "pyup.io-54098", + "more_info_path": "/vulnerabilities/CVE-2015-1838/54098", "specs": [ ">=0,<2014.7.4" ], @@ -130679,10 +132030,10 @@ "v": ">=0,<2015.8.11" }, { - "advisory": "Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.", - "cve": "CVE-2017-5200", - "id": "pyup.io-53957", - "more_info_path": "/vulnerabilities/CVE-2017-5200/53957", + "advisory": "When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.", + "cve": "CVE-2017-5192", + "id": "pyup.io-53956", + "more_info_path": "/vulnerabilities/CVE-2017-5192/53956", "specs": [ ">=0,<2015.8.13", ">=2016.3,<2016.3.5", 
@@ -130691,10 +132042,10 @@ "v": ">=0,<2015.8.13,>=2016.3,<2016.3.5,>=2016.11,<2016.11.2" }, { - "advisory": "When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.", - "cve": "CVE-2017-5192", - "id": "pyup.io-53956", - "more_info_path": "/vulnerabilities/CVE-2017-5192/53956", + "advisory": "Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.", + "cve": "CVE-2017-5200", + "id": "pyup.io-53957", + "more_info_path": "/vulnerabilities/CVE-2017-5200/53957", "specs": [ ">=0,<2015.8.13", ">=2016.3,<2016.3.5", @@ -130789,10 +132140,10 @@ "v": ">=0,<2019.2.1" }, { - "advisory": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.", - "cve": "CVE-2020-11651", - "id": "pyup.io-54437", - "more_info_path": "/vulnerabilities/CVE-2020-11651/54437", + "advisory": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.", + "cve": "CVE-2020-11652", + "id": "pyup.io-54173", + "more_info_path": "/vulnerabilities/CVE-2020-11652/54173", "specs": [ ">=0,<2019.2.4", ">=3000,<3000.2" 
@@ -130800,10 +132151,10 @@ "v": ">=0,<2019.2.4,>=3000,<3000.2" }, { - "advisory": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.", - "cve": "CVE-2020-11652", - "id": "pyup.io-54173", - "more_info_path": "/vulnerabilities/CVE-2020-11652/54173", + "advisory": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.", + "cve": "CVE-2020-11651", + "id": "pyup.io-54437", + "more_info_path": "/vulnerabilities/CVE-2020-11651/54437", "specs": [ ">=0,<2019.2.4", ">=3000,<3000.2" 
@@ -131196,20 +132547,20 @@ "v": "<2.6.5" }, { - "advisory": "Sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708).", + "advisory": "Sbp 2.7.0 upgrades its requests dependency from version ~=2.8.1 to 2.20.* in response to the security vulnerability CVE-2018-18074.\r\nhttps://github.com/swift-nav/libsbp/pull/708/commits/d924fecd7969c8fecfb5d8741fada35e76ed363a", "cve": "CVE-2018-18074", - "id": "pyup.io-37937", - "more_info_path": "/vulnerabilities/CVE-2018-18074/37937", + "id": "pyup.io-64237", + "more_info_path": "/vulnerabilities/CVE-2018-18074/64237", "specs": [ "<2.7.0" ], "v": "<2.7.0" }, { - "advisory": "Sbp 2.7.0 upgrades its requests dependency from version ~=2.8.1 to 2.20.* in response to the security vulnerability CVE-2018-18074.\r\nhttps://github.com/swift-nav/libsbp/pull/708/commits/d924fecd7969c8fecfb5d8741fada35e76ed363a", + "advisory": "Sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708).", "cve": "CVE-2018-18074", - "id": "pyup.io-64237", - "more_info_path": "/vulnerabilities/CVE-2018-18074/64237", + "id": "pyup.io-37937", + "more_info_path": "/vulnerabilities/CVE-2018-18074/37937", "specs": [ "<2.7.0" ], @@ -131236,6 +132587,18 @@ "v": "<2.8.0" } ], + "scalecodec": [ + { + "advisory": "Scalecodec version 1.2.9 removes the py library from its dependencies to address the security vulnerability identified as CVE-2022-42969.", + "cve": "CVE-2022-42969", + "id": "pyup.io-71283", + "more_info_path": "/vulnerabilities/CVE-2022-42969/71283", + "specs": [ + "<1.2.9" + ], + "v": "<1.2.9" + } + ], "scalyr-agent-2": [ { "advisory": "Scalyr-agent-2 version 2.1.10 includes a fix for CVE-2020-24715: The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.", 
@@ -131538,20 +132901,20 @@ ], "schemathesis": [ { - "advisory": "Schemathesis 3.18.4 updates its dependency 'werkzeug' to version '2.3.7' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/schemathesis/schemathesis/pull/1696", - "cve": "CVE-2023-25577", - "id": "pyup.io-60382", - "more_info_path": "/vulnerabilities/CVE-2023-25577/60382", + "advisory": "Schemathesis 3.18.4 updates its dependency 'werkzeug' to version '2.3.7' to include a fix for an Access Restriction Bypass vulnerability.\r\nhttps://github.com/schemathesis/schemathesis/pull/1696", + "cve": "CVE-2023-23934", + "id": "pyup.io-60397", + "more_info_path": "/vulnerabilities/CVE-2023-23934/60397", "specs": [ "<3.18.4" ], "v": "<3.18.4" }, { - "advisory": "Schemathesis 3.18.4 updates its dependency 'werkzeug' to version '2.3.7' to include a fix for an Access Restriction Bypass vulnerability.\r\nhttps://github.com/schemathesis/schemathesis/pull/1696", - "cve": "CVE-2023-23934", - "id": "pyup.io-60397", - "more_info_path": "/vulnerabilities/CVE-2023-23934/60397", + "advisory": "Schemathesis 3.18.4 updates its dependency 'werkzeug' to version '2.3.7' to include a fix for a Denial of Service vulnerability.\r\nhttps://github.com/schemathesis/schemathesis/pull/1696", + "cve": "CVE-2023-25577", + "id": "pyup.io-60382", + "more_info_path": "/vulnerabilities/CVE-2023-25577/60382", "specs": [ "<3.18.4" ], 
@@ -131570,7 +132933,7 @@ "v": "<0.24.2" }, { - "advisory": "Scikit-learn 1.1.0rc1 includes a fix for CVE-2020-28975: svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. \r\nNOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.\r\nhttps://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85", + "advisory": "Scikit-learn 1.1.0rc1 includes a fix for CVE-2020-28975: svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. \r\nNOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.", "cve": "CVE-2020-28975", "id": "pyup.io-54297", "more_info_path": "/vulnerabilities/CVE-2020-28975/54297", 
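Review bot: The rewritten advisory for pyup.io-54297 drops the trailing fix-commit reference `https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85` that the old text carried, leaving the record with the vendor's dispute note but no pointer to the patch that 1.1.0rc1 ships. Other records in this file keep such links as a final `\r\n`-separated line (the sbp and Salt entries nearby do), so unless the URL was removed because it was found to be wrong, it should be retained for traceability.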
@@ -133447,20 +134810,20 @@ "v": "<0.7.18b5" }, { - "advisory": "Secretflow 0.7.18b5 requires 'wheel>=0.38.1' to include a security fix.", - "cve": "CVE-2022-40898", - "id": "pyup.io-53873", - "more_info_path": "/vulnerabilities/CVE-2022-40898/53873", + "advisory": "Secretflow 0.7.18b5 updates its dependency 'protobuf' to v3.19.6 to include a security fix.", + "cve": "CVE-2022-1941", + "id": "pyup.io-53872", + "more_info_path": "/vulnerabilities/CVE-2022-1941/53872", "specs": [ "<0.7.18b5" ], "v": "<0.7.18b5" }, { - "advisory": "Secretflow 0.7.18b5 updates its dependency 'protobuf' to v3.19.6 to include a security fix.", - "cve": "CVE-2022-1941", - "id": "pyup.io-53872", - "more_info_path": "/vulnerabilities/CVE-2022-1941/53872", + "advisory": "Secretflow 0.7.18b5 requires 'wheel>=0.38.1' to include a security fix.", + "cve": "CVE-2022-40898", + "id": "pyup.io-53873", + "more_info_path": "/vulnerabilities/CVE-2022-40898/53873", "specs": [ "<0.7.18b5" ], 
@@ -133676,6 +135039,38 @@ "v": "<1.0.1" } ], + "seismic-zfp": [ + { + "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its numpy dependency from version 1.21.3 to 1.22.2. This update addresses the vulnerability identified as CVE-2021-41495.", + "cve": "CVE-2021-41495", + "id": "pyup.io-71163", + "more_info_path": "/vulnerabilities/CVE-2021-41495/71163", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + }, + { + "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its fonttools dependency from 4.38.0 to 4.43.0. This update addresses the vulnerability identified as CVE-2023-45139.", + "cve": "CVE-2023-45139", + "id": "pyup.io-71183", + "more_info_path": "/vulnerabilities/CVE-2023-45139/71183", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + }, + { + "advisory": "Seismic-zfp version 0.3.2 has been updated to enhance security by upgrading its requests dependency from 2.31.0 to 2.32.0. This update addresses several CVEs, including CVE-2024-35195, ensuring the application is protected against vulnerabilities present in the older version.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71182", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71182", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + } + ], "seldon-core": [ { "advisory": "Seldon-core 1.0.1 updates its dependency 'pillow' from 6.2.0 to 7.0.0 to include security fixes.", @@ -135886,6 +137281,16 @@ } ], "sleap": [ + { + "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", + "cve": "CVE-2020-15211", + "id": "pyup.io-39680", + "more_info_path": "/vulnerabilities/CVE-2020-15211/39680", + "specs": [ + "<1.0.10" + ], + "v": "<1.0.10" + }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", "cve": "CVE-2020-15202", 
@@ -135906,6 +137311,16 @@ ], "v": "<1.0.10" }, + { + "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", + "cve": "CVE-2019-13960", + "id": "pyup.io-43823", + "more_info_path": "/vulnerabilities/CVE-2019-13960/43823", + "specs": [ + "<1.0.10" + ], + "v": "<1.0.10" + }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", "cve": "CVE-2018-17190", @@ -135938,9 +137353,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-15207", - "id": "pyup.io-43801", - "more_info_path": "/vulnerabilities/CVE-2020-15207/43801", + "cve": "CVE-2020-13434", + "id": "pyup.io-43808", + "more_info_path": "/vulnerabilities/CVE-2020-13434/43808", "specs": [ "<1.0.10" ], @@ -135948,9 +137363,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-13434", - "id": "pyup.io-43808", - "more_info_path": "/vulnerabilities/CVE-2020-13434/43808", + "cve": "CVE-2020-15207", + "id": "pyup.io-43801", + "more_info_path": "/vulnerabilities/CVE-2020-15207/43801", "specs": [ "<1.0.10" ], @@ -135978,9 +137393,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-15211", - "id": "pyup.io-39680", - "more_info_path": "/vulnerabilities/CVE-2020-15211/39680", + "cve": "CVE-2020-15208", + "id": "pyup.io-43798", + "more_info_path": "/vulnerabilities/CVE-2020-15208/43798", "specs": [ "<1.0.10" ], 
@@ -136006,36 +137421,6 @@ ], "v": "<1.0.10" }, - { - "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2018-19664", - "id": "pyup.io-43815", - "more_info_path": "/vulnerabilities/CVE-2018-19664/43815", - "specs": [ - "<1.0.10" - ], - "v": "<1.0.10" - }, - { - "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2018-11770", - "id": "pyup.io-43822", - "more_info_path": "/vulnerabilities/CVE-2018-11770/43822", - "specs": [ - "<1.0.10" - ], - "v": "<1.0.10" - }, - { - "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-15208", - "id": "pyup.io-43798", - "more_info_path": "/vulnerabilities/CVE-2020-15208/43798", - "specs": [ - "<1.0.10" - ], - "v": "<1.0.10" - }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", "cve": "CVE-2020-13871", @@ -136066,16 +137451,6 @@ ], "v": "<1.0.10" }, - { - "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2018-20330", - "id": "pyup.io-43820", - "more_info_path": "/vulnerabilities/CVE-2018-20330/43820", - "specs": [ - "<1.0.10" - ], - "v": "<1.0.10" - }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", "cve": "CVE-2020-15195", @@ -136098,9 +137473,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-15205", - "id": "pyup.io-43795", - "more_info_path": "/vulnerabilities/CVE-2020-15205/43795", + "cve": "CVE-2020-15209", + "id": "pyup.io-43799", + "more_info_path": "/vulnerabilities/CVE-2020-15209/43799", "specs": [ "<1.0.10" ], 
@@ -136108,9 +137483,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2019-19645", - "id": "pyup.io-43817", - "more_info_path": "/vulnerabilities/CVE-2019-19645/43817", + "cve": "CVE-2018-19664", + "id": "pyup.io-43815", + "more_info_path": "/vulnerabilities/CVE-2018-19664/43815", "specs": [ "<1.0.10" ], @@ -136118,9 +137493,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-11656", - "id": "pyup.io-43806", - "more_info_path": "/vulnerabilities/CVE-2020-11656/43806", + "cve": "CVE-2018-11770", + "id": "pyup.io-43822", + "more_info_path": "/vulnerabilities/CVE-2018-11770/43822", "specs": [ "<1.0.10" ], @@ -136128,9 +137503,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-9327", - "id": "pyup.io-43812", - "more_info_path": "/vulnerabilities/CVE-2020-9327/43812", + "cve": "CVE-2018-20330", + "id": "pyup.io-43820", + "more_info_path": "/vulnerabilities/CVE-2018-20330/43820", "specs": [ "<1.0.10" ], @@ -136138,9 +137513,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-15209", - "id": "pyup.io-43799", - "more_info_path": "/vulnerabilities/CVE-2020-15209/43799", + "cve": "CVE-2019-19645", + "id": "pyup.io-43817", + "more_info_path": "/vulnerabilities/CVE-2019-19645/43817", "specs": [ "<1.0.10" ], @@ -136148,9 +137523,9 @@ }, { "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.", - "cve": "CVE-2020-13630", - "id": "pyup.io-43804", - "more_info_path": "/vulnerabilities/CVE-2020-13630/43804", + "cve": "CVE-2020-11656", + "id": "pyup.io-43806", + "more_info_path": "/vulnerabilities/CVE-2020-11656/43806", "specs": [ "<1.0.10" ], 
@@ -136178,29 +137553,39 @@
 },
 {
 "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.",
- "cve": "CVE-2019-13960",
- "id": "pyup.io-43823",
- "more_info_path": "/vulnerabilities/CVE-2019-13960/43823",
+ "cve": "CVE-2020-15205",
+ "id": "pyup.io-43795",
+ "more_info_path": "/vulnerabilities/CVE-2020-15205/43795",
 "specs": [
 "<1.0.10"
 ],
 "v": "<1.0.10"
 },
 {
- "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29579",
- "id": "pyup.io-46163",
- "more_info_path": "/vulnerabilities/CVE-2021-29579/46163",
+ "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.",
+ "cve": "CVE-2020-9327",
+ "id": "pyup.io-43812",
+ "more_info_path": "/vulnerabilities/CVE-2020-9327/43812",
 "specs": [
- "<1.2.0a0"
+ "<1.0.10"
 ],
- "v": "<1.2.0a0"
+ "v": "<1.0.10"
+ },
+ {
+ "advisory": "Sleap 1.0.10 updates TensorFlow to v2.1.2 for security reasons.",
+ "cve": "CVE-2020-13630",
+ "id": "pyup.io-43804",
+ "more_info_path": "/vulnerabilities/CVE-2020-13630/43804",
+ "specs": [
+ "<1.0.10"
+ ],
+ "v": "<1.0.10"
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29528",
- "id": "pyup.io-46112",
- "more_info_path": "/vulnerabilities/CVE-2021-29528/46112",
+ "cve": "CVE-2021-29579",
+ "id": "pyup.io-46163",
+ "more_info_path": "/vulnerabilities/CVE-2021-29579/46163",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136238,9 +137623,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41227",
- "id": "pyup.io-46236",
- "more_info_path": "/vulnerabilities/CVE-2021-41227/46236",
+ "cve": "CVE-2021-29609",
+ "id": "pyup.io-46193",
+ "more_info_path": "/vulnerabilities/CVE-2021-29609/46193",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136258,9 +137643,119 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29609",
- "id": "pyup.io-46193",
- "more_info_path": "/vulnerabilities/CVE-2021-29609/46193",
+ "cve": "CVE-2021-29538",
+ "id": "pyup.io-46122",
+ "more_info_path": "/vulnerabilities/CVE-2021-29538/46122",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-41212",
+ "id": "pyup.io-46222",
+ "more_info_path": "/vulnerabilities/CVE-2021-41212/46222",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29527",
+ "id": "pyup.io-46111",
+ "more_info_path": "/vulnerabilities/CVE-2021-29527/46111",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-41195",
+ "id": "pyup.io-46205",
+ "more_info_path": "/vulnerabilities/CVE-2021-41195/46205",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29602",
+ "id": "pyup.io-46186",
+ "more_info_path": "/vulnerabilities/CVE-2021-29602/46186",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29603",
+ "id": "pyup.io-46187",
+ "more_info_path": "/vulnerabilities/CVE-2021-29603/46187",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29605",
+ "id": "pyup.io-46189",
+ "more_info_path": "/vulnerabilities/CVE-2021-29605/46189",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-41205",
+ "id": "pyup.io-46215",
+ "more_info_path": "/vulnerabilities/CVE-2021-41205/46215",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-41221",
+ "id": "pyup.io-46230",
+ "more_info_path": "/vulnerabilities/CVE-2021-41221/46230",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29576",
+ "id": "pyup.io-46160",
+ "more_info_path": "/vulnerabilities/CVE-2021-29576/46160",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-41198",
+ "id": "pyup.io-46208",
+ "more_info_path": "/vulnerabilities/CVE-2021-41198/46208",
+ "specs": [
+ "<1.2.0a0"
+ ],
+ "v": "<1.2.0a0"
+ },
+ {
+ "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
+ "cve": "CVE-2021-29587",
+ "id": "pyup.io-46171",
+ "more_info_path": "/vulnerabilities/CVE-2021-29587/46171",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136268,9 +137763,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29537",
- "id": "pyup.io-46121",
- "more_info_path": "/vulnerabilities/CVE-2021-29537/46121",
+ "cve": "CVE-2021-41209",
+ "id": "pyup.io-46219",
+ "more_info_path": "/vulnerabilities/CVE-2021-41209/46219",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136278,9 +137773,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29538",
- "id": "pyup.io-46122",
- "more_info_path": "/vulnerabilities/CVE-2021-29538/46122",
+ "cve": "CVE-2021-29524",
+ "id": "pyup.io-46108",
+ "more_info_path": "/vulnerabilities/CVE-2021-29524/46108",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136288,9 +137783,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41212",
- "id": "pyup.io-46222",
- "more_info_path": "/vulnerabilities/CVE-2021-41212/46222",
+ "cve": "CVE-2021-41215",
+ "id": "pyup.io-46225",
+ "more_info_path": "/vulnerabilities/CVE-2021-41215/46225",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136298,9 +137793,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29527",
- "id": "pyup.io-46111",
- "more_info_path": "/vulnerabilities/CVE-2021-29527/46111",
+ "cve": "CVE-2021-41216",
+ "id": "pyup.io-46226",
+ "more_info_path": "/vulnerabilities/CVE-2021-41216/46226",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136308,9 +137803,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41207",
- "id": "pyup.io-46217",
- "more_info_path": "/vulnerabilities/CVE-2021-41207/46217",
+ "cve": "CVE-2021-29558",
+ "id": "pyup.io-46142",
+ "more_info_path": "/vulnerabilities/CVE-2021-29558/46142",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136318,9 +137813,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41195",
- "id": "pyup.io-46205",
- "more_info_path": "/vulnerabilities/CVE-2021-41195/46205",
+ "cve": "CVE-2020-14155",
+ "id": "pyup.io-46076",
+ "more_info_path": "/vulnerabilities/CVE-2020-14155/46076",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136328,9 +137823,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29602",
- "id": "pyup.io-46186",
- "more_info_path": "/vulnerabilities/CVE-2021-29602/46186",
+ "cve": "CVE-2021-41207",
+ "id": "pyup.io-46217",
+ "more_info_path": "/vulnerabilities/CVE-2021-41207/46217",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136338,9 +137833,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29603",
- "id": "pyup.io-46187",
- "more_info_path": "/vulnerabilities/CVE-2021-29603/46187",
+ "cve": "CVE-2021-29596",
+ "id": "pyup.io-46180",
+ "more_info_path": "/vulnerabilities/CVE-2021-29596/46180",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136348,9 +137843,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29605",
- "id": "pyup.io-46189",
- "more_info_path": "/vulnerabilities/CVE-2021-29605/46189",
+ "cve": "CVE-2021-29584",
+ "id": "pyup.io-46168",
+ "more_info_path": "/vulnerabilities/CVE-2021-29584/46168",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136358,9 +137853,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41205",
- "id": "pyup.io-46215",
- "more_info_path": "/vulnerabilities/CVE-2021-41205/46215",
+ "cve": "CVE-2021-41213",
+ "id": "pyup.io-46223",
+ "more_info_path": "/vulnerabilities/CVE-2021-41213/46223",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136368,9 +137863,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29596",
- "id": "pyup.io-46180",
- "more_info_path": "/vulnerabilities/CVE-2021-29596/46180",
+ "cve": "CVE-2021-29600",
+ "id": "pyup.io-46184",
+ "more_info_path": "/vulnerabilities/CVE-2021-29600/46184",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136378,9 +137873,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41221",
- "id": "pyup.io-46230",
- "more_info_path": "/vulnerabilities/CVE-2021-41221/46230",
+ "cve": "CVE-2021-29611",
+ "id": "pyup.io-46196",
+ "more_info_path": "/vulnerabilities/CVE-2021-29611/46196",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136388,9 +137883,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29576",
- "id": "pyup.io-46160",
- "more_info_path": "/vulnerabilities/CVE-2021-29576/46160",
+ "cve": "CVE-2021-41196",
+ "id": "pyup.io-46206",
+ "more_info_path": "/vulnerabilities/CVE-2021-41196/46206",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136398,9 +137893,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29569",
- "id": "pyup.io-46153",
- "more_info_path": "/vulnerabilities/CVE-2021-29569/46153",
+ "cve": "CVE-2021-41223",
+ "id": "pyup.io-46232",
+ "more_info_path": "/vulnerabilities/CVE-2021-41223/46232",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136408,9 +137903,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29564",
- "id": "pyup.io-46148",
- "more_info_path": "/vulnerabilities/CVE-2021-29564/46148",
+ "cve": "CVE-2021-29588",
+ "id": "pyup.io-46172",
+ "more_info_path": "/vulnerabilities/CVE-2021-29588/46172",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136418,9 +137913,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41198",
- "id": "pyup.io-46208",
- "more_info_path": "/vulnerabilities/CVE-2021-41198/46208",
+ "cve": "CVE-2021-29522",
+ "id": "pyup.io-46106",
+ "more_info_path": "/vulnerabilities/CVE-2021-29522/46106",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136428,9 +137923,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29533",
- "id": "pyup.io-46117",
- "more_info_path": "/vulnerabilities/CVE-2021-29533/46117",
+ "cve": "CVE-2021-29512",
+ "id": "pyup.io-46096",
+ "more_info_path": "/vulnerabilities/CVE-2021-29512/46096",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136438,9 +137933,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29587",
- "id": "pyup.io-46171",
- "more_info_path": "/vulnerabilities/CVE-2021-29587/46171",
+ "cve": "CVE-2021-29597",
+ "id": "pyup.io-46181",
+ "more_info_path": "/vulnerabilities/CVE-2021-29597/46181",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136448,9 +137943,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41209",
- "id": "pyup.io-46219",
- "more_info_path": "/vulnerabilities/CVE-2021-41209/46219",
+ "cve": "CVE-2021-41200",
+ "id": "pyup.io-46210",
+ "more_info_path": "/vulnerabilities/CVE-2021-41200/46210",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136458,9 +137953,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41224",
- "id": "pyup.io-46233",
- "more_info_path": "/vulnerabilities/CVE-2021-41224/46233",
+ "cve": "CVE-2021-41218",
+ "id": "pyup.io-46228",
+ "more_info_path": "/vulnerabilities/CVE-2021-41218/46228",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136468,9 +137963,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29541",
- "id": "pyup.io-46125",
- "more_info_path": "/vulnerabilities/CVE-2021-29541/46125",
+ "cve": "CVE-2021-29575",
+ "id": "pyup.io-46159",
+ "more_info_path": "/vulnerabilities/CVE-2021-29575/46159",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136478,9 +137973,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29613",
- "id": "pyup.io-46198",
- "more_info_path": "/vulnerabilities/CVE-2021-29613/46198",
+ "cve": "CVE-2021-29582",
+ "id": "pyup.io-46166",
+ "more_info_path": "/vulnerabilities/CVE-2021-29582/46166",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136488,9 +137983,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29524",
- "id": "pyup.io-46108",
- "more_info_path": "/vulnerabilities/CVE-2021-29524/46108",
+ "cve": "CVE-2021-41227",
+ "id": "pyup.io-46236",
+ "more_info_path": "/vulnerabilities/CVE-2021-41227/46236",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136498,9 +137993,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41215",
- "id": "pyup.io-46225",
- "more_info_path": "/vulnerabilities/CVE-2021-41215/46225",
+ "cve": "CVE-2021-29541",
+ "id": "pyup.io-46125",
+ "more_info_path": "/vulnerabilities/CVE-2021-29541/46125",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136508,9 +138003,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41216",
- "id": "pyup.io-46226",
- "more_info_path": "/vulnerabilities/CVE-2021-41216/46226",
+ "cve": "CVE-2021-29613",
+ "id": "pyup.io-46198",
+ "more_info_path": "/vulnerabilities/CVE-2021-29613/46198",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136536,16 +138031,6 @@
 ],
 "v": "<1.2.0a0"
 },
- {
- "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29584",
- "id": "pyup.io-46168",
- "more_info_path": "/vulnerabilities/CVE-2021-29584/46168",
- "specs": [
- "<1.2.0a0"
- ],
- "v": "<1.2.0a0"
- },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
 "cve": "CVE-2021-29552",
@@ -136566,16 +138051,6 @@
 ],
 "v": "<1.2.0a0"
 },
- {
- "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29558",
- "id": "pyup.io-46142",
- "more_info_path": "/vulnerabilities/CVE-2021-29558/46142",
- "specs": [
- "<1.2.0a0"
- ],
- "v": "<1.2.0a0"
- },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
 "cve": "CVE-2021-29551",
@@ -136608,9 +138083,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-14155",
- "id": "pyup.io-46076",
- "more_info_path": "/vulnerabilities/CVE-2020-14155/46076",
+ "cve": "CVE-2021-29573",
+ "id": "pyup.io-46157",
+ "more_info_path": "/vulnerabilities/CVE-2021-29573/46157",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136618,9 +138093,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29588",
- "id": "pyup.io-46172",
- "more_info_path": "/vulnerabilities/CVE-2021-29588/46172",
+ "cve": "CVE-2021-29598",
+ "id": "pyup.io-46182",
+ "more_info_path": "/vulnerabilities/CVE-2021-29598/46182",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136628,9 +138103,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29573",
- "id": "pyup.io-46157",
- "more_info_path": "/vulnerabilities/CVE-2021-29573/46157",
+ "cve": "CVE-2021-41214",
+ "id": "pyup.io-46224",
+ "more_info_path": "/vulnerabilities/CVE-2021-41214/46224",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136638,9 +138113,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29598",
- "id": "pyup.io-46182",
- "more_info_path": "/vulnerabilities/CVE-2021-29598/46182",
+ "cve": "CVE-2021-29548",
+ "id": "pyup.io-46132",
+ "more_info_path": "/vulnerabilities/CVE-2021-29548/46132",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136648,9 +138123,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29581",
- "id": "pyup.io-46165",
- "more_info_path": "/vulnerabilities/CVE-2021-29581/46165",
+ "cve": "CVE-2021-29580",
+ "id": "pyup.io-46164",
+ "more_info_path": "/vulnerabilities/CVE-2021-29580/46164",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136658,9 +138133,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-15265",
- "id": "pyup.io-46078",
- "more_info_path": "/vulnerabilities/CVE-2020-15265/46078",
+ "cve": "CVE-2021-29547",
+ "id": "pyup.io-46131",
+ "more_info_path": "/vulnerabilities/CVE-2021-29547/46131",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136668,9 +138143,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41213",
- "id": "pyup.io-46223",
- "more_info_path": "/vulnerabilities/CVE-2021-41213/46223",
+ "cve": "CVE-2020-26266",
+ "id": "pyup.io-46080",
+ "more_info_path": "/vulnerabilities/CVE-2020-26266/46080",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136678,9 +138153,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29546",
- "id": "pyup.io-46130",
- "more_info_path": "/vulnerabilities/CVE-2021-29546/46130",
+ "cve": "CVE-2021-29599",
+ "id": "pyup.io-46183",
+ "more_info_path": "/vulnerabilities/CVE-2021-29599/46183",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136688,9 +138163,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41201",
- "id": "pyup.io-46211",
- "more_info_path": "/vulnerabilities/CVE-2021-41201/46211",
+ "cve": "CVE-2021-29540",
+ "id": "pyup.io-46124",
+ "more_info_path": "/vulnerabilities/CVE-2021-29540/46124",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136698,9 +138173,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29611",
- "id": "pyup.io-46196",
- "more_info_path": "/vulnerabilities/CVE-2021-29611/46196",
+ "cve": "CVE-2021-22922",
+ "id": "pyup.io-46091",
+ "more_info_path": "/vulnerabilities/CVE-2021-22922/46091",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136708,9 +138183,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41196",
- "id": "pyup.io-46206",
- "more_info_path": "/vulnerabilities/CVE-2021-41196/46206",
+ "cve": "CVE-2021-29560",
+ "id": "pyup.io-46144",
+ "more_info_path": "/vulnerabilities/CVE-2021-29560/46144",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136718,9 +138193,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41223",
- "id": "pyup.io-46232",
- "more_info_path": "/vulnerabilities/CVE-2021-41223/46232",
+ "cve": "CVE-2021-29545",
+ "id": "pyup.io-46129",
+ "more_info_path": "/vulnerabilities/CVE-2021-29545/46129",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136728,9 +138203,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29600",
- "id": "pyup.io-46184",
- "more_info_path": "/vulnerabilities/CVE-2021-29600/46184",
+ "cve": "CVE-2020-8285",
+ "id": "pyup.io-46089",
+ "more_info_path": "/vulnerabilities/CVE-2020-8285/46089",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136738,9 +138213,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29553",
- "id": "pyup.io-46137",
- "more_info_path": "/vulnerabilities/CVE-2021-29553/46137",
+ "cve": "CVE-2021-29561",
+ "id": "pyup.io-46145",
+ "more_info_path": "/vulnerabilities/CVE-2021-29561/46145",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136748,9 +138223,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29516",
- "id": "pyup.io-46100",
- "more_info_path": "/vulnerabilities/CVE-2021-29516/46100",
+ "cve": "CVE-2021-29568",
+ "id": "pyup.io-46152",
+ "more_info_path": "/vulnerabilities/CVE-2021-29568/46152",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136758,9 +138233,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29619",
- "id": "pyup.io-46204",
- "more_info_path": "/vulnerabilities/CVE-2021-29619/46204",
+ "cve": "CVE-2021-29572",
+ "id": "pyup.io-46156",
+ "more_info_path": "/vulnerabilities/CVE-2021-29572/46156",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136768,9 +138243,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41197",
- "id": "pyup.io-46207",
- "more_info_path": "/vulnerabilities/CVE-2021-41197/46207",
+ "cve": "CVE-2021-29556",
+ "id": "pyup.io-46140",
+ "more_info_path": "/vulnerabilities/CVE-2021-29556/46140",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136778,9 +138253,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29517",
- "id": "pyup.io-46101",
- "more_info_path": "/vulnerabilities/CVE-2021-29517/46101",
+ "cve": "CVE-2020-26270",
+ "id": "pyup.io-46083",
+ "more_info_path": "/vulnerabilities/CVE-2020-26270/46083",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136788,9 +138263,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29591",
- "id": "pyup.io-46175",
- "more_info_path": "/vulnerabilities/CVE-2021-29591/46175",
+ "cve": "CVE-2021-29542",
+ "id": "pyup.io-46126",
+ "more_info_path": "/vulnerabilities/CVE-2021-29542/46126",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136798,9 +138273,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29590",
- "id": "pyup.io-46174",
- "more_info_path": "/vulnerabilities/CVE-2021-29590/46174",
+ "cve": "CVE-2021-29514",
+ "id": "pyup.io-46098",
+ "more_info_path": "/vulnerabilities/CVE-2021-29514/46098",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136808,9 +138283,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41214",
- "id": "pyup.io-46224",
- "more_info_path": "/vulnerabilities/CVE-2021-41214/46224",
+ "cve": "CVE-2021-29515",
+ "id": "pyup.io-46099",
+ "more_info_path": "/vulnerabilities/CVE-2021-29515/46099",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136818,9 +138293,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41204",
- "id": "pyup.io-46214",
- "more_info_path": "/vulnerabilities/CVE-2021-41204/46214",
+ "cve": "CVE-2021-41225",
+ "id": "pyup.io-46234",
+ "more_info_path": "/vulnerabilities/CVE-2021-41225/46234",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136828,9 +138303,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29548",
- "id": "pyup.io-46132",
- "more_info_path": "/vulnerabilities/CVE-2021-29548/46132",
+ "cve": "CVE-2020-15250",
+ "id": "pyup.io-46077",
+ "more_info_path": "/vulnerabilities/CVE-2020-15250/46077",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136838,9 +138313,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29519",
- "id": "pyup.io-46103",
- "more_info_path": "/vulnerabilities/CVE-2021-29519/46103",
+ "cve": "CVE-2021-22925",
+ "id": "pyup.io-46094",
+ "more_info_path": "/vulnerabilities/CVE-2021-22925/46094",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136848,9 +138323,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-26271",
- "id": "pyup.io-46084",
- "more_info_path": "/vulnerabilities/CVE-2020-26271/46084",
+ "cve": "CVE-2021-29581",
+ "id": "pyup.io-46165",
+ "more_info_path": "/vulnerabilities/CVE-2021-29581/46165",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136858,9 +138333,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29513",
- "id": "pyup.io-46097",
- "more_info_path": "/vulnerabilities/CVE-2021-29513/46097",
+ "cve": "CVE-2021-41201",
+ "id": "pyup.io-46211",
+ "more_info_path": "/vulnerabilities/CVE-2021-41201/46211",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136868,9 +138343,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29610",
- "id": "pyup.io-46194",
- "more_info_path": "/vulnerabilities/CVE-2021-29610/46194",
+ "cve": "CVE-2021-29546",
+ "id": "pyup.io-46130",
+ "more_info_path": "/vulnerabilities/CVE-2021-29546/46130",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136878,9 +138353,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-15266",
- "id": "pyup.io-46079",
- "more_info_path": "/vulnerabilities/CVE-2020-15266/46079",
+ "cve": "CVE-2020-15265",
+ "id": "pyup.io-46078",
+ "more_info_path": "/vulnerabilities/CVE-2020-15265/46078",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136888,9 +138363,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29522",
- "id": "pyup.io-46106",
- "more_info_path": "/vulnerabilities/CVE-2021-29522/46106",
+ "cve": "CVE-2021-29553",
+ "id": "pyup.io-46137",
+ "more_info_path": "/vulnerabilities/CVE-2021-29553/46137",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136898,9 +138373,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29580",
- "id": "pyup.io-46164",
- "more_info_path": "/vulnerabilities/CVE-2021-29580/46164",
+ "cve": "CVE-2021-29516",
+ "id": "pyup.io-46100",
+ "more_info_path": "/vulnerabilities/CVE-2021-29516/46100",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136908,9 +138383,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29577",
- "id": "pyup.io-46161",
- "more_info_path": "/vulnerabilities/CVE-2021-29577/46161",
+ "cve": "CVE-2021-29619",
+ "id": "pyup.io-46204",
+ "more_info_path": "/vulnerabilities/CVE-2021-29619/46204",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136918,9 +138393,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29512",
- "id": "pyup.io-46096",
- "more_info_path": "/vulnerabilities/CVE-2021-29512/46096",
+ "cve": "CVE-2021-29591",
+ "id": "pyup.io-46175",
+ "more_info_path": "/vulnerabilities/CVE-2021-29591/46175",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136928,9 +138403,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29547",
- "id": "pyup.io-46131",
- "more_info_path": "/vulnerabilities/CVE-2021-29547/46131",
+ "cve": "CVE-2021-29590",
+ "id": "pyup.io-46174",
+ "more_info_path": "/vulnerabilities/CVE-2021-29590/46174",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136938,9 +138413,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-26266",
- "id": "pyup.io-46080",
- "more_info_path": "/vulnerabilities/CVE-2020-26266/46080",
+ "cve": "CVE-2021-29517",
+ "id": "pyup.io-46101",
+ "more_info_path": "/vulnerabilities/CVE-2021-29517/46101",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136948,9 +138423,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29599",
- "id": "pyup.io-46183",
- "more_info_path": "/vulnerabilities/CVE-2021-29599/46183",
+ "cve": "CVE-2021-41204",
+ "id": "pyup.io-46214",
+ "more_info_path": "/vulnerabilities/CVE-2021-41204/46214",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136958,9 +138433,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29540",
- "id": "pyup.io-46124",
- "more_info_path": "/vulnerabilities/CVE-2021-29540/46124",
+ "cve": "CVE-2020-26271",
+ "id": "pyup.io-46084",
+ "more_info_path": "/vulnerabilities/CVE-2020-26271/46084",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136968,9 +138443,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29615",
- "id": "pyup.io-46200",
- "more_info_path": "/vulnerabilities/CVE-2021-29615/46200",
+ "cve": "CVE-2021-29513",
+ "id": "pyup.io-46097",
+ "more_info_path": "/vulnerabilities/CVE-2021-29513/46097",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136978,9 +138453,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-41217",
- "id": "pyup.io-46227",
- "more_info_path": "/vulnerabilities/CVE-2021-41217/46227",
+ "cve": "CVE-2021-29610",
+ "id": "pyup.io-46194",
+ "more_info_path": "/vulnerabilities/CVE-2021-29610/46194",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136988,9 +138463,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29549",
- "id": "pyup.io-46133",
- "more_info_path": "/vulnerabilities/CVE-2021-29549/46133",
+ "cve": "CVE-2020-15266",
+ "id": "pyup.io-46079",
+ "more_info_path": "/vulnerabilities/CVE-2020-15266/46079",
 "specs": [
 "<1.2.0a0"
 ],
@@ -136998,9 +138473,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29559",
- "id": "pyup.io-46143",
- "more_info_path": "/vulnerabilities/CVE-2021-29559/46143",
+ "cve": "CVE-2021-29577",
+ "id": "pyup.io-46161",
+ "more_info_path": "/vulnerabilities/CVE-2021-29577/46161",
 "specs": [
 "<1.2.0a0"
 ],
@@ -137008,9 +138483,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-29597",
- "id": "pyup.io-46181",
- "more_info_path": "/vulnerabilities/CVE-2021-29597/46181",
+ "cve": "CVE-2021-29615",
+ "id": "pyup.io-46200",
+ "more_info_path": "/vulnerabilities/CVE-2021-29615/46200",
 "specs": [
 "<1.2.0a0"
 ],
@@ -137018,9 +138493,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-22923",
- "id": "pyup.io-46092",
- "more_info_path": "/vulnerabilities/CVE-2021-22923/46092",
+ "cve": "CVE-2021-41217",
+ "id": "pyup.io-46227",
+ "more_info_path": "/vulnerabilities/CVE-2021-41217/46227",
 "specs": [
 "<1.2.0a0"
 ],
@@ -137028,9 +138503,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2021-22922",
- "id": "pyup.io-46091",
- "more_info_path": "/vulnerabilities/CVE-2021-22922/46091",
+ "cve": "CVE-2021-29559",
+ "id": "pyup.io-46143",
+ "more_info_path": "/vulnerabilities/CVE-2021-29559/46143",
 "specs": [
 "<1.2.0a0"
 ],
@@ -137038,9 +138513,9 @@
 },
 {
 "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.",
- "cve": "CVE-2020-8169",
- "id": "pyup.io-46085",
- "more_info_path": "/vulnerabilities/CVE-2020-8169/46085",
+ "cve": "CVE-2021-22923",
+ "id": "pyup.io-46092",
+ "more_info_path": "/vulnerabilities/CVE-2021-22923/46092",
 "specs": [
 "<1.2.0a0"
 ],
@@ -137048,9 +138523,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29566", - "id": "pyup.io-46150", - "more_info_path": "/vulnerabilities/CVE-2021-29566/46150", + "cve": "CVE-2020-8169", + "id": "pyup.io-46085", + "more_info_path": "/vulnerabilities/CVE-2020-8169/46085", "specs": [ "<1.2.0a0" ], @@ -137096,16 +138571,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29593", - "id": "pyup.io-46177", - "more_info_path": "/vulnerabilities/CVE-2021-29593/46177", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", "cve": "CVE-2021-29606", @@ -137146,16 +138611,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29560", - "id": "pyup.io-46144", - "more_info_path": "/vulnerabilities/CVE-2021-29560/46144", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", "cve": "CVE-2021-29614", 
@@ -137206,26 +138661,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29617", - "id": "pyup.io-46202", - "more_info_path": "/vulnerabilities/CVE-2021-29617/46202", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29545", - "id": "pyup.io-46129", - "more_info_path": "/vulnerabilities/CVE-2021-29545/46129", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", "cve": "CVE-2021-29618", @@ -137236,16 +138671,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-8285", - "id": "pyup.io-46089", - "more_info_path": "/vulnerabilities/CVE-2020-8285/46089", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", "cve": "CVE-2021-29578", @@ -137266,16 +138691,6 @@ ], "v": "<1.2.0a0" }, - { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41200", - "id": "pyup.io-46210", - "more_info_path": "/vulnerabilities/CVE-2021-41200/46210", - "specs": [ - "<1.2.0a0" - ], - "v": "<1.2.0a0" - }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", "cve": "CVE-2021-41199", 
@@ -137298,9 +138713,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29568", - "id": "pyup.io-46152", - "more_info_path": "/vulnerabilities/CVE-2021-29568/46152", + "cve": "CVE-2021-29586", + "id": "pyup.io-46170", + "more_info_path": "/vulnerabilities/CVE-2021-29586/46170", "specs": [ "<1.2.0a0" ], @@ -137308,9 +138723,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29586", - "id": "pyup.io-46170", - "more_info_path": "/vulnerabilities/CVE-2021-29586/46170", + "cve": "CVE-2021-41206", + "id": "pyup.io-46216", + "more_info_path": "/vulnerabilities/CVE-2021-41206/46216", "specs": [ "<1.2.0a0" ], @@ -137318,9 +138733,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29561", - "id": "pyup.io-46145", - "more_info_path": "/vulnerabilities/CVE-2021-29561/46145", + "cve": "CVE-2021-29583", + "id": "pyup.io-46167", + "more_info_path": "/vulnerabilities/CVE-2021-29583/46167", "specs": [ "<1.2.0a0" ], @@ -137328,9 +138743,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29572", - "id": "pyup.io-46156", - "more_info_path": "/vulnerabilities/CVE-2021-29572/46156", + "cve": "CVE-2021-29604", + "id": "pyup.io-46188", + "more_info_path": "/vulnerabilities/CVE-2021-29604/46188", "specs": [ "<1.2.0a0" ], @@ -137338,9 +138753,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-22924", - "id": "pyup.io-46093", - "more_info_path": "/vulnerabilities/CVE-2021-22924/46093", + "cve": "CVE-2021-29518", + "id": "pyup.io-46102", + "more_info_path": "/vulnerabilities/CVE-2021-29518/46102", "specs": [ "<1.2.0a0" ], 
@@ -137348,9 +138763,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41206", - "id": "pyup.io-46216", - "more_info_path": "/vulnerabilities/CVE-2021-41206/46216", + "cve": "CVE-2021-29539", + "id": "pyup.io-46123", + "more_info_path": "/vulnerabilities/CVE-2021-29539/46123", "specs": [ "<1.2.0a0" ], @@ -137358,9 +138773,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29583", - "id": "pyup.io-46167", - "more_info_path": "/vulnerabilities/CVE-2021-29583/46167", + "cve": "CVE-2021-29530", + "id": "pyup.io-46114", + "more_info_path": "/vulnerabilities/CVE-2021-29530/46114", "specs": [ "<1.2.0a0" ], @@ -137368,9 +138783,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29534", - "id": "pyup.io-46118", - "more_info_path": "/vulnerabilities/CVE-2021-29534/46118", + "cve": "CVE-2021-29610", + "id": "pyup.io-46195", + "more_info_path": "/vulnerabilities/CVE-2021-29610/46195", "specs": [ "<1.2.0a0" ], @@ -137378,9 +138793,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29604", - "id": "pyup.io-46188", - "more_info_path": "/vulnerabilities/CVE-2021-29604/46188", + "cve": "CVE-2021-29565", + "id": "pyup.io-46149", + "more_info_path": "/vulnerabilities/CVE-2021-29565/46149", "specs": [ "<1.2.0a0" ], @@ -137388,9 +138803,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29557", - "id": "pyup.io-46141", - "more_info_path": "/vulnerabilities/CVE-2021-29557/46141", + "cve": "CVE-2021-29595", + "id": "pyup.io-46179", + "more_info_path": "/vulnerabilities/CVE-2021-29595/46179", "specs": [ "<1.2.0a0" ], 
@@ -137398,9 +138813,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41218", - "id": "pyup.io-46228", - "more_info_path": "/vulnerabilities/CVE-2021-41218/46228", + "cve": "CVE-2021-41208", + "id": "pyup.io-46218", + "more_info_path": "/vulnerabilities/CVE-2021-41208/46218", "specs": [ "<1.2.0a0" ], @@ -137408,9 +138823,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29518", - "id": "pyup.io-46102", - "more_info_path": "/vulnerabilities/CVE-2021-29518/46102", + "cve": "CVE-2021-29607", + "id": "pyup.io-46191", + "more_info_path": "/vulnerabilities/CVE-2021-29607/46191", "specs": [ "<1.2.0a0" ], @@ -137418,9 +138833,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41219", - "id": "pyup.io-46229", - "more_info_path": "/vulnerabilities/CVE-2021-41219/46229", + "cve": "CVE-2021-29532", + "id": "pyup.io-46116", + "more_info_path": "/vulnerabilities/CVE-2021-29532/46116", "specs": [ "<1.2.0a0" ], @@ -137428,9 +138843,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29539", - "id": "pyup.io-46123", - "more_info_path": "/vulnerabilities/CVE-2021-29539/46123", + "cve": "CVE-2021-29616", + "id": "pyup.io-46201", + "more_info_path": "/vulnerabilities/CVE-2021-29616/46201", "specs": [ "<1.2.0a0" ], @@ -137438,9 +138853,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29589", - "id": "pyup.io-46173", - "more_info_path": "/vulnerabilities/CVE-2021-29589/46173", + "cve": "CVE-2021-29529", + "id": "pyup.io-46113", + "more_info_path": "/vulnerabilities/CVE-2021-29529/46113", "specs": [ "<1.2.0a0" ], 
@@ -137448,9 +138863,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29570", - "id": "pyup.io-46154", - "more_info_path": "/vulnerabilities/CVE-2021-29570/46154", + "cve": "CVE-2020-26268", + "id": "pyup.io-46082", + "more_info_path": "/vulnerabilities/CVE-2020-26268/46082", "specs": [ "<1.2.0a0" ], @@ -137458,9 +138873,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29530", - "id": "pyup.io-46114", - "more_info_path": "/vulnerabilities/CVE-2021-29530/46114", + "cve": "CVE-2021-29520", + "id": "pyup.io-46104", + "more_info_path": "/vulnerabilities/CVE-2021-29520/46104", "specs": [ "<1.2.0a0" ], @@ -137468,9 +138883,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29610", - "id": "pyup.io-46195", - "more_info_path": "/vulnerabilities/CVE-2021-29610/46195", + "cve": "CVE-2021-41222", + "id": "pyup.io-46231", + "more_info_path": "/vulnerabilities/CVE-2021-41222/46231", "specs": [ "<1.2.0a0" ], @@ -137478,9 +138893,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29565", - "id": "pyup.io-46149", - "more_info_path": "/vulnerabilities/CVE-2021-29565/46149", + "cve": "CVE-2021-41211", + "id": "pyup.io-46221", + "more_info_path": "/vulnerabilities/CVE-2021-41211/46221", "specs": [ "<1.2.0a0" ], @@ -137488,9 +138903,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29595", - "id": "pyup.io-46179", - "more_info_path": "/vulnerabilities/CVE-2021-29595/46179", + "cve": "CVE-2021-41203", + "id": "pyup.io-46213", + "more_info_path": "/vulnerabilities/CVE-2021-41203/46213", "specs": [ "<1.2.0a0" ], 
@@ -137498,9 +138913,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41208", - "id": "pyup.io-46218", - "more_info_path": "/vulnerabilities/CVE-2021-41208/46218", + "cve": "CVE-2021-29594", + "id": "pyup.io-46178", + "more_info_path": "/vulnerabilities/CVE-2021-29594/46178", "specs": [ "<1.2.0a0" ], @@ -137508,9 +138923,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29607", - "id": "pyup.io-46191", - "more_info_path": "/vulnerabilities/CVE-2021-29607/46191", + "cve": "CVE-2021-29523", + "id": "pyup.io-46107", + "more_info_path": "/vulnerabilities/CVE-2021-29523/46107", "specs": [ "<1.2.0a0" ], @@ -137518,9 +138933,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29532", - "id": "pyup.io-46116", - "more_info_path": "/vulnerabilities/CVE-2021-29532/46116", + "cve": "CVE-2021-29563", + "id": "pyup.io-46147", + "more_info_path": "/vulnerabilities/CVE-2021-29563/46147", "specs": [ "<1.2.0a0" ], @@ -137528,9 +138943,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29616", - "id": "pyup.io-46201", - "more_info_path": "/vulnerabilities/CVE-2021-29616/46201", + "cve": "CVE-2021-29567", + "id": "pyup.io-46151", + "more_info_path": "/vulnerabilities/CVE-2021-29567/46151", "specs": [ "<1.2.0a0" ], @@ -137538,9 +138953,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29575", - "id": "pyup.io-46159", - "more_info_path": "/vulnerabilities/CVE-2021-29575/46159", + "cve": "CVE-2021-29571", + "id": "pyup.io-46155", + "more_info_path": "/vulnerabilities/CVE-2021-29571/46155", "specs": [ "<1.2.0a0" ], 
@@ -137548,9 +138963,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29601", - "id": "pyup.io-46185", - "more_info_path": "/vulnerabilities/CVE-2021-29601/46185", + "cve": "CVE-2021-29544", + "id": "pyup.io-46128", + "more_info_path": "/vulnerabilities/CVE-2021-29544/46128", "specs": [ "<1.2.0a0" ], @@ -137558,9 +138973,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29542", - "id": "pyup.io-46126", - "more_info_path": "/vulnerabilities/CVE-2021-29542/46126", + "cve": "CVE-2020-8284", + "id": "pyup.io-46088", + "more_info_path": "/vulnerabilities/CVE-2020-8284/46088", "specs": [ "<1.2.0a0" ], @@ -137568,9 +138983,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29529", - "id": "pyup.io-46113", - "more_info_path": "/vulnerabilities/CVE-2021-29529/46113", + "cve": "CVE-2020-13790", + "id": "pyup.io-46075", + "more_info_path": "/vulnerabilities/CVE-2020-13790/46075", "specs": [ "<1.2.0a0" ], @@ -137578,9 +138993,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29582", - "id": "pyup.io-46166", - "more_info_path": "/vulnerabilities/CVE-2021-29582/46166", + "cve": "CVE-2020-8286", + "id": "pyup.io-46090", + "more_info_path": "/vulnerabilities/CVE-2020-8286/46090", "specs": [ "<1.2.0a0" ], @@ -137588,9 +139003,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-26268", - "id": "pyup.io-46082", - "more_info_path": "/vulnerabilities/CVE-2020-26268/46082", + "cve": "CVE-2021-29528", + "id": "pyup.io-46112", + "more_info_path": "/vulnerabilities/CVE-2021-29528/46112", "specs": [ "<1.2.0a0" ], 
@@ -137598,9 +139013,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29520", - "id": "pyup.io-46104", - "more_info_path": "/vulnerabilities/CVE-2021-29520/46104", + "cve": "CVE-2021-29537", + "id": "pyup.io-46121", + "more_info_path": "/vulnerabilities/CVE-2021-29537/46121", "specs": [ "<1.2.0a0" ], @@ -137608,9 +139023,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41222", - "id": "pyup.io-46231", - "more_info_path": "/vulnerabilities/CVE-2021-41222/46231", + "cve": "CVE-2021-29569", + "id": "pyup.io-46153", + "more_info_path": "/vulnerabilities/CVE-2021-29569/46153", "specs": [ "<1.2.0a0" ], @@ -137618,9 +139033,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41211", - "id": "pyup.io-46221", - "more_info_path": "/vulnerabilities/CVE-2021-41211/46221", + "cve": "CVE-2021-29564", + "id": "pyup.io-46148", + "more_info_path": "/vulnerabilities/CVE-2021-29564/46148", "specs": [ "<1.2.0a0" ], @@ -137628,9 +139043,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-26270", - "id": "pyup.io-46083", - "more_info_path": "/vulnerabilities/CVE-2020-26270/46083", + "cve": "CVE-2021-29533", + "id": "pyup.io-46117", + "more_info_path": "/vulnerabilities/CVE-2021-29533/46117", "specs": [ "<1.2.0a0" ], @@ -137638,9 +139053,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41203", - "id": "pyup.io-46213", - "more_info_path": "/vulnerabilities/CVE-2021-41203/46213", + "cve": "CVE-2021-41224", + "id": "pyup.io-46233", + "more_info_path": "/vulnerabilities/CVE-2021-41224/46233", "specs": [ "<1.2.0a0" ], 
@@ -137648,9 +139063,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29556", - "id": "pyup.io-46140", - "more_info_path": "/vulnerabilities/CVE-2021-29556/46140", + "cve": "CVE-2021-41197", + "id": "pyup.io-46207", + "more_info_path": "/vulnerabilities/CVE-2021-41197/46207", "specs": [ "<1.2.0a0" ], @@ -137658,9 +139073,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29594", - "id": "pyup.io-46178", - "more_info_path": "/vulnerabilities/CVE-2021-29594/46178", + "cve": "CVE-2021-29519", + "id": "pyup.io-46103", + "more_info_path": "/vulnerabilities/CVE-2021-29519/46103", "specs": [ "<1.2.0a0" ], @@ -137668,9 +139083,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29514", - "id": "pyup.io-46098", - "more_info_path": "/vulnerabilities/CVE-2021-29514/46098", + "cve": "CVE-2021-29549", + "id": "pyup.io-46133", + "more_info_path": "/vulnerabilities/CVE-2021-29549/46133", "specs": [ "<1.2.0a0" ], @@ -137678,9 +139093,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29523", - "id": "pyup.io-46107", - "more_info_path": "/vulnerabilities/CVE-2021-29523/46107", + "cve": "CVE-2021-29566", + "id": "pyup.io-46150", + "more_info_path": "/vulnerabilities/CVE-2021-29566/46150", "specs": [ "<1.2.0a0" ], @@ -137688,9 +139103,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29563", - "id": "pyup.io-46147", - "more_info_path": "/vulnerabilities/CVE-2021-29563/46147", + "cve": "CVE-2021-29593", + "id": "pyup.io-46177", + "more_info_path": "/vulnerabilities/CVE-2021-29593/46177", "specs": [ "<1.2.0a0" ], 
@@ -137698,9 +139113,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29515", - "id": "pyup.io-46099", - "more_info_path": "/vulnerabilities/CVE-2021-29515/46099", + "cve": "CVE-2021-29617", + "id": "pyup.io-46202", + "more_info_path": "/vulnerabilities/CVE-2021-29617/46202", "specs": [ "<1.2.0a0" ], @@ -137708,9 +139123,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29554", - "id": "pyup.io-46138", - "more_info_path": "/vulnerabilities/CVE-2021-29554/46138", + "cve": "CVE-2021-22924", + "id": "pyup.io-46093", + "more_info_path": "/vulnerabilities/CVE-2021-22924/46093", "specs": [ "<1.2.0a0" ], @@ -137718,9 +139133,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29567", - "id": "pyup.io-46151", - "more_info_path": "/vulnerabilities/CVE-2021-29567/46151", + "cve": "CVE-2021-29534", + "id": "pyup.io-46118", + "more_info_path": "/vulnerabilities/CVE-2021-29534/46118", "specs": [ "<1.2.0a0" ], @@ -137728,9 +139143,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-41225", - "id": "pyup.io-46234", - "more_info_path": "/vulnerabilities/CVE-2021-41225/46234", + "cve": "CVE-2021-29557", + "id": "pyup.io-46141", + "more_info_path": "/vulnerabilities/CVE-2021-29557/46141", "specs": [ "<1.2.0a0" ], @@ -137738,9 +139153,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29571", - "id": "pyup.io-46155", - "more_info_path": "/vulnerabilities/CVE-2021-29571/46155", + "cve": "CVE-2021-41219", + "id": "pyup.io-46229", + "more_info_path": "/vulnerabilities/CVE-2021-41219/46229", "specs": [ "<1.2.0a0" ], 
@@ -137748,9 +139163,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-29544", - "id": "pyup.io-46128", - "more_info_path": "/vulnerabilities/CVE-2021-29544/46128", + "cve": "CVE-2021-29589", + "id": "pyup.io-46173", + "more_info_path": "/vulnerabilities/CVE-2021-29589/46173", "specs": [ "<1.2.0a0" ], @@ -137758,9 +139173,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-8231", - "id": "pyup.io-46087", - "more_info_path": "/vulnerabilities/CVE-2020-8231/46087", + "cve": "CVE-2021-29570", + "id": "pyup.io-46154", + "more_info_path": "/vulnerabilities/CVE-2021-29570/46154", "specs": [ "<1.2.0a0" ], @@ -137768,9 +139183,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-15250", - "id": "pyup.io-46077", - "more_info_path": "/vulnerabilities/CVE-2020-15250/46077", + "cve": "CVE-2021-29601", + "id": "pyup.io-46185", + "more_info_path": "/vulnerabilities/CVE-2021-29601/46185", "specs": [ "<1.2.0a0" ], @@ -137778,9 +139193,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-8284", - "id": "pyup.io-46088", - "more_info_path": "/vulnerabilities/CVE-2020-8284/46088", + "cve": "CVE-2021-29554", + "id": "pyup.io-46138", + "more_info_path": "/vulnerabilities/CVE-2021-29554/46138", "specs": [ "<1.2.0a0" ], @@ -137788,9 +139203,9 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-13790", - "id": "pyup.io-46075", - "more_info_path": "/vulnerabilities/CVE-2020-13790/46075", + "cve": "CVE-2020-8231", + "id": "pyup.io-46087", + "more_info_path": "/vulnerabilities/CVE-2020-8231/46087", "specs": [ "<1.2.0a0" ], 
@@ -137798,39 +139213,39 @@ }, { "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2020-8286", - "id": "pyup.io-46090", - "more_info_path": "/vulnerabilities/CVE-2020-8286/46090", + "cve": "CVE-2021-22926", + "id": "pyup.io-46095", + "more_info_path": "/vulnerabilities/CVE-2021-22926/46095", "specs": [ "<1.2.0a0" ], "v": "<1.2.0a0" }, { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-22925", - "id": "pyup.io-46094", - "more_info_path": "/vulnerabilities/CVE-2021-22925/46094", + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-23584", + "id": "pyup.io-46547", + "more_info_path": "/vulnerabilities/CVE-2022-23584/46547", "specs": [ - "<1.2.0a0" + "<1.2.0a6" ], - "v": "<1.2.0a0" + "v": "<1.2.0a6" }, { - "advisory": "Sleap 1.2.0a0 updates its dependency 'TensorFlow' to v2.7.0 to include security fixes.", - "cve": "CVE-2021-22926", - "id": "pyup.io-46095", - "more_info_path": "/vulnerabilities/CVE-2021-22926/46095", + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-23571", + "id": "pyup.io-46534", + "more_info_path": "/vulnerabilities/CVE-2022-23571/46534", "specs": [ - "<1.2.0a0" + "<1.2.0a6" ], - "v": "<1.2.0a0" + "v": "<1.2.0a6" }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21733", - "id": "pyup.io-46511", - "more_info_path": "/vulnerabilities/CVE-2022-21733/46511", + "cve": "CVE-2022-23565", + "id": "pyup.io-46528", + "more_info_path": "/vulnerabilities/CVE-2022-23565/46528", "specs": [ "<1.2.0a6" ], 
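Review bot: The Sleap `<1.2.0a0` list shrinks in this update with no change to the advisory text or spec to explain it — across the visible hunks roughly twenty previously listed CVEs no longer appear on the new side, among them `CVE-2021-29599`, `CVE-2021-22922`, `CVE-2020-8285`, `CVE-2021-41200`, `CVE-2021-41225`, `CVE-2020-15250` and `CVE-2021-22925` (the last of which is dropped in this hunk, where the `1.2.0a6` entries now begin). They may be re-added beyond this chunk or have been deliberately retired, but a vulnerability database losing records silently is a false-negative risk for everyone running `safety check` against it, so the reason belongs in the commit message. A per-package added/removed summary emitted by the bot into the commit body would make this reviewable; most of the remaining churn here is pure reordering of identical records, and writing the list in a stable order (e.g. sorted by `id`) would keep future diffs to the real changes.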
@@ -137838,9 +139253,19 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23584", - "id": "pyup.io-46547", - "more_info_path": "/vulnerabilities/CVE-2022-23584/46547", + "cve": "CVE-2022-21737", + "id": "pyup.io-46515", + "more_info_path": "/vulnerabilities/CVE-2022-21737/46515", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-21727", + "id": "pyup.io-46505", + "more_info_path": "/vulnerabilities/CVE-2022-21727/46505", "specs": [ "<1.2.0a6" ], @@ -137858,9 +139283,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23567", - "id": "pyup.io-46530", - "more_info_path": "/vulnerabilities/CVE-2022-23567/46530", + "cve": "CVE-2022-23587", + "id": "pyup.io-46550", + "more_info_path": "/vulnerabilities/CVE-2022-23587/46550", "specs": [ "<1.2.0a6" ], @@ -137868,9 +139293,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23571", - "id": "pyup.io-46534", - "more_info_path": "/vulnerabilities/CVE-2022-23571/46534", + "cve": "CVE-2022-21734", + "id": "pyup.io-46512", + "more_info_path": "/vulnerabilities/CVE-2022-21734/46512", "specs": [ "<1.2.0a6" ], @@ -137878,9 +139303,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23565", - "id": "pyup.io-46528", - "more_info_path": "/vulnerabilities/CVE-2022-23565/46528", + "cve": "CVE-2022-23590", + "id": "pyup.io-46553", + "more_info_path": "/vulnerabilities/CVE-2022-23590/46553", "specs": [ "<1.2.0a6" ], 
@@ -137888,9 +139313,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23587", - "id": "pyup.io-46550", - "more_info_path": "/vulnerabilities/CVE-2022-23587/46550", + "cve": "CVE-2022-21740", + "id": "pyup.io-46518", + "more_info_path": "/vulnerabilities/CVE-2022-21740/46518", "specs": [ "<1.2.0a6" ], @@ -137898,9 +139323,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21737", - "id": "pyup.io-46515", - "more_info_path": "/vulnerabilities/CVE-2022-21737/46515", + "cve": "CVE-2022-23585", + "id": "pyup.io-46548", + "more_info_path": "/vulnerabilities/CVE-2022-23585/46548", "specs": [ "<1.2.0a6" ], @@ -137908,9 +139333,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23573", - "id": "pyup.io-46536", - "more_info_path": "/vulnerabilities/CVE-2022-23573/46536", + "cve": "CVE-2022-23575", + "id": "pyup.io-46538", + "more_info_path": "/vulnerabilities/CVE-2022-23575/46538", "specs": [ "<1.2.0a6" ], @@ -137918,9 +139343,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21739", - "id": "pyup.io-46517", - "more_info_path": "/vulnerabilities/CVE-2022-21739/46517", + "cve": "CVE-2022-23588", + "id": "pyup.io-46551", + "more_info_path": "/vulnerabilities/CVE-2022-23588/46551", "specs": [ "<1.2.0a6" ], @@ -137928,9 +139353,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21727", - "id": "pyup.io-46505", - "more_info_path": "/vulnerabilities/CVE-2022-21727/46505", + "cve": "CVE-2022-23583", + "id": "pyup.io-46546", + "more_info_path": "/vulnerabilities/CVE-2022-23583/46546", "specs": [ "<1.2.0a6" ], 
@@ -137938,9 +139363,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21725", - "id": "pyup.io-46503", - "more_info_path": "/vulnerabilities/CVE-2022-21725/46503", + "cve": "CVE-2022-21733", + "id": "pyup.io-46511", + "more_info_path": "/vulnerabilities/CVE-2022-21733/46511", "specs": [ "<1.2.0a6" ], @@ -137948,9 +139373,29 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23585", - "id": "pyup.io-46548", - "more_info_path": "/vulnerabilities/CVE-2022-23585/46548", + "cve": "CVE-2022-23567", + "id": "pyup.io-46530", + "more_info_path": "/vulnerabilities/CVE-2022-23567/46530", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-23573", + "id": "pyup.io-46536", + "more_info_path": "/vulnerabilities/CVE-2022-23573/46536", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-21725", + "id": "pyup.io-46503", + "more_info_path": "/vulnerabilities/CVE-2022-21725/46503", "specs": [ "<1.2.0a6" ], @@ -137968,9 +139413,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23574", - "id": "pyup.io-46537", - "more_info_path": "/vulnerabilities/CVE-2022-23574/46537", + "cve": "CVE-2022-23589", + "id": "pyup.io-46552", + "more_info_path": "/vulnerabilities/CVE-2022-23589/46552", "specs": [ "<1.2.0a6" ], @@ -137978,9 +139423,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21726", - "id": "pyup.io-46504", - "more_info_path": "/vulnerabilities/CVE-2022-21726/46504", + "cve": "CVE-2022-23582", + "id": "pyup.io-46545", + "more_info_path": "/vulnerabilities/CVE-2022-23582/46545", "specs": [ "<1.2.0a6" ], 
@@ -137988,9 +139433,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-23590", - "id": "pyup.io-46553", - "more_info_path": "/vulnerabilities/CVE-2022-23590/46553", + "cve": "CVE-2022-23564", + "id": "pyup.io-46527", + "more_info_path": "/vulnerabilities/CVE-2022-23564/46527", "specs": [ "<1.2.0a6" ], @@ -137998,9 +139443,9 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21734", - "id": "pyup.io-46512", - "more_info_path": "/vulnerabilities/CVE-2022-21734/46512", + "cve": "CVE-2022-23581", + "id": "pyup.io-46544", + "more_info_path": "/vulnerabilities/CVE-2022-23581/46544", "specs": [ "<1.2.0a6" ], 
@@ -138008,9 +139453,69 @@ }, { "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", - "cve": "CVE-2022-21740", - "id": "pyup.io-46518", - "more_info_path": "/vulnerabilities/CVE-2022-21740/46518", + "cve": "CVE-2022-23591", + "id": "pyup.io-46554", + "more_info_path": "/vulnerabilities/CVE-2022-23591/46554", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-21729", + "id": "pyup.io-46507", + "more_info_path": "/vulnerabilities/CVE-2022-21729/46507", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-21730", + "id": "pyup.io-46508", + "more_info_path": "/vulnerabilities/CVE-2022-21730/46508", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-23562", + "id": "pyup.io-46525", + "more_info_path": "/vulnerabilities/CVE-2022-23562/46525", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2020-10531", + "id": "pyup.io-46501", + "more_info_path": "/vulnerabilities/CVE-2020-10531/46501", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-21726", + "id": "pyup.io-46504", + "more_info_path": "/vulnerabilities/CVE-2022-21726/46504", + "specs": [ + "<1.2.0a6" + ], + "v": "<1.2.0a6" + }, + { + "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.", + "cve": "CVE-2022-23574", + "id": "pyup.io-46537", + "more_info_path": "/vulnerabilities/CVE-2022-23574/46537", "specs": [ "<1.2.0a6" ], 
@@ -138046,26 +139551,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23589",
-            "id": "pyup.io-46552",
-            "more_info_path": "/vulnerabilities/CVE-2022-23589/46552",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23582",
-            "id": "pyup.io-46545",
-            "more_info_path": "/vulnerabilities/CVE-2022-23582/46545",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-23566",
@@ -138076,26 +139561,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23564",
-            "id": "pyup.io-46527",
-            "more_info_path": "/vulnerabilities/CVE-2022-23564/46527",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23575",
-            "id": "pyup.io-46538",
-            "more_info_path": "/vulnerabilities/CVE-2022-23575/46538",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-21735",
@@ -138116,46 +139581,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23560",
-            "id": "pyup.io-46523",
-            "more_info_path": "/vulnerabilities/CVE-2022-23560/46523",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23581",
-            "id": "pyup.io-46544",
-            "more_info_path": "/vulnerabilities/CVE-2022-23581/46544",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23591",
-            "id": "pyup.io-46554",
-            "more_info_path": "/vulnerabilities/CVE-2022-23591/46554",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-21731",
-            "id": "pyup.io-46509",
-            "more_info_path": "/vulnerabilities/CVE-2022-21731/46509",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-23578",
@@ -138176,16 +139601,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-21729",
-            "id": "pyup.io-46507",
-            "more_info_path": "/vulnerabilities/CVE-2022-21729/46507",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-21732",
@@ -138216,36 +139631,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23577",
-            "id": "pyup.io-46540",
-            "more_info_path": "/vulnerabilities/CVE-2022-23577/46540",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-21730",
-            "id": "pyup.io-46508",
-            "more_info_path": "/vulnerabilities/CVE-2022-21730/46508",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23588",
-            "id": "pyup.io-46551",
-            "more_info_path": "/vulnerabilities/CVE-2022-23588/46551",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-21736",
@@ -138296,16 +139681,6 @@
             ],
             "v": "<1.2.0a6"
         },
-        {
-            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23583",
-            "id": "pyup.io-46546",
-            "more_info_path": "/vulnerabilities/CVE-2022-23583/46546",
-            "specs": [
-                "<1.2.0a6"
-            ],
-            "v": "<1.2.0a6"
-        },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
             "cve": "CVE-2022-23579",
@@ -138338,9 +139713,9 @@
         },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23562",
-            "id": "pyup.io-46525",
-            "more_info_path": "/vulnerabilities/CVE-2022-23562/46525",
+            "cve": "CVE-2022-23559",
+            "id": "pyup.io-46522",
+            "more_info_path": "/vulnerabilities/CVE-2022-23559/46522",
             "specs": [
                 "<1.2.0a6"
             ],
@@ -138348,9 +139723,9 @@
         },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23559",
-            "id": "pyup.io-46522",
-            "more_info_path": "/vulnerabilities/CVE-2022-23559/46522",
+            "cve": "CVE-2022-21739",
+            "id": "pyup.io-46517",
+            "more_info_path": "/vulnerabilities/CVE-2022-21739/46517",
             "specs": [
                 "<1.2.0a6"
             ],
@@ -138358,9 +139733,9 @@
         },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2022-23572",
-            "id": "pyup.io-46535",
-            "more_info_path": "/vulnerabilities/CVE-2022-23572/46535",
+            "cve": "CVE-2022-23560",
+            "id": "pyup.io-46523",
+            "more_info_path": "/vulnerabilities/CVE-2022-23560/46523",
             "specs": [
                 "<1.2.0a6"
             ],
@@ -138368,9 +139743,29 @@
         },
         {
             "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
-            "cve": "CVE-2020-10531",
-            "id": "pyup.io-46501",
-            "more_info_path": "/vulnerabilities/CVE-2020-10531/46501",
+            "cve": "CVE-2022-21731",
+            "id": "pyup.io-46509",
+            "more_info_path": "/vulnerabilities/CVE-2022-21731/46509",
+            "specs": [
+                "<1.2.0a6"
+            ],
+            "v": "<1.2.0a6"
+        },
+        {
+            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
+            "cve": "CVE-2022-23577",
+            "id": "pyup.io-46540",
+            "more_info_path": "/vulnerabilities/CVE-2022-23577/46540",
+            "specs": [
+                "<1.2.0a6"
+            ],
+            "v": "<1.2.0a6"
+        },
+        {
+            "advisory": "Sleap 1.2.0a6 requires Tensorflow v2.6.3 to include security fixes.",
+            "cve": "CVE-2022-23572",
+            "id": "pyup.io-46535",
+            "more_info_path": "/vulnerabilities/CVE-2022-23572/46535",
             "specs": [
                 "<1.2.0a6"
             ],
@@ -138968,16 +140363,6 @@
             ],
             "v": "<2.2.4"
         },
-        {
-            "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2024-0727.",
-            "cve": "CVE-2024-0727",
-            "id": "pyup.io-67576",
-            "more_info_path": "/vulnerabilities/CVE-2024-0727/67576",
-            "specs": [
-                "<2.2.4"
-            ],
-            "v": "<2.2.4"
-        },
         {
             "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-50782.",
             "cve": "CVE-2023-50782",
@@ -138998,6 +140383,16 @@
             ],
             "v": "<2.2.4"
         },
+        {
+            "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2024-0727.",
+            "cve": "CVE-2024-0727",
+            "id": "pyup.io-67576",
+            "more_info_path": "/vulnerabilities/CVE-2024-0727/67576",
+            "specs": [
+                "<2.2.4"
+            ],
+            "v": "<2.2.4"
+        },
         {
             "advisory": "Snyk-tags version 2.2.4 updates its dependency on the cryptography library to version 42.0.4. This change is made to address the security issue identified as CVE-2023-6237.",
             "cve": "CVE-2023-6237",
@@ -139065,6 +140460,18 @@
             "v": "<0.12.6"
         }
     ],
+    "social-auth-app-django": [
+        {
+            "advisory": "Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field. See CVE-2024-32879.",
+            "cve": "CVE-2024-32879",
+            "id": "pyup.io-70713",
+            "more_info_path": "/vulnerabilities/CVE-2024-32879/70713",
+            "specs": [
+                "<5.4.1"
+            ],
+            "v": "<5.4.1"
+        }
+    ],
     "socketshark": [
         {
             "advisory": "Socketshark 0.2.2 includes a fix for a sensitive information exposure vulnerability.\r\nhttps://github.com/closeio/socketshark/pull/42",
@@ -139304,10 +140711,10 @@
     ],
     "spark-on-k8s": [
         {
-            "advisory": "Version 0.2.0 of Spark-on-k8s updates its `aiohttp` dependency to require version 3.9.2 or newer. This change aims to protect against the potential security risks outlined in CVE-2024-23829.",
-            "cve": "CVE-2024-23829",
-            "id": "pyup.io-65465",
-            "more_info_path": "/vulnerabilities/CVE-2024-23829/65465",
+            "advisory": "Version 0.2.0 of Spark-on-k8s updates its `aiohttp` dependency to require version 3.9.2 or newer. This change aims to protect against the potential security risks outlined in CVE-2024-23334.",
+            "cve": "CVE-2024-23334",
+            "id": "pyup.io-65492",
+            "more_info_path": "/vulnerabilities/CVE-2024-23334/65492",
             "specs": [
                 "<0.2.0"
             ],
@@ -139324,10 +140731,10 @@
             "v": "<0.2.0"
         },
         {
-            "advisory": "Version 0.2.0 of Spark-on-k8s updates its `aiohttp` dependency to require version 3.9.2 or newer. This change aims to protect against the potential security risks outlined in CVE-2024-23334.",
-            "cve": "CVE-2024-23334",
-            "id": "pyup.io-65492",
-            "more_info_path": "/vulnerabilities/CVE-2024-23334/65492",
+            "advisory": "Version 0.2.0 of Spark-on-k8s updates its `aiohttp` dependency to require version 3.9.2 or newer. This change aims to protect against the potential security risks outlined in CVE-2024-23829.",
+            "cve": "CVE-2024-23829",
+            "id": "pyup.io-65465",
+            "more_info_path": "/vulnerabilities/CVE-2024-23829/65465",
             "specs": [
                 "<0.2.0"
             ],
@@ -139363,6 +140770,16 @@
             ],
             "v": "<0.4.0"
         },
+        {
+            "advisory": "Spark-on-k8s version 0.5.0 includes a security update to address CVE-2024-29735 by upgrading the Apache Airflow dependency to a more secure version.",
+            "cve": "CVE-2024-29735",
+            "id": "pyup.io-70484",
+            "more_info_path": "/vulnerabilities/CVE-2024-29735/70484",
+            "specs": [
+                "<0.5.0"
+            ],
+            "v": "<0.5.0"
+        },
         {
             "advisory": "Spark-on-k8s version 0.5.0 has updated its idna dependency from version 3.6 to 3.7 to address the security vulnerability detailed in CVE-2024-3651.",
             "cve": "CVE-2024-3651",
@@ -139374,14 +140791,86 @@
             "v": "<0.5.0"
         },
         {
-            "advisory": "Spark-on-k8s version 0.5.0 includes a security update to address CVE-2024-29735 by upgrading the Apache Airflow dependency to a more secure version.",
-            "cve": "CVE-2024-29735",
-            "id": "pyup.io-70484",
-            "more_info_path": "/vulnerabilities/CVE-2024-29735/70484",
+            "advisory": "Spark-on-k8s version 0.5.1 upgrades its Gunicorn dependency to address security concerns related to CVE-2024-1135.",
+            "cve": "CVE-2024-1135",
+            "id": "pyup.io-70740",
+            "more_info_path": "/vulnerabilities/CVE-2024-1135/70740",
             "specs": [
-                "<0.5.0"
+                "<0.5.1"
             ],
-            "v": "<0.5.0"
+            "v": "<0.5.1"
+        },
+        {
+            "advisory": "Spark-on-k8s version 0.5.1 updates its aiohttp dependency to address the security vulnerability listed in CVE-2024-27306.",
+            "cve": "CVE-2024-27306",
+            "id": "pyup.io-70618",
+            "more_info_path": "/vulnerabilities/CVE-2024-27306/70618",
+            "specs": [
+                "<0.5.1"
+            ],
+            "v": "<0.5.1"
+        },
+        {
+            "advisory": "Spark-on-k8s version 0.5.1 updates its Apache Airflow dependency to mitigate risks associated with CVE-2024-31869.",
+            "cve": "CVE-2024-31869",
+            "id": "pyup.io-70739",
+            "more_info_path": "/vulnerabilities/CVE-2024-31869/70739",
+            "specs": [
+                "<0.5.1"
+            ],
+            "v": "<0.5.1"
+        },
+        {
+            "advisory": "Affected versions of Spark-on-k8s are vulnerable to sensitive information disclosure. Exception details are returned to the the API users.",
+            "cve": "PVE-2024-70850",
+            "id": "pyup.io-70850",
+            "more_info_path": "/vulnerabilities/PVE-2024-70850/70850",
+            "specs": [
+                "<0.7.0"
+            ],
+            "v": "<0.7.0"
+        },
+        {
+            "advisory": "Spark-on-k8s version 0.7.1 upgrades Jinja2 from 3.1.3 to 3.1.4 to address the security issue identified in CVE-2024-34064.",
+            "cve": "CVE-2024-34064",
+            "id": "pyup.io-70903",
+            "more_info_path": "/vulnerabilities/CVE-2024-34064/70903",
+            "specs": [
+                "<0.7.1"
+            ],
+            "v": "<0.7.1"
+        }
+    ],
+    "sparkfish-python-pptx": [
+        {
+            "advisory": "Sparkfish-python-pptx version 0.6.12 updates its dependencies to avoid using a vulnerable version of Pillow. The Pillow library version is updated from 2.6.1 to >=3.3.2 to address the security issue identified in CVE-2016-9190.",
+            "cve": "CVE-2016-9190",
+            "id": "pyup.io-71094",
+            "more_info_path": "/vulnerabilities/CVE-2016-9190/71094",
+            "specs": [
+                "<0.6.12"
+            ],
+            "v": "<0.6.12"
+        },
+        {
+            "advisory": "Sparkfish-python-pptx version 0.6.12 updates its dependencies to avoid using a vulnerable version of Pillow. The Pillow library version is updated from 2.6.1 to >=3.3.2 to address the security issue identified in CVE-2016-9189.",
+            "cve": "CVE-2016-9189",
+            "id": "pyup.io-71102",
+            "more_info_path": "/vulnerabilities/CVE-2016-9189/71102",
+            "specs": [
+                "<0.6.12"
+            ],
+            "v": "<0.6.12"
+        },
+        {
+            "advisory": "Sparkfish-python-pptx version 0.6.23 updates its support for Pillow to version 10+ to address security vulnerabilities, including CVE-2023-44271.",
+            "cve": "CVE-2023-44271",
+            "id": "pyup.io-71093",
+            "more_info_path": "/vulnerabilities/CVE-2023-44271/71093",
+            "specs": [
+                "<0.6.23"
+            ],
+            "v": "<0.6.23"
         }
     ],
     "sparkpipelineframework": [
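Review bot: The new PVE-2024-70850 advisory string has a doubled word, `Exception details are returned to the the API users.`; this text is shown verbatim to database consumers and should read `returned to the API users`. The same record is also the only new Spark-on-k8s entry in this hunk whose text names no fixing release while its spec is `<0.7.0`; adding a sentence such as `This was addressed in version 0.7.0.`, as the neighbouring 0.5.1 and 0.7.1 entries do, would let a reader reconcile the advisory with the spec.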
@@ -139791,9 +141280,9 @@
     "spectrafit": [
         {
             "advisory": "Spectrafit 0.11.0 updates python in Dockerfile from '3.8-slim' to '3.9-slim' to include security fixes.",
-            "cve": "CVE-2022-2068",
-            "id": "pyup.io-51388",
-            "more_info_path": "/vulnerabilities/CVE-2022-2068/51388",
+            "cve": "CVE-2022-34903",
+            "id": "pyup.io-51354",
+            "more_info_path": "/vulnerabilities/CVE-2022-34903/51354",
             "specs": [
                 "<0.11.0"
             ],
@@ -139801,9 +141290,9 @@
         },
         {
             "advisory": "Spectrafit 0.11.0 updates python in Dockerfile from '3.8-slim' to '3.9-slim' to include security fixes.",
-            "cve": "CVE-2022-34903",
-            "id": "pyup.io-51354",
-            "more_info_path": "/vulnerabilities/CVE-2022-34903/51354",
+            "cve": "CVE-2022-2068",
+            "id": "pyup.io-51388",
+            "more_info_path": "/vulnerabilities/CVE-2022-2068/51388",
             "specs": [
                 "<0.11.0"
             ],
@@ -140065,9 +141554,9 @@
     "splitio-client": [
         {
             "advisory": "Splitio-client 9.1.2 updates its dependency 'pyyaml' minimum requirement to v5.4 to include security fixes.",
-            "cve": "CVE-2020-1747",
-            "id": "pyup.io-48015",
-            "more_info_path": "/vulnerabilities/CVE-2020-1747/48015",
+            "cve": "CVE-2019-20477",
+            "id": "pyup.io-48016",
+            "more_info_path": "/vulnerabilities/CVE-2019-20477/48016",
             "specs": [
                 "<9.1.2"
             ],
@@ -140075,9 +141564,9 @@
         },
         {
             "advisory": "Splitio-client 9.1.2 updates its dependency 'pyyaml' minimum requirement to v5.4 to include security fixes.",
-            "cve": "CVE-2019-20477",
-            "id": "pyup.io-48016",
-            "more_info_path": "/vulnerabilities/CVE-2019-20477/48016",
+            "cve": "CVE-2020-1747",
+            "id": "pyup.io-48015",
+            "more_info_path": "/vulnerabilities/CVE-2020-1747/48015",
             "specs": [
                 "<9.1.2"
             ],
@@ -140413,6 +141902,18 @@
             "v": ">=0"
         }
     ],
+    "sqllineage": [
+        {
+            "advisory": "Sqllineage 1.5.3 updates its dependency 'sqlparse' to v0.5.0 to include a security fix.",
+            "cve": "CVE-2024-4340",
+            "id": "pyup.io-70828",
+            "more_info_path": "/vulnerabilities/CVE-2024-4340/70828",
+            "specs": [
+                "<1.5.3"
+            ],
+            "v": "<1.5.3"
+        }
+    ],
     "sqlmesh": [
         {
             "advisory": "Sqlmesh 0.1.0 includes a fix for a Race Condition vulnerability that happens during SQLMesh schema creation in the Airflow plugin.\r\nhttps://github.com/TobikoData/sqlmesh/pull/332",
@@ -140707,6 +142208,16 @@
                 "<1.51.2"
             ],
             "v": "<1.51.2"
+        },
+        {
+            "advisory": "Affected versions of Starlite are vulnerable to Path Traversal. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.",
+            "cve": "CVE-2024-32982",
+            "id": "pyup.io-70851",
+            "more_info_path": "/vulnerabilities/CVE-2024-32982/70851",
+            "specs": [
+                ">=1.37.0,<=1.51.14"
+            ],
+            "v": ">=1.37.0,<=1.51.14"
         }
     ],
     "starwhale": [
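Review bot: The new Starlite record for CVE-2024-32982 uses an inclusive upper bound, `">=1.37.0,<=1.51.14"`, while every other spec in these hunks is written with an exclusive `<` bound, and its advisory text names no fixing release, so a consumer cannot tell from the record whether the next release closes the issue or whether no fixed version exists. If a fixing release is known, the exclusive form `"<FIXED_VERSION"` (placeholder) plus a sentence naming it in the advisory would match the rest of the file; if the project has no fix, saying so in the advisory would make the inclusive bound self-explanatory. The sqllineage hunk on the same line follows the `<` convention and needs no change.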
@@ -140981,20 +142492,20 @@
     ],
     "streamlink": [
         {
-            "advisory": "Streamlink 5.3.0 fixes a race condition that was present in the DASH stream implementation, where queued segments were being downloaded even after the stream had been closed. This was addressed by ensuring that the downloading of segments is properly stopped when a stream is closed, preventing unnecessary network traffic and potential errors.\r\nhttps://github.com/streamlink/streamlink/commit/498efd523c10672d3c2224b71bb513e0907bbe6e",
-            "cve": "PVE-2024-64310",
-            "id": "pyup.io-64310",
-            "more_info_path": "/vulnerabilities/PVE-2024-64310/64310",
+            "advisory": "Streamlink 5.3.0 fixes a race condition that affected the proper closure and data flushing of substreams when being muxed using FFMPEG. The issue arose from the incorrect handling of substream buffers, which could result in missing data if the buffers weren't fully drained before the stream was closed. \r\nhttps://github.com/streamlink/streamlink/commit/546386208cf620e7dd90e400f953e0442ca3976d",
+            "cve": "PVE-2024-64212",
+            "id": "pyup.io-64212",
+            "more_info_path": "/vulnerabilities/PVE-2024-64212/64212",
             "specs": [
                 "<5.3.0"
             ],
             "v": "<5.3.0"
         },
         {
-            "advisory": "Streamlink 5.3.0 fixes a race condition that affected the proper closure and data flushing of substreams when being muxed using FFMPEG. The issue arose from the incorrect handling of substream buffers, which could result in missing data if the buffers weren't fully drained before the stream was closed. \r\nhttps://github.com/streamlink/streamlink/commit/546386208cf620e7dd90e400f953e0442ca3976d",
-            "cve": "PVE-2024-64212",
-            "id": "pyup.io-64212",
-            "more_info_path": "/vulnerabilities/PVE-2024-64212/64212",
+            "advisory": "Streamlink 5.3.0 fixes a race condition that was present in the DASH stream implementation, where queued segments were being downloaded even after the stream had been closed. This was addressed by ensuring that the downloading of segments is properly stopped when a stream is closed, preventing unnecessary network traffic and potential errors.\r\nhttps://github.com/streamlink/streamlink/commit/498efd523c10672d3c2224b71bb513e0907bbe6e",
+            "cve": "PVE-2024-64310",
+            "id": "pyup.io-64310",
+            "more_info_path": "/vulnerabilities/PVE-2024-64310/64310",
             "specs": [
                 "<5.3.0"
             ],
@@ -141215,6 +142726,18 @@
             "v": "<4.7.1"
         }
     ],
+    "subsearch": [
+        {
+            "advisory": "Subsearch version 2.44.1 updates the Pillow library from version 10.2.0 to 10.3.0 due to CVE-2024-28219.",
+            "cve": "CVE-2024-28219",
+            "id": "pyup.io-70891",
+            "more_info_path": "/vulnerabilities/CVE-2024-28219/70891",
+            "specs": [
+                "<2.44.1"
+            ],
+            "v": "<2.44.1"
+        }
+    ],
     "substra": [
         {
             "advisory": "Substra 0.0.19 fixes a vulnerability in lodash.",
@@ -141310,6 +142833,18 @@
             "v": "<3.6.1"
         }
     ],
+    "superagi": [
+        {
+            "advisory": "SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.",
+            "cve": "CVE-2023-48055",
+            "id": "pyup.io-70894",
+            "more_info_path": "/vulnerabilities/CVE-2023-48055/70894",
+            "specs": [
+                "<=0.0.13"
+            ],
+            "v": "<=0.0.13"
+        }
+    ],
     "superdesk-planning": [
         {
             "advisory": "Superdesk-planning 2.0.2 includes a security patch which requires authentication for all API endpoints.",
@@ -141598,14 +143133,14 @@
     ],
     "supervisor": [
         {
-            "advisory": "A vulnerability in Supervisor up to version 4.0.2 allows an unauthenticated user to read log files or restart a service when the inet_http_server component is enabled without a password. While this component is not activated by default, failure to secure it with a password, despite logged warnings and documentation advisories, exposes the system to unauthorized access.",
+            "advisory": "Affected versions of Supervisor allow an unauthenticated user to read log files or restart a service when the inet_http_server component is enabled without a password. While this component is not activated by default, failure to secure it with a password exposes the system to unauthorized access. Logged warnings and documentation advisories were added to prevent this risky usage.",
             "cve": "CVE-2019-12105",
             "id": "pyup.io-70372",
             "more_info_path": "/vulnerabilities/CVE-2019-12105/70372",
             "specs": [
-                ">=0,<4.0.3"
+                "<4.0.4"
             ],
-            "v": ">=0,<4.0.3"
+            "v": "<4.0.4"
         },
         {
             "advisory": "Supervisor versions 3.0.1, 3.1.4, 3.2.4 and 3.3.3 include a fix for CVE-2017-11610: The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.",
@@ -142206,6 +143741,16 @@
             ],
             "v": "<0.8.2b40"
         },
+        {
+            "advisory": "Syft 0.8.4b4 updates its dependency 'pygments' to 2.15.0 to include a security fix on the CVE-2021-20270.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
+            "cve": "CVE-2021-20270",
+            "id": "pyup.io-63098",
+            "more_info_path": "/vulnerabilities/CVE-2021-20270/63098",
+            "specs": [
+                "<0.8.4b4"
+            ],
+            "v": "<0.8.4b4"
+        },
         {
             "advisory": "Syft 0.8.4b4 updates its dependency 'pygments' to 2.15.0 to include a security fix on the CVE-2022-40896.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
             "cve": "CVE-2022-40896",
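Review bot: The CVE-2019-12105 Supervisor record widens its affected range from `">=0,<4.0.3"` to `"<4.0.4"` while the rewritten advisory drops the only version statement the old text carried (`up to version 4.0.2`), so the text no longer lets a reader check the spec; from this diff alone I cannot tell which bound is the correct one. Whichever it is, the advisory should name the fixing release explicitly, e.g. end with `This was addressed in version FIXED_VERSION.` (placeholder for the release the data supports), so the two fields agree and the change of bound is auditable. The Syft hunk on the same line is a reorder and raises nothing.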
@@ -142216,6 +143761,16 @@
             ],
             "v": "<0.8.4b4"
         },
+        {
+            "advisory": "Syft 0.8.4b4 updates its dependency 'certifi' to 2023.7.22 to include a security fix on the CVE-2022-23491.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
+            "cve": "CVE-2022-23491",
+            "id": "pyup.io-63086",
+            "more_info_path": "/vulnerabilities/CVE-2022-23491/63086",
+            "specs": [
+                "<0.8.4b4"
+            ],
+            "v": "<0.8.4b4"
+        },
         {
             "advisory": "Syft 0.8.4b4 updates its dependency 'pygments' to 2.15.0 to include a security fix on the CVE-2021-27291.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
             "cve": "CVE-2021-27291",
@@ -142246,16 +143801,6 @@
             ],
             "v": "<0.8.4b4"
         },
-        {
-            "advisory": "Syft 0.8.4b4 updates its dependency 'pygments' to 2.15.0 to include a security fix on the CVE-2021-20270.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
-            "cve": "CVE-2021-20270",
-            "id": "pyup.io-63098",
-            "more_info_path": "/vulnerabilities/CVE-2021-20270/63098",
-            "specs": [
-                "<0.8.4b4"
-            ],
-            "v": "<0.8.4b4"
-        },
         {
             "advisory": "Syft 0.8.4b4 updates its dependency 'requests' to 2.31.0 to include a security fix on the CVE-2023-32681.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
             "cve": "CVE-2023-32681",
@@ -142266,16 +143811,6 @@
             ],
             "v": "<0.8.4b4"
         },
-        {
-            "advisory": "Syft 0.8.4b4 updates its dependency 'certifi' to 2023.7.22 to include a security fix on the CVE-2022-23491.\r\nhttps://github.com/OpenMined/PySyft/pull/8356",
-            "cve": "CVE-2022-23491",
-            "id": "pyup.io-63086",
-            "more_info_path": "/vulnerabilities/CVE-2022-23491/63086",
-            "specs": [
-                "<0.8.4b4"
-            ],
-            "v": "<0.8.4b4"
-        },
         {
             "advisory": "Syft version 0.8.5 updates its setuptools requirement to version 65.5.1 from the prior 39.0.1 to address the security vulnerability identified as CVE-2022-40897.",
             "cve": "CVE-2022-40897",
@@ -142642,20 +144177,20 @@
             "v": "<0.5.0"
         },
         {
-            "advisory": "Syngen version 0.7.16 upgrades its mlflow dependency to version 2.10.* from 2.9.2 in response to the security vulnerability CVE-2023-6977.",
-            "cve": "CVE-2023-6977",
-            "id": "pyup.io-67017",
-            "more_info_path": "/vulnerabilities/CVE-2023-6977/67017",
+            "advisory": "Syngen version 0.7.16 upgrades its mlflow dependency to version 2.10.* from 2.9.2 in response to the security vulnerability CVE-2023-50447.",
+            "cve": "CVE-2023-50447",
+            "id": "pyup.io-67145",
+            "more_info_path": "/vulnerabilities/CVE-2023-50447/67145",
             "specs": [
                 "<0.7.16"
             ],
             "v": "<0.7.16"
         },
         {
-            "advisory": "Syngen version 0.7.16 upgrades its mlflow dependency to version 2.10.* from 2.9.2 in response to the security vulnerability CVE-2023-50447.",
-            "cve": "CVE-2023-50447",
-            "id": "pyup.io-67145",
-            "more_info_path": "/vulnerabilities/CVE-2023-50447/67145",
+            "advisory": "Syngen version 0.7.16 upgrades its mlflow dependency to version 2.10.* from 2.9.2 in response to the security vulnerability CVE-2023-6977.",
+            "cve": "CVE-2023-6977",
+            "id": "pyup.io-67017",
+            "more_info_path": "/vulnerabilities/CVE-2023-6977/67017",
             "specs": [
                 "<0.7.16"
             ],
@@ -143383,9 +144918,9 @@
         },
         {
             "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.",
-            "cve": "CVE-2018-7536",
-            "id": "pyup.io-49768",
-            "more_info_path": "/vulnerabilities/CVE-2018-7536/49768",
+            "cve": "CVE-2018-14574",
+            "id": "pyup.io-49770",
+            "more_info_path": "/vulnerabilities/CVE-2018-14574/49770",
             "specs": [
                 "<11.0.4"
             ],
@@ -143393,9 +144928,9 @@
         },
         {
             "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.",
-            "cve": "CVE-2018-14574",
-            "id": "pyup.io-49770",
-            "more_info_path": "/vulnerabilities/CVE-2018-14574/49770",
+            "cve": "CVE-2018-6188",
+            "id": "pyup.io-49767",
+            "more_info_path": "/vulnerabilities/CVE-2018-6188/49767",
             "specs": [
                 "<11.0.4"
             ],
@@ -143413,9 +144948,9 @@
         },
         {
             "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.",
-            "cve": "CVE-2018-6188",
-            "id": "pyup.io-49767",
-            "more_info_path": "/vulnerabilities/CVE-2018-6188/49767",
+            "cve": "CVE-2018-7536",
+            "id": "pyup.io-49768",
+            "more_info_path": "/vulnerabilities/CVE-2018-7536/49768",
             "specs": [
                 "<11.0.4"
             ],
@@ -143451,16 +144986,6 @@
             ],
             "v": "<11.2.8"
         },
-        {
-            "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.",
-            "cve": "CVE-2018-20676",
-            "id": "pyup.io-42993",
-            "more_info_path": "/vulnerabilities/CVE-2018-20676/42993",
-            "specs": [
-                "<11.2.8"
-            ],
-            "v": "<11.2.8"
-        },
         {
             "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.",
             "cve": "CVE-2016-10735",
@@ -143501,6 +145026,16 @@
             ],
             "v": "<11.2.8"
         },
+        {
+            "advisory": "Tendenci 11.2.8 upgrades its dependency 'bootstrap' from 3.3.1 to 3.4.1. There are several XSS vulnerabilities in versions lower than 3.4.1.",
+            "cve": "CVE-2018-20676",
+            "id": "pyup.io-42993",
+            "more_info_path": "/vulnerabilities/CVE-2018-20676/42993",
+            "specs": [
+                "<11.2.8"
+            ],
+            "v": "<11.2.8"
+        },
         {
             "advisory": "Tendenci 11.4.7 prevents unauthorized use of renewal URLs.",
             "cve": "PVE-2021-38509",
@@ -143582,20 +145117,20 @@
             "v": "<12.3.2"
         },
         {
-            "advisory": "Tendenci 12.4.13 upgrades its dependency 'jQuery' from 3.4.1 to 3.6.0 to fix a XSS vulnerability in versions <3.5.0.",
-            "cve": "CVE-2020-11023",
-            "id": "pyup.io-42991",
-            "more_info_path": "/vulnerabilities/CVE-2020-11023/42991",
+            "advisory": "Tendenci 12.4.13 upgrades its dependency 'jQuery' from 3.4.1 to 3.6.0 to fix a XSS vulnerability.",
+            "cve": "CVE-2020-11022",
+            "id": "pyup.io-40826",
+            "more_info_path": "/vulnerabilities/CVE-2020-11022/40826",
             "specs": [
                 "<12.4.13"
             ],
             "v": "<12.4.13"
         },
         {
-            "advisory": "Tendenci 12.4.13 upgrades its dependency 'jQuery' from 3.4.1 to 3.6.0 to fix a XSS vulnerability.",
-            "cve": "CVE-2020-11022",
-            "id": "pyup.io-40826",
-            "more_info_path": "/vulnerabilities/CVE-2020-11022/40826",
+            "advisory": "Tendenci 12.4.13 upgrades its dependency 'jQuery' from 3.4.1 to 3.6.0 to fix a XSS vulnerability in versions <3.5.0.",
+            "cve": "CVE-2020-11023",
+            "id": "pyup.io-42991",
+            "more_info_path": "/vulnerabilities/CVE-2020-11023/42991",
             "specs": [
                 "<12.4.13"
             ],
@@ -143603,9 +145138,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-25291",
-            "id": "pyup.io-43491",
-            "more_info_path": "/vulnerabilities/CVE-2021-25291/43491",
+            "cve": "CVE-2021-25293",
+            "id": "pyup.io-43493",
+            "more_info_path": "/vulnerabilities/CVE-2021-25293/43493",
             "specs": [
                 "<12.4.8"
             ],
@@ -143613,9 +145148,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-25289",
-            "id": "pyup.io-40133",
-            "more_info_path": "/vulnerabilities/CVE-2021-25289/40133",
+            "cve": "CVE-2021-27921",
+            "id": "pyup.io-43489",
+            "more_info_path": "/vulnerabilities/CVE-2021-27921/43489",
             "specs": [
                 "<12.4.8"
             ],
@@ -143623,9 +145158,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-27923",
-            "id": "pyup.io-43490",
-            "more_info_path": "/vulnerabilities/CVE-2021-27923/43490",
+            "cve": "CVE-2021-25290",
+            "id": "pyup.io-43487",
+            "more_info_path": "/vulnerabilities/CVE-2021-25290/43487",
             "specs": [
                 "<12.4.8"
             ],
@@ -143633,29 +145168,29 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-27922",
-            "id": "pyup.io-43488",
-            "more_info_path": "/vulnerabilities/CVE-2021-27922/43488",
+            "cve": "CVE-2021-25292",
+            "id": "pyup.io-43492",
+            "more_info_path": "/vulnerabilities/CVE-2021-25292/43492",
             "specs": [
                 "<12.4.8"
             ],
             "v": "<12.4.8"
         },
         {
-            "advisory": "Tendenci 12.4.8 tightens the security check for the password change page.\r\nhttps://github.com/tendenci/tendenci/commit/4101194640b5d5dc99c01efdfa80c34bdba2b158",
-            "cve": "PVE-2021-40133",
-            "id": "pyup.io-43486",
-            "more_info_path": "/vulnerabilities/PVE-2021-40133/43486",
+            "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
+            "cve": "CVE-2021-25291",
+            "id": "pyup.io-43491",
+            "more_info_path": "/vulnerabilities/CVE-2021-25291/43491",
             "specs": [
                 "<12.4.8"
             ],
             "v": "<12.4.8"
         },
         {
-            "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-25292",
-            "id": "pyup.io-43492",
-            "more_info_path": "/vulnerabilities/CVE-2021-25292/43492",
+            "advisory": "Tendenci 12.4.8 tightens the security check for the password change page.\r\nhttps://github.com/tendenci/tendenci/commit/4101194640b5d5dc99c01efdfa80c34bdba2b158",
+            "cve": "PVE-2021-40133",
+            "id": "pyup.io-43486",
+            "more_info_path": "/vulnerabilities/PVE-2021-40133/43486",
             "specs": [
                 "<12.4.8"
             ],
@@ -143663,9 +145198,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-25293",
-            "id": "pyup.io-43493",
-            "more_info_path": "/vulnerabilities/CVE-2021-25293/43493",
+            "cve": "CVE-2021-27923",
+            "id": "pyup.io-43490",
+            "more_info_path": "/vulnerabilities/CVE-2021-27923/43490",
             "specs": [
                 "<12.4.8"
             ],
@@ -143673,9 +145208,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-27921",
-            "id": "pyup.io-43489",
-            "more_info_path": "/vulnerabilities/CVE-2021-27921/43489",
+            "cve": "CVE-2021-25289",
+            "id": "pyup.io-40133",
+            "more_info_path": "/vulnerabilities/CVE-2021-25289/40133",
             "specs": [
                 "<12.4.8"
             ],
@@ -143683,9 +145218,9 @@
         },
         {
             "advisory": "Tendenci 12.4.8 updates its dependency 'Pillow' to v8.1.2 to include security fixes.",
-            "cve": "CVE-2021-25290",
-            "id": "pyup.io-43487",
-            "more_info_path": "/vulnerabilities/CVE-2021-25290/43487",
+            "cve": "CVE-2021-27922",
+            "id": "pyup.io-43488",
+            "more_info_path": "/vulnerabilities/CVE-2021-27922/43488",
             "specs": [
                 "<12.4.8"
             ],
@@ -143777,6 +145312,18 @@
             ],
             "v": "<1.15.0rc0"
         },
+        {
+            "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.",
+            "cve": "CVE-2019-13960",
+            "id": "pyup.io-39823",
+            "more_info_path": "/vulnerabilities/CVE-2019-13960/39823",
+            "specs": [
+                "<1.15.3",
+                ">=2.0.0a0,<2.0.2",
+                ">=2.1.0rc0,<2.1.1"
+            ],
+            "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1"
+        },
         {
             "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"Apache Spark\" to handle CVE-2019-10099.",
             "cve": "CVE-2019-10099",
@@ -143873,18 +145420,6 @@ ], "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1" }, - { - "advisory": "Tensorflow versions 1.15.3, 2.0.2 and 2.1.1 updates its dependency \"libjpeg-turbo\" to handle CVE-2019-13960.", - "cve": "CVE-2019-13960", - "id": "pyup.io-39823", - "more_info_path": "/vulnerabilities/CVE-2019-13960/39823", - "specs": [ - "<1.15.3", - ">=2.0.0a0,<2.0.2", - ">=2.1.0rc0,<2.1.1" - ], - "v": "<1.15.3,>=2.0.0a0,<2.0.2,>=2.1.0rc0,<2.1.1" - }, { "advisory": "Tensorflow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1 include a fix for CVE-2020-15205: In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the 'data_splits' argument of 'tf.raw_ops.StringNGrams' lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory In the linked code snippet, all the binary strings after 'ee ff' are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.\r\nhttps://github.com/tensorflow/tensorflow/security/advisories/GHSA-g7p5-5759-qv46", "cve": "CVE-2020-15205", @@ -158575,6 +160110,16 @@ } ], "tensorflow-directml": [ + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2019-13960", + "id": "pyup.io-39830", + "more_info_path": "/vulnerabilities/CVE-2019-13960/39830", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, { "advisory": "Tensorflow-directml 1.15.3 updates 'SQLite3' to v3.31.01 to include security fixes.", "cve": "CVE-2019-19880", 
@@ -158655,16 +160200,6 @@ ], "v": "<1.15.3" }, - { - "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", - "cve": "CVE-2019-13960", - "id": "pyup.io-39830", - "more_info_path": "/vulnerabilities/CVE-2019-13960/39830", - "specs": [ - "<1.15.3" - ], - "v": "<1.15.3" - }, { "advisory": "Tensorflow-directml 1.15.4 updates its dependency \"SQlite3\" to v3.33.0 to include security fixes.", "cve": "CVE-2020-9327", @@ -158991,9 +160526,9 @@ "tensorflow-federated": [ { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-30115", - "id": "pyup.io-49296", - "more_info_path": "/vulnerabilities/CVE-2022-30115/49296", + "cve": "CVE-2022-29208", + "id": "pyup.io-49289", + "more_info_path": "/vulnerabilities/CVE-2022-29208/49289", "specs": [ "<0.25.0" ], @@ -159001,9 +160536,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27780", - "id": "pyup.io-49269", - "more_info_path": "/vulnerabilities/CVE-2022-27780/49269", + "cve": "CVE-2022-29204", + "id": "pyup.io-49285", + "more_info_path": "/vulnerabilities/CVE-2022-29204/49285", "specs": [ "<0.25.0" ], @@ -159011,9 +160546,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2018-25032", - "id": "pyup.io-49261", - "more_info_path": "/vulnerabilities/CVE-2018-25032/49261", + "cve": "CVE-2022-29205", + "id": "pyup.io-49286", + "more_info_path": "/vulnerabilities/CVE-2022-29205/49286", "specs": [ "<0.25.0" ], 
@@ -159021,9 +160556,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29212", - "id": "pyup.io-49293", - "more_info_path": "/vulnerabilities/CVE-2022-29212/49293", + "cve": "CVE-2022-29203", + "id": "pyup.io-49284", + "more_info_path": "/vulnerabilities/CVE-2022-29203/49284", "specs": [ "<0.25.0" ], @@ -159031,9 +160566,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29210", - "id": "pyup.io-49291", - "more_info_path": "/vulnerabilities/CVE-2022-29210/49291", + "cve": "CVE-2022-29197", + "id": "pyup.io-49278", + "more_info_path": "/vulnerabilities/CVE-2022-29197/49278", "specs": [ "<0.25.0" ], @@ -159041,9 +160576,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29196", - "id": "pyup.io-49277", - "more_info_path": "/vulnerabilities/CVE-2022-29196/49277", + "cve": "CVE-2022-29209", + "id": "pyup.io-49290", + "more_info_path": "/vulnerabilities/CVE-2022-29209/49290", "specs": [ "<0.25.0" ], @@ -159051,9 +160586,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29211", - "id": "pyup.io-49292", - "more_info_path": "/vulnerabilities/CVE-2022-29211/49292", + "cve": "CVE-2022-29200", + "id": "pyup.io-49281", + "more_info_path": "/vulnerabilities/CVE-2022-29200/49281", "specs": [ "<0.25.0" ], @@ -159061,9 +160596,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29206", - "id": "pyup.io-49287", - "more_info_path": "/vulnerabilities/CVE-2022-29206/49287", + "cve": "CVE-2022-29213", + "id": "pyup.io-49294", + "more_info_path": "/vulnerabilities/CVE-2022-29213/49294", "specs": [ "<0.25.0" ], 
@@ -159071,9 +160606,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29207", - "id": "pyup.io-49288", - "more_info_path": "/vulnerabilities/CVE-2022-29207/49288", + "cve": "CVE-2022-27779", + "id": "pyup.io-49268", + "more_info_path": "/vulnerabilities/CVE-2022-27779/49268", "specs": [ "<0.25.0" ], @@ -159081,9 +160616,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29198", - "id": "pyup.io-49279", - "more_info_path": "/vulnerabilities/CVE-2022-29198/49279", + "cve": "CVE-2022-29216", + "id": "pyup.io-49295", + "more_info_path": "/vulnerabilities/CVE-2022-29216/49295", "specs": [ "<0.25.0" ], @@ -159091,9 +160626,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27775", - "id": "pyup.io-49265", - "more_info_path": "/vulnerabilities/CVE-2022-27775/49265", + "cve": "CVE-2022-29210", + "id": "pyup.io-49291", + "more_info_path": "/vulnerabilities/CVE-2022-29210/49291", "specs": [ "<0.25.0" ], @@ -159101,9 +160636,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-22576", - "id": "pyup.io-49263", - "more_info_path": "/vulnerabilities/CVE-2022-22576/49263", + "cve": "CVE-2022-29199", + "id": "pyup.io-49280", + "more_info_path": "/vulnerabilities/CVE-2022-29199/49280", "specs": [ "<0.25.0" ], 
@@ -159111,9 +160646,19 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29216", - "id": "pyup.io-49295", - "more_info_path": "/vulnerabilities/CVE-2022-29216/49295", + "cve": "CVE-2022-27776", + "id": "pyup.io-49266", + "more_info_path": "/vulnerabilities/CVE-2022-27776/49266", + "specs": [ + "<0.25.0" + ], + "v": "<0.25.0" + }, + { + "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", + "cve": "CVE-2022-29191", + "id": "pyup.io-49272", + "more_info_path": "/vulnerabilities/CVE-2022-29191/49272", "specs": [ "<0.25.0" ], @@ -159131,9 +160676,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29194", - "id": "pyup.io-49275", - "more_info_path": "/vulnerabilities/CVE-2022-29194/49275", + "cve": "CVE-2022-22576", + "id": "pyup.io-49263", + "more_info_path": "/vulnerabilities/CVE-2022-22576/49263", "specs": [ "<0.25.0" ], @@ -159141,9 +160686,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29191", - "id": "pyup.io-49272", - "more_info_path": "/vulnerabilities/CVE-2022-29191/49272", + "cve": "CVE-2022-29211", + "id": "pyup.io-49292", + "more_info_path": "/vulnerabilities/CVE-2022-29211/49292", "specs": [ "<0.25.0" ], @@ -159151,9 +160696,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29192", - "id": "pyup.io-49273", - "more_info_path": "/vulnerabilities/CVE-2022-29192/49273", + "cve": "CVE-2022-29196", + "id": "pyup.io-49277", + "more_info_path": "/vulnerabilities/CVE-2022-29196/49277", "specs": [ "<0.25.0" ], 
@@ -159161,9 +160706,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27776", - "id": "pyup.io-49266", - "more_info_path": "/vulnerabilities/CVE-2022-27776/49266", + "cve": "CVE-2022-29212", + "id": "pyup.io-49293", + "more_info_path": "/vulnerabilities/CVE-2022-29212/49293", "specs": [ "<0.25.0" ], @@ -159171,9 +160716,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29202", - "id": "pyup.io-49283", - "more_info_path": "/vulnerabilities/CVE-2022-29202/49283", + "cve": "CVE-2018-25032", + "id": "pyup.io-49261", + "more_info_path": "/vulnerabilities/CVE-2018-25032/49261", "specs": [ "<0.25.0" ], @@ -159181,9 +160726,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29199", - "id": "pyup.io-49280", - "more_info_path": "/vulnerabilities/CVE-2022-29199/49280", + "cve": "CVE-2022-27780", + "id": "pyup.io-49269", + "more_info_path": "/vulnerabilities/CVE-2022-27780/49269", "specs": [ "<0.25.0" ], @@ -159191,9 +160736,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27774", - "id": "pyup.io-49264", - "more_info_path": "/vulnerabilities/CVE-2022-27774/49264", + "cve": "CVE-2022-27778", + "id": "pyup.io-49267", + "more_info_path": "/vulnerabilities/CVE-2022-27778/49267", "specs": [ "<0.25.0" ], @@ -159211,9 +160756,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29208", - "id": "pyup.io-49289", - "more_info_path": "/vulnerabilities/CVE-2022-29208/49289", + "cve": "CVE-2022-27781", + "id": "pyup.io-49270", + "more_info_path": "/vulnerabilities/CVE-2022-27781/49270", "specs": [ "<0.25.0" ], 
@@ -159221,9 +160766,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27778", - "id": "pyup.io-49267", - "more_info_path": "/vulnerabilities/CVE-2022-27778/49267", + "cve": "CVE-2022-29195", + "id": "pyup.io-49276", + "more_info_path": "/vulnerabilities/CVE-2022-29195/49276", "specs": [ "<0.25.0" ], @@ -159231,9 +160776,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29204", - "id": "pyup.io-49285", - "more_info_path": "/vulnerabilities/CVE-2022-29204/49285", + "cve": "CVE-2022-27774", + "id": "pyup.io-49264", + "more_info_path": "/vulnerabilities/CVE-2022-27774/49264", "specs": [ "<0.25.0" ], @@ -159241,9 +160786,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29205", - "id": "pyup.io-49286", - "more_info_path": "/vulnerabilities/CVE-2022-29205/49286", + "cve": "CVE-2022-29202", + "id": "pyup.io-49283", + "more_info_path": "/vulnerabilities/CVE-2022-29202/49283", "specs": [ "<0.25.0" ], @@ -159251,9 +160796,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29203", - "id": "pyup.io-49284", - "more_info_path": "/vulnerabilities/CVE-2022-29203/49284", + "cve": "CVE-2022-29192", + "id": "pyup.io-49273", + "more_info_path": "/vulnerabilities/CVE-2022-29192/49273", "specs": [ "<0.25.0" ], @@ -159261,9 +160806,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29197", - "id": "pyup.io-49278", - "more_info_path": "/vulnerabilities/CVE-2022-29197/49278", + "cve": "CVE-2022-29194", + "id": "pyup.io-49275", + "more_info_path": "/vulnerabilities/CVE-2022-29194/49275", "specs": [ "<0.25.0" ], 
@@ -159271,9 +160816,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29213", - "id": "pyup.io-49294", - "more_info_path": "/vulnerabilities/CVE-2022-29213/49294", + "cve": "CVE-2022-27775", + "id": "pyup.io-49265", + "more_info_path": "/vulnerabilities/CVE-2022-27775/49265", "specs": [ "<0.25.0" ], @@ -159281,9 +160826,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29209", - "id": "pyup.io-49290", - "more_info_path": "/vulnerabilities/CVE-2022-29209/49290", + "cve": "CVE-2022-29198", + "id": "pyup.io-49279", + "more_info_path": "/vulnerabilities/CVE-2022-29198/49279", "specs": [ "<0.25.0" ], @@ -159291,9 +160836,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29200", - "id": "pyup.io-49281", - "more_info_path": "/vulnerabilities/CVE-2022-29200/49281", + "cve": "CVE-2022-29207", + "id": "pyup.io-49288", + "more_info_path": "/vulnerabilities/CVE-2022-29207/49288", "specs": [ "<0.25.0" ], @@ -159301,9 +160846,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-29195", - "id": "pyup.io-49276", - "more_info_path": "/vulnerabilities/CVE-2022-29195/49276", + "cve": "CVE-2022-29206", + "id": "pyup.io-49287", + "more_info_path": "/vulnerabilities/CVE-2022-29206/49287", "specs": [ "<0.25.0" ], @@ -159311,9 +160856,9 @@ }, { "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27779", - "id": "pyup.io-49268", - "more_info_path": "/vulnerabilities/CVE-2022-27779/49268", + "cve": "CVE-2022-30115", + "id": "pyup.io-49296", + "more_info_path": "/vulnerabilities/CVE-2022-30115/49296", "specs": [ "<0.25.0" ], 
@@ -159328,16 +160873,6 @@ "<0.25.0" ], "v": "<0.25.0" - }, - { - "advisory": "Tensorflow-federated 0.25.0 updates its dependency 'TensorFlow' to v2.9.0 to include security fixes.", - "cve": "CVE-2022-27781", - "id": "pyup.io-49270", - "more_info_path": "/vulnerabilities/CVE-2022-27781/49270", - "specs": [ - "<0.25.0" - ], - "v": "<0.25.0" } ], "tensorflow-gpu": [ @@ -179202,6 +180737,16 @@ ], "v": "<1.5.0" }, + { + "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", + "cve": "CVE-2019-13960", + "id": "pyup.io-44399", + "more_info_path": "/vulnerabilities/CVE-2019-13960/44399", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, { "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", "cve": "CVE-2018-17190", @@ -179292,16 +180837,6 @@ ], "v": "<1.5.0" }, - { - "advisory": "Tensorpy 1.5.0 updates Tensorflow to v1.15.4 to include security fixes.", - "cve": "CVE-2019-13960", - "id": "pyup.io-44399", - "more_info_path": "/vulnerabilities/CVE-2019-13960/44399", - "specs": [ - "<1.5.0" - ], - "v": "<1.5.0" - }, { "advisory": "Tensorpy versions 1.6.1 and prior require as dependency TensorFlow v1.15.4 or lower, that have several known vulnerabilities.", "cve": "CVE-2021-41228", @@ -181795,9 +183330,9 @@ }, { "advisory": "Timezonefinder 6.0.2 updates its dependency 'numpy' to v1.22.4 to include security fixes.", - "cve": "CVE-2021-34141", - "id": "pyup.io-49800", - "more_info_path": "/vulnerabilities/CVE-2021-34141/49800", + "cve": "CVE-2021-41495", + "id": "pyup.io-49903", + "more_info_path": "/vulnerabilities/CVE-2021-41495/49903", "specs": [ "<6.0.2" ], 
@@ -181805,9 +183340,9 @@ }, { "advisory": "Timezonefinder 6.0.2 updates its dependency 'numpy' to v1.22.4 to include security fixes.", - "cve": "CVE-2021-41495", - "id": "pyup.io-49903", - "more_info_path": "/vulnerabilities/CVE-2021-41495/49903", + "cve": "CVE-2021-34141", + "id": "pyup.io-49800", + "more_info_path": "/vulnerabilities/CVE-2021-34141/49800", "specs": [ "<6.0.2" ], @@ -181966,16 +183501,6 @@ ], "v": "<0.3.0.dev15" }, - { - "advisory": "Toga-core 0.3.0.dev15 updates its dependency 'Django' minimum requirement to versions ~2.2 to include security fixes.", - "cve": "CVE-2017-7233", - "id": "pyup.io-48157", - "more_info_path": "/vulnerabilities/CVE-2017-7233/48157", - "specs": [ - "<0.3.0.dev15" - ], - "v": "<0.3.0.dev15" - }, { "advisory": "Toga-core 0.3.0.dev15 updates its NPM dependency 'webpack-dev-server' minimum requirement to versions >=3.1.11 to include a security fix.", "cve": "CVE-2018-14732", @@ -181996,6 +183521,16 @@ ], "v": "<0.3.0.dev15" }, + { + "advisory": "Toga-core 0.3.0.dev15 updates its dependency 'Django' minimum requirement to versions ~2.2 to include security fixes.", + "cve": "CVE-2017-7233", + "id": "pyup.io-48157", + "more_info_path": "/vulnerabilities/CVE-2017-7233/48157", + "specs": [ + "<0.3.0.dev15" + ], + "v": "<0.3.0.dev15" + }, { "advisory": "Toga-core 0.3.0.dev15 updates its NPM dependency 'bootstrap' minimum requirement to versions >=4.3.1 to include a security fix.", "cve": "CVE-2019-8331", 
@@ -182076,66 +183611,6 @@ ], "v": "<1.6.1" }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-14232", - "id": "pyup.io-49474", - "more_info_path": "/vulnerabilities/CVE-2019-14232/49474", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-19844", - "id": "pyup.io-49469", - "more_info_path": "/vulnerabilities/CVE-2019-19844/49469", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-12308", - "id": "pyup.io-49476", - "more_info_path": "/vulnerabilities/CVE-2019-12308/49476", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-14235", - "id": "pyup.io-49472", - "more_info_path": "/vulnerabilities/CVE-2019-14235/49472", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-14233", - "id": "pyup.io-49473", - "more_info_path": "/vulnerabilities/CVE-2019-14233/49473", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, - { - "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-14234", - "id": "pyup.io-49471", - "more_info_path": "/vulnerabilities/CVE-2019-14234/49471", - "specs": [ - "<1.6.1" - ], - "v": "<1.6.1" - }, { "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", "cve": "CVE-2020-7471", 
@@ -182158,9 +183633,19 @@ }, { "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", - "cve": "CVE-2019-12781", - "id": "pyup.io-49475", - "more_info_path": "/vulnerabilities/CVE-2019-12781/49475", + "cve": "CVE-2019-14232", + "id": "pyup.io-49474", + "more_info_path": "/vulnerabilities/CVE-2019-14232/49474", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-14233", + "id": "pyup.io-49473", + "more_info_path": "/vulnerabilities/CVE-2019-14233/49473", "specs": [ "<1.6.1" ], @@ -182176,6 +183661,16 @@ ], "v": "<1.6.1" }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-14234", + "id": "pyup.io-49471", + "more_info_path": "/vulnerabilities/CVE-2019-14234/49471", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, { "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", "cve": "CVE-2020-9402", 
@@ -182186,6 +183681,46 @@ ], "v": "<1.6.1" }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-12308", + "id": "pyup.io-49476", + "more_info_path": "/vulnerabilities/CVE-2019-12308/49476", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-19844", + "id": "pyup.io-49469", + "more_info_path": "/vulnerabilities/CVE-2019-19844/49469", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-14235", + "id": "pyup.io-49472", + "more_info_path": "/vulnerabilities/CVE-2019-14235/49472", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, + { + "advisory": "Tomtoolkit 1.6.1 updates its dependency 'Django' requirement to '>=3.0.7' to include security fixes.", + "cve": "CVE-2019-12781", + "id": "pyup.io-49475", + "more_info_path": "/vulnerabilities/CVE-2019-12781/49475", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, { "advisory": "Tomtoolkit 2.14.1 disables multiple file uploads to fix CVE-2023-31047.\r\nhttps://github.com/TOMToolkit/tom_base/commit/eb2d7903e29f6f592452544d2c48e1a1236ca1e7", "cve": "CVE-2023-31047", 
@@ -182323,20 +183858,20 @@ ], "torchserve": [ { - "advisory": "Torchserve 0.5.1 updates its dependency 'log4j' to v2.16.0 to include a fix for a critical vulnerability.", - "cve": "CVE-2021-44228", - "id": "pyup.io-43736", - "more_info_path": "/vulnerabilities/CVE-2021-44228/43736", + "advisory": "Torchserve 0.5.1 updates its dependency 'log4j2' to v2.16.0 to fix critical vulnerabilities.", + "cve": "CVE-2021-45046", + "id": "pyup.io-43744", + "more_info_path": "/vulnerabilities/CVE-2021-45046/43744", "specs": [ "<0.5.1" ], "v": "<0.5.1" }, { - "advisory": "Torchserve 0.5.1 updates its dependency 'log4j2' to v2.16.0 to fix critical vulnerabilities.", - "cve": "CVE-2021-45046", - "id": "pyup.io-43744", - "more_info_path": "/vulnerabilities/CVE-2021-45046/43744", + "advisory": "Torchserve 0.5.1 updates its dependency 'log4j' to v2.16.0 to include a fix for a critical vulnerability.", + "cve": "CVE-2021-44228", + "id": "pyup.io-43736", + "more_info_path": "/vulnerabilities/CVE-2021-44228/43736", "specs": [ "<0.5.1" ], @@ -182364,9 +183899,9 @@ }, { "advisory": "Torchserve 0.5.3 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22815", - "id": "pyup.io-48563", - "more_info_path": "/vulnerabilities/CVE-2022-22815/48563", + "cve": "CVE-2022-22816", + "id": "pyup.io-48564", + "more_info_path": "/vulnerabilities/CVE-2022-22816/48564", "specs": [ "<0.5.3" ], @@ -182384,9 +183919,9 @@ }, { "advisory": "Torchserve 0.5.3 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "PVE-2021-44525", - "id": "pyup.io-48565", - "more_info_path": "/vulnerabilities/PVE-2021-44525/48565", + "cve": "CVE-2022-22815", + "id": "pyup.io-48563", + "more_info_path": "/vulnerabilities/CVE-2022-22815/48563", "specs": [ "<0.5.3" ], 
@@ -182394,9 +183929,9 @@ }, { "advisory": "Torchserve 0.5.3 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "PVE-2022-44524", - "id": "pyup.io-48566", - "more_info_path": "/vulnerabilities/PVE-2022-44524/48566", + "cve": "PVE-2021-44525", + "id": "pyup.io-48565", + "more_info_path": "/vulnerabilities/PVE-2021-44525/48565", "specs": [ "<0.5.3" ], @@ -182404,9 +183939,9 @@ }, { "advisory": "Torchserve 0.5.3 updates its dependency 'pillow' to v9.0.0 to include security fixes.", - "cve": "CVE-2022-22816", - "id": "pyup.io-48564", - "more_info_path": "/vulnerabilities/CVE-2022-22816/48564", + "cve": "PVE-2022-44524", + "id": "pyup.io-48566", + "more_info_path": "/vulnerabilities/PVE-2022-44524/48566", "specs": [ "<0.5.3" ], @@ -182574,6 +184109,16 @@ "<4.11.2" ], "v": "<4.11.2" + }, + { + "advisory": "Tqdm version 4.66.3 addresses CVE-2024-34062, a vulnerability where optional non-boolean CLI arguments like `--delim`, `--buf-size`, and `--manpath` were passed through Python's `eval`, allowing for arbitrary code execution. This security risk, only locally exploitable, has been mitigated in this release. Users are advised to upgrade to version 4.66.3 immediately as there are no workarounds for this issue.", + "cve": "CVE-2024-34062", + "id": "pyup.io-70790", + "more_info_path": "/vulnerabilities/CVE-2024-34062/70790", + "specs": [ + "<4.66.3" + ], + "v": "<4.66.3" } ], "trac": [ 
@@ -182783,6 +184328,46 @@ } ], "transformers": [ + { + "advisory": "Transformers version 2.0 updates its aiohttp dependency from 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49081.", + "cve": "CVE-2023-49081", + "id": "pyup.io-71286", + "more_info_path": "/vulnerabilities/CVE-2023-49081/71286", + "specs": [ + "<2.0" + ], + "v": "<2.0" + }, + { + "advisory": "Transformers version 2.0 updates its aiohttp dependency from 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49082.", + "cve": "CVE-2023-49082", + "id": "pyup.io-71287", + "more_info_path": "/vulnerabilities/CVE-2023-49082/71287", + "specs": [ + "<2.0" + ], + "v": "<2.0" + }, + { + "advisory": "Transformers version 2.0 updates its tensorflow dependency from 2.8.1 to 2.11.1 to address the security vulnerability identified as CVE-2023-25668.", + "cve": "CVE-2023-25668", + "id": "pyup.io-71289", + "more_info_path": "/vulnerabilities/CVE-2023-25668/71289", + "specs": [ + "<2.0" + ], + "v": "<2.0" + }, + { + "advisory": "Transformers version 2.0 updates its black dependency from 22.1.0 to 24.3.0 to address the security vulnerability identified as CVE-2024-21503.", + "cve": "CVE-2024-21503", + "id": "pyup.io-71288", + "more_info_path": "/vulnerabilities/CVE-2024-21503/71288", + "specs": [ + "<2.0" + ], + "v": "<2.0" + }, { "advisory": "Transformers 4.23.0 includes a fix for a link vulnerable to repojacking.\r\nhttps://github.com/huggingface/transformers/commit/ce2620194b4a8f070cd29504d34a79758affdf95", "cve": "PVE-2022-51450", 
@@ -182823,6 +184408,36 @@ ], "v": "<4.37.0" }, + { + "advisory": "Transformers version 4.41.0 updates its `aiohttp` dependency from version 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49081.", + "cve": "CVE-2023-49081", + "id": "pyup.io-71037", + "more_info_path": "/vulnerabilities/CVE-2023-49081/71037", + "specs": [ + "<4.41.0" + ], + "v": "<4.41.0" + }, + { + "advisory": "Transformers version 4.41.0 updates its `aiohttp` dependency from version 3.8.5 to 3.9.0 to address the security vulnerability identified as CVE-2023-49082.", + "cve": "CVE-2023-49082", + "id": "pyup.io-71048", + "more_info_path": "/vulnerabilities/CVE-2023-49082/71048", + "specs": [ + "<4.41.0" + ], + "v": "<4.41.0" + }, + { + "advisory": "Transformers version 4.41.0 updates its `black` dependency from version 22.1.0 to 24.3.0 to address the security vulnerability identified as CVE-2024-21503.", + "cve": "CVE-2024-21503", + "id": "pyup.io-71049", + "more_info_path": "/vulnerabilities/CVE-2024-21503/71049", + "specs": [ + "<4.41.0" + ], + "v": "<4.41.0" + }, { "advisory": "Transformers 4.5.0 includes various vulnerability fixes.", "cve": "PVE-2021-40187", @@ -182835,9 +184450,9 @@ }, { "advisory": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", - "cve": "CVE-2023-6730", - "id": "pyup.io-65215", - "more_info_path": "/vulnerabilities/CVE-2023-6730/65215", + "cve": "CVE-2023-7018", + "id": "pyup.io-65398", + "more_info_path": "/vulnerabilities/CVE-2023-7018/65398", "specs": [ ">=0,<4.36.0" ], @@ -182845,9 +184460,9 @@ }, { "advisory": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", - "cve": "CVE-2023-7018", - "id": "pyup.io-65398", - "more_info_path": "/vulnerabilities/CVE-2023-7018/65398", + "cve": "CVE-2023-6730", + "id": "pyup.io-65215", + "more_info_path": "/vulnerabilities/CVE-2023-6730/65215", "specs": [ ">=0,<4.36.0" ], 
@@ -183094,16 +184709,6 @@ "<=6.0.0" ], "v": "<=6.0.0" - }, - { - "advisory": "Tripleo-ansible is affected by CVE-2023-6725: An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.", - "cve": "CVE-2023-6725", - "id": "pyup.io-66950", - "more_info_path": "/vulnerabilities/CVE-2023-6725/66950", - "specs": [ - "<=6.0.0" - ], - "v": "<=6.0.0" } ], "tripleo-heat-templates": [ @@ -183283,10 +184888,10 @@ "v": "<2.4.0" }, { - "advisory": "file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.", - "cve": "CVE-2016-1242", - "id": "pyup.io-54111", - "more_info_path": "/vulnerabilities/CVE-2016-1242/54111", + "advisory": "Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.", + "cve": "CVE-2016-1241", + "id": "pyup.io-54110", + "more_info_path": "/vulnerabilities/CVE-2016-1241/54110", "specs": [ ">=0,<3.2.17", ">=3.4,<3.4.14", 
@@ -183297,10 +184902,10 @@ "v": ">=0,<3.2.17,>=3.4,<3.4.14,>=3.6,<3.6.12,>=3.8,<3.8.8,>=4.0,<4.0.4" }, { - "advisory": "Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.", - "cve": "CVE-2016-1241", - "id": "pyup.io-54110", - "more_info_path": "/vulnerabilities/CVE-2016-1241/54110", + "advisory": "file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.", + "cve": "CVE-2016-1242", + "id": "pyup.io-54111", + "more_info_path": "/vulnerabilities/CVE-2016-1242/54111", "specs": [ ">=0,<3.2.17", ">=3.4,<3.4.14", @@ -183631,9 +185236,9 @@ "tulflow": [ { "advisory": "Tulflow 0.9.1 updates its dependency 'apache-airflow' to v2.4.3 to include security fixes.", - "cve": "CVE-2022-43982", - "id": "pyup.io-58737", - "more_info_path": "/vulnerabilities/CVE-2022-43982/58737", + "cve": "CVE-2022-43985", + "id": "pyup.io-58740", + "more_info_path": "/vulnerabilities/CVE-2022-43985/58740", "specs": [ "<0.9.1" ], @@ -183641,9 +185246,9 @@ }, { "advisory": "Tulflow 0.9.1 updates its dependency 'apache-airflow' to v2.4.3 to include security fixes.", - "cve": "CVE-2022-45402", - "id": "pyup.io-58741", - "more_info_path": "/vulnerabilities/CVE-2022-45402/58741", + "cve": "CVE-2022-43982", + "id": "pyup.io-58737", + "more_info_path": "/vulnerabilities/CVE-2022-43982/58737", "specs": [ "<0.9.1" ], 
@@ -183651,9 +185256,9 @@
 },
 {
 "advisory": "Tulflow 0.9.1 updates its dependency 'apache-airflow' to v2.4.3 to include security fixes.",
- "cve": "CVE-2022-43985",
- "id": "pyup.io-58740",
- "more_info_path": "/vulnerabilities/CVE-2022-43985/58740",
+ "cve": "CVE-2022-45402",
+ "id": "pyup.io-58741",
+ "more_info_path": "/vulnerabilities/CVE-2022-45402/58741",
 "specs": [
 "<0.9.1"
 ],
@@ -184005,9 +185610,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-12308",
- "id": "pyup.io-40921",
- "more_info_path": "/vulnerabilities/CVE-2019-12308/40921",
+ "cve": "CVE-2019-14232",
+ "id": "pyup.io-49774",
+ "more_info_path": "/vulnerabilities/CVE-2019-14232/49774",
 "specs": [
 "<3.9.0"
 ],
@@ -184015,9 +185620,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-19118",
- "id": "pyup.io-49778",
- "more_info_path": "/vulnerabilities/CVE-2019-19118/49778",
+ "cve": "CVE-2019-19844",
+ "id": "pyup.io-49779",
+ "more_info_path": "/vulnerabilities/CVE-2019-19844/49779",
 "specs": [
 "<3.9.0"
 ],
@@ -184025,9 +185630,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-19844",
- "id": "pyup.io-49779",
- "more_info_path": "/vulnerabilities/CVE-2019-19844/49779",
+ "cve": "CVE-2019-19118",
+ "id": "pyup.io-49778",
+ "more_info_path": "/vulnerabilities/CVE-2019-19118/49778",
 "specs": [
 "<3.9.0"
 ],
@@ -184035,9 +185640,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-14234",
- "id": "pyup.io-49776",
- "more_info_path": "/vulnerabilities/CVE-2019-14234/49776",
+ "cve": "CVE-2019-12308",
+ "id": "pyup.io-40921",
+ "more_info_path": "/vulnerabilities/CVE-2019-12308/40921",
 "specs": [
 "<3.9.0"
 ],
@@ -184045,9 +185650,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-14233",
- "id": "pyup.io-49775",
- "more_info_path": "/vulnerabilities/CVE-2019-14233/49775",
+ "cve": "CVE-2019-14235",
+ "id": "pyup.io-49777",
+ "more_info_path": "/vulnerabilities/CVE-2019-14235/49777",
 "specs": [
 "<3.9.0"
 ],
@@ -184065,9 +185670,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-14235",
- "id": "pyup.io-49777",
- "more_info_path": "/vulnerabilities/CVE-2019-14235/49777",
+ "cve": "CVE-2019-14233",
+ "id": "pyup.io-49775",
+ "more_info_path": "/vulnerabilities/CVE-2019-14233/49775",
 "specs": [
 "<3.9.0"
 ],
@@ -184075,9 +185680,9 @@
 },
 {
 "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).",
- "cve": "CVE-2019-14232",
- "id": "pyup.io-49774",
- "more_info_path": "/vulnerabilities/CVE-2019-14232/49774",
+ "cve": "CVE-2019-14234",
+ "id": "pyup.io-49776",
+ "more_info_path": "/vulnerabilities/CVE-2019-14234/49776",
 "specs": [
 "<3.9.0"
 ],
@@ -184156,6 +185761,16 @@
 "<9.0.5"
 ],
 "v": "<9.0.5"
+ },
+ {
+ "advisory": "Twilio version 9.1.0 includes a security upgrade for the aiohttp dependency, updating it from version 3.8.6 to 3.9.4. This update addresses the vulnerability identified as CVE-2024-27306.",
+ "cve": "CVE-2024-27306",
+ "id": "pyup.io-71167",
+ "more_info_path": "/vulnerabilities/CVE-2024-27306/71167",
+ "specs": [
+ "<9.1.0"
+ ],
+ "v": "<9.1.0"
 }
 ],
 "twine": [
@@ -184532,6 +186147,18 @@
 "v": ">0"
 }
 ],
+ "typst": [
+ {
+ "advisory": "Typst version 0.11.1 addresses a security vulnerability that allowed image files from known paths outside of the project directory to be embedded into the PDF. This update ensures that only files within the project directory can be embedded, preventing unauthorized access to and inclusion of external files.",
+ "cve": "PVE-2024-71076",
+ "id": "pyup.io-71076",
+ "more_info_path": "/vulnerabilities/PVE-2024-71076/71076",
+ "specs": [
+ "<0.11.1"
+ ],
+ "v": "<0.11.1"
+ }
+ ],
 "ua-parser": [
 {
 "advisory": "Certain versions of ua_parser, a Python library for parsing browser user agents, are susceptible to arbitrary code execution attacks due to the use of the insecure YAML.load() function.",
@@ -184902,6 +186529,114 @@
 "v": ">=0,<2.0.0rc1"
 }
 ],
+ "unicorn-binance-local-depth-cache": [
+ {
+ "advisory": "Unicorn-binance-local-depth-cache version 2.0.0 updates its `cryptography` dependency due to CVE-2023-38325, which has a high severity score of 7.5. This vulnerability affects versions prior to 41.0.2 of the cryptography package for Python and involves mishandling SSH certificates with critical options.",
+ "cve": "CVE-2023-38325",
+ "id": "pyup.io-71038",
+ "more_info_path": "/vulnerabilities/CVE-2023-38325/71038",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ },
+ {
+ "advisory": "Unicorn-binance-local-depth-cache version 2.0.0 updates its `certifi` dependency due to CVE-2023-37920, which has a high severity score of 9.8. This vulnerability involved certifi versions 1.0.1 through 2023.5.7 recognizing \"e-Tugra\" root certificates, which were found to have security issues. Certifi version 2023.07.22 removes these root certificates from the root store to address the vulnerability.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-71050",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/71050",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ }
+ ],
+ "unicorn-binance-rest-api": [
+ {
+ "advisory": "Unicorn-binance-rest-api version 2.4.0 has increased the minimum required version of `certifi` to `2023.7.22` due to vulnerabilities found in earlier versions, notably CVE-2023-37920.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-70973",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/70973",
+ "specs": [
+ "<2.4.0"
+ ],
+ "v": "<2.4.0"
+ },
+ {
+ "advisory": "Unicorn-binance-rest-api version 2.4.0 has updated the minimum required version of `requests` to `2.31.0` due to vulnerabilities discovered in prior versions, including CVE-2023-32681.",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-70979",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/70979",
+ "specs": [
+ "<2.4.0"
+ ],
+ "v": "<2.4.0"
+ },
+ {
+ "advisory": "Unicorn-binance-rest-api version 
2.4.0 has raised the minimum required version of `cryptography` to `42.0.4` due to identified vulnerabilities in previous versions, including CVE-2023-38325.",
+ "cve": "CVE-2023-38325",
+ "id": "pyup.io-70978",
+ "more_info_path": "/vulnerabilities/CVE-2023-38325/70978",
+ "specs": [
+ "<2.4.0"
+ ],
+ "v": "<2.4.0"
+ }
+ ],
+ "unicorn-binance-websocket-api": [
+ {
+ "advisory": "Unicorn-binance-websocket-api 2.7.1 updates its dependency 'cryptography' to include a security fix.",
+ "cve": "CVE-2023-49083",
+ "id": "pyup.io-71002",
+ "more_info_path": "/vulnerabilities/CVE-2023-49083/71002",
+ "specs": [
+ "<2.7.1"
+ ],
+ "v": "<2.7.1"
+ },
+ {
+ "advisory": "Unicorn-binance-websocket-api 2.7.1 updates its dependency 'requests' to include a security fix.",
+ "cve": "CVE-2023-32681",
+ "id": "pyup.io-70996",
+ "more_info_path": "/vulnerabilities/CVE-2023-32681/70996",
+ "specs": [
+ "<2.7.1"
+ ],
+ "v": "<2.7.1"
+ },
+ {
+ "advisory": "Unicorn-binance-websocket-api 2.7.1 updates its dependency 'cryptography' to include a security fix.",
+ "cve": "CVE-2023-38325",
+ "id": "pyup.io-71001",
+ "more_info_path": "/vulnerabilities/CVE-2023-38325/71001",
+ "specs": [
+ "<2.7.1"
+ ],
+ "v": "<2.7.1"
+ },
+ {
+ "advisory": "Unicorn-binance-websocket-api 2.7.1 updates its dependency 'certifi' to include a security fix.",
+ "cve": "CVE-2023-37920",
+ "id": "pyup.io-71000",
+ "more_info_path": "/vulnerabilities/CVE-2023-37920/71000",
+ "specs": [
+ "<2.7.1"
+ ],
+ "v": "<2.7.1"
+ }
+ ],
+ "unipacker": [
+ {
+ "advisory": "A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. 
The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.",
+ "cve": "CVE-2021-43313",
+ "id": "pyup.io-70905",
+ "more_info_path": "/vulnerabilities/CVE-2021-43313/70905",
+ "specs": [
+ "<4.0.0"
+ ],
+ "v": "<4.0.0"
+ }
+ ],
 "uniplot": [
 {
 "advisory": "Uniplot version 0.8.1 updates its numpy dependency to version 1.22.0 or later, responding to CVE-2021-34141.\r\nhttps://github.com/olavolav/uniplot/commit/bd978d09a9b637e8a8bbd90d0cbb2a951b66e5b1",
@@ -184936,6 +186671,18 @@
 "v": "<0.1.6"
 }
 ],
+ "unkey.py": [
+ {
+ "advisory": "Unkey.py version 0.7.2 resolves a race condition within its protected decorator, which occurred when a single client session was initiated and terminated amidst multiple simultaneous requests.",
+ "cve": "PVE-2024-70858",
+ "id": "pyup.io-70858",
+ "more_info_path": "/vulnerabilities/PVE-2024-70858/70858",
+ "specs": [
+ "<0.7.2"
+ ],
+ "v": "<0.7.2"
+ }
+ ],
 "unleashclient": [
 {
 "advisory": "Unleashclient 1.0.2 updates its dependency 'requests' to address a security issue.",
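Review bot: The new unipacker record's advisory text describes only the upstream upx bug (CVE-2021-43313 in `PackLinuxElf32::invert_pt_dynamic`) and never says how unipacker is affected or what its 4.0.0 release changed, so a consumer matching `"<4.0.0"` cannot tell whether the package vendored a vulnerable UPX build or merely invokes whatever upx is installed. The other new records in this hunk do state the relationship (`Unicorn-binance-rest-api version 2.4.0 has raised the minimum required version of ...`), and this one should follow that pattern. I'd prefix the advisory with a sentence such as `Unipacker version 4.0.0 addresses CVE-2021-43313 in its <UPX relationship, to be confirmed from the release notes> component: ...` and keep the upx description as the second sentence.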
@@ -185293,20 +187040,20 @@
 ],
 "uvicorn": [
 {
- "advisory": "The request logger provided by Uvicorn prior to version 0.11.7 is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). See: CVE-2020-7694.",
- "cve": "CVE-2020-7694",
- "id": "pyup.io-38664",
- "more_info_path": "/vulnerabilities/CVE-2020-7694/38664",
+ "advisory": "Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.",
+ "cve": "CVE-2020-7695",
+ "id": "pyup.io-38665",
+ "more_info_path": "/vulnerabilities/CVE-2020-7695/38665",
 "specs": [
 "<0.11.7"
 ],
 "v": "<0.11.7"
 },
 {
- "advisory": "Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. 
Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.",
- "cve": "CVE-2020-7695",
- "id": "pyup.io-38665",
- "more_info_path": "/vulnerabilities/CVE-2020-7695/38665",
+ "advisory": "The request logger provided by Uvicorn prior to version 0.11.7 is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). See: CVE-2020-7694.",
+ "cve": "CVE-2020-7694",
+ "id": "pyup.io-38664",
+ "more_info_path": "/vulnerabilities/CVE-2020-7694/38664",
 "specs": [
 "<0.11.7"
 ],
@@ -185413,20 +187160,20 @@
 ],
 "vantage6": [
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.",
- "cve": "CVE-2023-28635",
- "id": "pyup.io-62909",
- "more_info_path": "/vulnerabilities/CVE-2023-28635/62909",
+ "advisory": "Vantage6 4.0.0 includes a fix for CVE-2023-23930: Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Users may specify JSON serialization as a workaround.\r\nhttps://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
+ "cve": "CVE-2023-23930",
+ "id": "pyup.io-61778",
+ "more_info_path": "/vulnerabilities/CVE-2023-23930/61778",
 "specs": [
 "<4.0.0"
 ],
 "v": "<4.0.0"
 },
 {
- "advisory": "Vantage6 4.0.0 includes a fix for CVE-2023-23930: Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. 
Users may specify JSON serialization as a workaround.\r\nhttps://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
- "cve": "CVE-2023-23930",
- "id": "pyup.io-61778",
- "more_info_path": "/vulnerabilities/CVE-2023-23930/61778",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.",
+ "cve": "CVE-2023-28635",
+ "id": "pyup.io-62909",
+ "more_info_path": "/vulnerabilities/CVE-2023-28635/62909",
 "specs": [
 "<4.0.0"
 ],
@@ -185483,20 +187230,20 @@
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.",
- "cve": "CVE-2024-22193",
- "id": "pyup.io-66723",
- "more_info_path": "/vulnerabilities/CVE-2024-22193/66723",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
+ "cve": "CVE-2024-21649",
+ "id": "pyup.io-66729",
+ "more_info_path": "/vulnerabilities/CVE-2024-21649/66729",
 "specs": [
 "<4.2.0"
 ],
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
- "cve": "CVE-2024-21649",
- "id": "pyup.io-66729",
- "more_info_path": "/vulnerabilities/CVE-2024-21649/66729",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. 
Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.",
+ "cve": "CVE-2024-22193",
+ "id": "pyup.io-66723",
+ "more_info_path": "/vulnerabilities/CVE-2024-22193/66723",
 "specs": [
 "<4.2.0"
 ],
@@ -185535,10 +187282,10 @@
 ],
 "vantage6-client": [
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
- "cve": "CVE-2023-41882",
- "id": "pyup.io-65240",
- "more_info_path": "/vulnerabilities/CVE-2023-41882/65240",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
+ "cve": "CVE-2023-41881",
+ "id": "pyup.io-65245",
+ "more_info_path": "/vulnerabilities/CVE-2023-41881/65245",
 "specs": [
 "<4.0.0"
 ],
@@ -185555,10 +187302,10 @@
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
- "cve": "CVE-2023-41881",
- "id": "pyup.io-65245",
- "more_info_path": "/vulnerabilities/CVE-2023-41881/65245",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
+ "cve": "CVE-2023-41882",
+ "id": "pyup.io-65240",
+ "more_info_path": "/vulnerabilities/CVE-2023-41882/65240",
 "specs": [
 "<4.0.0"
 ],
@@ -185577,20 +187324,20 @@
 ],
 "vantage6-common": [
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
- "cve": "CVE-2023-41882",
- "id": "pyup.io-65241",
- "more_info_path": "/vulnerabilities/CVE-2023-41882/65241",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
+ "cve": "CVE-2023-41881",
+ "id": "pyup.io-65246",
+ "more_info_path": "/vulnerabilities/CVE-2023-41881/65246",
 "specs": [
 "<4.0.0"
 ],
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. 
Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
- "cve": "CVE-2023-41881",
- "id": "pyup.io-65246",
- "more_info_path": "/vulnerabilities/CVE-2023-41881/65246",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
+ "cve": "CVE-2023-41882",
+ "id": "pyup.io-65241",
+ "more_info_path": "/vulnerabilities/CVE-2023-41882/65241",
 "specs": [
 "<4.0.0"
 ],
@@ -185609,20 +187356,20 @@
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
- "cve": "CVE-2023-41882",
- "id": "pyup.io-65242",
- "more_info_path": "/vulnerabilities/CVE-2023-41882/65242",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
+ "cve": "CVE-2023-41881",
+ "id": "pyup.io-65247",
+ "more_info_path": "/vulnerabilities/CVE-2023-41881/65247",
 "specs": [
 "<4.0.0"
 ],
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. 
Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
- "cve": "CVE-2023-41881",
- "id": "pyup.io-65247",
- "more_info_path": "/vulnerabilities/CVE-2023-41881/65247",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.",
+ "cve": "CVE-2023-41882",
+ "id": "pyup.io-65242",
+ "more_info_path": "/vulnerabilities/CVE-2023-41882/65242",
 "specs": [
 "<4.0.0"
 ],
@@ -185651,20 +187398,20 @@
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.",
- "cve": "CVE-2023-28635",
- "id": "pyup.io-62912",
- "more_info_path": "/vulnerabilities/CVE-2023-28635/62912",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
+ "cve": "CVE-2023-41881",
+ "id": "pyup.io-65248",
+ "more_info_path": "/vulnerabilities/CVE-2023-41881/65248",
 "specs": [
 "<4.0.0"
 ],
 "v": "<4.0.0"
 },
 {
- "advisory": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. 
This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.",
- "cve": "CVE-2023-41881",
- "id": "pyup.io-65248",
- "more_info_path": "/vulnerabilities/CVE-2023-41881/65248",
+ "advisory": "vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.",
+ "cve": "CVE-2023-28635",
+ "id": "pyup.io-62912",
+ "more_info_path": "/vulnerabilities/CVE-2023-28635/62912",
 "specs": [
 "<4.0.0"
 ],
@@ -185681,40 +187428,40 @@
 "v": "<4.1.2"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.",
- "cve": "CVE-2024-21671",
- "id": "pyup.io-66726",
- "more_info_path": "/vulnerabilities/CVE-2024-21671/66726",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
+ "cve": "CVE-2024-21649",
+ "id": "pyup.io-66730",
+ "more_info_path": "/vulnerabilities/CVE-2024-21649/66730",
 "specs": [
 "<4.2.0"
 ],
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.",
- "cve": "CVE-2024-21653",
- "id": "pyup.io-66728",
- "more_info_path": "/vulnerabilities/CVE-2024-21653/66728",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. 
Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.",
+ "cve": "CVE-2024-22193",
+ "id": "pyup.io-66724",
+ "more_info_path": "/vulnerabilities/CVE-2024-22193/66724",
 "specs": [
 "<4.2.0"
 ],
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.",
- "cve": "CVE-2024-21649",
- "id": "pyup.io-66730",
- "more_info_path": "/vulnerabilities/CVE-2024-21649/66730",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.",
+ "cve": "CVE-2024-21671",
+ "id": "pyup.io-66726",
+ "more_info_path": "/vulnerabilities/CVE-2024-21671/66726",
 "specs": [
 "<4.2.0"
 ],
 "v": "<4.2.0"
 },
 {
- "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. 
This vulnerability is patched in 4.2.0.",
- "cve": "CVE-2024-22193",
- "id": "pyup.io-66724",
- "more_info_path": "/vulnerabilities/CVE-2024-22193/66724",
+ "advisory": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.",
+ "cve": "CVE-2024-21653",
+ "id": "pyup.io-66728",
+ "more_info_path": "/vulnerabilities/CVE-2024-21653/66728",
 "specs": [
 "<4.2.0"
 ],
@@ -186139,9 +187886,9 @@
 },
 {
 "advisory": "Virustotal-python 0.0.9 updates its dependency 'bleach' to v3.1.4 to include security fixes.",
- "cve": "CVE-2020-6817",
- "id": "pyup.io-38227",
- "more_info_path": "/vulnerabilities/CVE-2020-6817/38227",
+ "cve": "CVE-2020-6816",
+ "id": "pyup.io-45021",
+ "more_info_path": "/vulnerabilities/CVE-2020-6816/45021",
 "specs": [
 "<0.0.9"
 ],
@@ -186149,9 +187896,9 @@
 },
 {
 "advisory": "Virustotal-python 0.0.9 updates its dependency 'bleach' to v3.1.4 to include security fixes.",
- "cve": "CVE-2020-6816",
- "id": "pyup.io-45021",
- "more_info_path": "/vulnerabilities/CVE-2020-6816/45021",
+ "cve": "CVE-2020-6817",
+ "id": "pyup.io-38227",
+ "more_info_path": "/vulnerabilities/CVE-2020-6817/38227",
 "specs": [
 "<0.0.9"
 ],
@@ -186550,6 +188297,18 @@ "v": "<0.18.0" } ], + "vvspy": [ + { + "advisory": "Vvspy version 2.1.0 has dropped support for Python 3.6 and 3.7 to address the vulnerability CVE-2024-35195 in its `requests` dependency. This update ensures that the package remains secure by leveraging the improvements and fixes available in later versions of Python and the `requests` library.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71104", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71104", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" + } + ], "vyper": [ { "advisory": "Vyper 0.2.12 includes a security fix: Memory corruption using function calls within arrays.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-22wc-c9wj-6q2v", 
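Review bot: The new vvspy entry's rationale does not establish a fix for CVE-2024-35195: dropping Python 3.6/3.7 support is not itself a remediation of a `requests` vulnerability, and the entry never states which `requests` version 2.1.0 actually requires. Presumably the Python drop was a prerequisite for moving to the fixed `requests` release, but a reader of this database needs the dependency constraint to judge whether their own environment resolves a fixed version. The webchecks entry added in this same update states its constraint explicitly (2.31.0 to 2.32.0); this one should do the same, e.g. `"advisory": "Vvspy 2.1.0 drops Python 3.6/3.7 support and requires a requests release that includes the fix for CVE-2024-35195 (requests >= 2.32.0). ..."`, provided that is what 2.1.0 pins.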
@@ -186571,6 +188330,26 @@ ], "v": "<0.2.6" }, + { + "advisory": "Vyper version 0.3.0 includes a fix for CVE-2021-41121: In affected versions, when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv\r\nhttps://github.com/vyperlang/vyper/pull/2447", + "cve": "CVE-2021-41121", + "id": "pyup.io-42056", + "more_info_path": "/vulnerabilities/CVE-2021-41121/42056", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, + { + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue. See CVE-2024-32648.", + "cve": "CVE-2024-32648", + "id": "pyup.io-70711", + "more_info_path": "/vulnerabilities/CVE-2024-32648/70711", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, { "advisory": "Vyper version 0.3.0 includes a fix for CVE-2021-41122: In affected versions, external functions don't properly validate the bounds of decimal arguments. That can lead to logic errors.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-c7pr-343r-5c46\r\nhttps://github.com/vyperlang/vyper/pull/2447", "cve": "CVE-2021-41122", 
@@ -186582,14 +188361,14 @@ "v": "<0.3.0" }, { - "advisory": "Vyper version 0.3.0 includes a fix for CVE-2021-41121: In affected versions, when performing a function call inside a literal struct, there is a memory corruption issue that occurs because of an incorrect pointer to the the top of the stack.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-xv8x-pr4h-73jv\r\nhttps://github.com/vyperlang/vyper/pull/2447", - "cve": "CVE-2021-41121", - "id": "pyup.io-42056", - "more_info_path": "/vulnerabilities/CVE-2021-41121/42056", + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available. See CVE-2024-32645.", + "cve": "CVE-2024-32645", + "id": "pyup.io-70708", + "more_info_path": "/vulnerabilities/CVE-2024-32645/70708", "specs": [ - "<0.3.0" + "<0.3.10" ], - "v": "<0.3.0" + "v": "<0.3.10" }, { "advisory": "Vyper is affected by CVE-2023-42443: In version 0.3.9 and prior, under certain conditions, the memory used by the builtins 'raw_call', 'create_from_blueprint' and 'create_copy_of' can be corrupted.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-c647-pxm2-c52w", 
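Review bot: The new CVE-2024-32645 entry's `specs` contradicts its own advisory text: the text says the `raw_log` topic bug affects "versions 0.3.10 and prior" and that no fixed version is available, yet `"<0.3.10"` excludes 0.3.10 itself, so a project on the latest affected release gets no finding. The rest of this section encodes exactly that wording as `"<=0.3.10"` (see the CVE-2024-24561 and CVE-2024-24564 entries further down), so both `specs` and `v` here should read `"<=0.3.10"`. A `<0.3.10` bound signals a fix in 0.3.10 that the advisory explicitly says does not exist.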
@@ -186602,34 +188381,34 @@ "v": "<0.3.10" }, { - "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitations in contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions. See CVE-2024-26149.", - "cve": "CVE-2024-26149", - "id": "pyup.io-65700", - "more_info_path": "/vulnerabilities/CVE-2024-26149/65700", + "advisory": "Vyper 0.3.10 includes a fix for CVE-2023-41052: In affected versions the order of evaluation of the arguments of the builtin functions 'uint256_addmod', 'uint256_mulmod', 'ecadd' and 'ecmul' does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", + "cve": "CVE-2023-41052", + "id": "pyup.io-60966", + "more_info_path": "/vulnerabilities/CVE-2023-41052/60966", "specs": [ "<0.3.10" ], "v": "<0.3.10" }, { - "advisory": "Vyper 0.3.10 includes a fix for CVE-2023-41052: In affected versions the order of evaluation of the arguments of the builtin functions 'uint256_addmod', 'uint256_mulmod', 'ecadd' and 'ecmul' does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. A patch is currently being developed on pull request #3583. 
When using builtins from the list above, users should make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq", - "cve": "CVE-2023-41052", - "id": "pyup.io-60966", - "more_info_path": "/vulnerabilities/CVE-2023-41052/60966", + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. See CVE-2024-32649.", + "cve": "CVE-2024-32649", + "id": "pyup.io-70712", + "more_info_path": "/vulnerabilities/CVE-2024-32649/70712", "specs": [ "<0.3.10" ], "v": "<0.3.10" }, { - "advisory": "Vyper 0.3.2 includes a fix for CVE-2022-24845: In affected versions, the return of '.returns_int128()' is not validated to fall within the bounds of 'int128'. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, '.returns_int128()' is validated in simple expressions, but not complex expressions.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h", - "cve": "CVE-2022-24845", - "id": "pyup.io-48133", - "more_info_path": "/vulnerabilities/CVE-2022-24845/48133", + "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. 
If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitations in contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions. See CVE-2024-26149.", + "cve": "CVE-2024-26149", + "id": "pyup.io-65700", + "more_info_path": "/vulnerabilities/CVE-2024-26149/65700", "specs": [ - "<0.3.2" + "<0.3.10" ], - "v": "<0.3.2" + "v": "<0.3.10" }, { "advisory": "Vyper 0.3.2 includes a fix for CVE-2022-24788: Versions of Vyper prior to 0.3.2 suffer from a potential buffer overrun. Importing a function from a JSON interface which returns 'bytes' generates bytecode which does not clamp bytes length, potentially resulting in a buffer overrun.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-4mrx-6fxm-8jpg", 
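Review bot: Two of the entries rewritten in this hunk carry the same upper-bound mismatch: CVE-2024-32649 (`sqrt` double evaluation) says "0.3.10 and prior" with no fixed versions available, and CVE-2024-26149 (`_abi_decode` start-index overflow) says it "affects 0.3.10 and earlier", yet both use `"<0.3.10"` in `specs` and `v`, which leaves 0.3.10 unflagged. Both should be `"<=0.3.10"`, matching how this file encodes the other unpatched 0.3.10 vyper advisories. The `<0.3.10` bound is only right for entries like CVE-2023-41052 in the same hunk, whose text states that 0.3.10 contains the fix.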
@@ -186641,6 +188420,16 @@ ], "v": "<0.3.2" }, + { + "advisory": "Vyper 0.3.2 includes a fix for CVE-2022-24845: In affected versions, the return of '.returns_int128()' is not validated to fall within the bounds of 'int128'. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, '.returns_int128()' is validated in simple expressions, but not complex expressions.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-j2x6-9323-fp7h", + "cve": "CVE-2022-24845", + "id": "pyup.io-48133", + "more_info_path": "/vulnerabilities/CVE-2022-24845/48133", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + }, { "advisory": "Vyper 0.3.2 includes a fix for CVE-2022-24787: In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with \"\\x00\" because there is no comparison of the length. \r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-7vrm-3jc8-5wwm", "cve": "CVE-2022-24787", 
@@ -186672,40 +188461,40 @@ "v": "<0.3.8" }, { - "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-32675: In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked 'nonpayable'. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global 'calldatasize' check in commit '02339dfda'. Users unable to upgrade should avoid use of nonpayable default functions.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762", - "cve": "CVE-2023-32675", - "id": "pyup.io-58743", - "more_info_path": "/vulnerabilities/CVE-2023-32675/58743", + "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-30837: The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", + "cve": "CVE-2023-30837", + "id": "pyup.io-58241", + "more_info_path": "/vulnerabilities/CVE-2023-30837/58241", "specs": [ "<0.3.8" ], "v": "<0.3.8" }, { - "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-30837: The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-mgv8-gggw-mrg6", - "cve": "CVE-2023-30837", - "id": "pyup.io-58241", - "more_info_path": "/vulnerabilities/CVE-2023-30837/58241", + "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-31146: Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. 
The expected behavior is to revert due to out-of-bounds array access.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv", + "cve": "CVE-2023-31146", + "id": "pyup.io-58658", + "more_info_path": "/vulnerabilities/CVE-2023-31146/58658", "specs": [ "<0.3.8" ], "v": "<0.3.8" }, { - "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-32059: Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g", - "cve": "CVE-2023-32059", - "id": "pyup.io-58660", - "more_info_path": "/vulnerabilities/CVE-2023-32059/58660", + "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-32675: In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked 'nonpayable'. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global 'calldatasize' check in commit '02339dfda'. Users unable to upgrade should avoid use of nonpayable default functions.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762", + "cve": "CVE-2023-32675", + "id": "pyup.io-58743", + "more_info_path": "/vulnerabilities/CVE-2023-32675/58743", "specs": [ "<0.3.8" ], "v": "<0.3.8" }, { - "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-31146: Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment. The issue can cause data corruption across call frames. 
The expected behavior is to revert due to out-of-bounds array access.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv", - "cve": "CVE-2023-31146", - "id": "pyup.io-58658", - "more_info_path": "/vulnerabilities/CVE-2023-31146/58658", + "advisory": "Vyper 0.3.8 includes a fix for CVE-2023-32059: Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. The ability to pass kwargs to internal functions is an undocumented feature that is not well known about.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g", + "cve": "CVE-2023-32059", + "id": "pyup.io-58660", + "more_info_path": "/vulnerabilities/CVE-2023-32059/58660", "specs": [ "<0.3.8" ], 
@@ -186732,10 +188521,20 @@ "v": "<=0.3.10" }, { - "advisory": "Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available. See CVE-2024-24559.", - "cve": "CVE-2024-24559", - "id": "pyup.io-65288", - "more_info_path": "/vulnerabilities/CVE-2024-24559/65288", + "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array. See CVE-2024-24561.", + "cve": "CVE-2024-24561", + "id": "pyup.io-65290", + "more_info_path": "/vulnerabilities/CVE-2024-24561/65290", + "specs": [ + "<=0.3.10" + ], + "v": "<=0.3.10" + }, + { + "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and returned by `extract32`. This vulnerability affects 0.3.10 and earlier versions. 
See CVE-2024-24564.", + "cve": "CVE-2024-24564", + "id": "pyup.io-65695", + "more_info_path": "/vulnerabilities/CVE-2024-24564/65695", "specs": [ "<=0.3.10" ], 
@@ -186752,30 +188551,30 @@ "v": "<=0.3.10" }, { - "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array. See CVE-2024-24561.", - "cve": "CVE-2024-24561", - "id": "pyup.io-65290", - "more_info_path": "/vulnerabilities/CVE-2024-24561/65290", + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist. See CVE-2024-32647.", + "cve": "CVE-2024-32647", + "id": "pyup.io-70710", + "more_info_path": "/vulnerabilities/CVE-2024-32647/70710", "specs": [ "<=0.3.10" ], "v": "<=0.3.10" }, { - "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and returned by `extract32`. 
This vulnerability affects 0.3.10 and earlier versions. See CVE-2024-24564.", - "cve": "CVE-2024-24564", - "id": "pyup.io-65695", - "more_info_path": "/vulnerabilities/CVE-2024-24564/65695", + "advisory": "Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available. See CVE-2024-24559.", + "cve": "CVE-2024-24559", + "id": "pyup.io-65288", + "more_info_path": "/vulnerabilities/CVE-2024-24559/65288", "specs": [ "<=0.3.10" ], "v": "<=0.3.10" }, { - "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions. See CVE-2024-24567.", - "cve": "CVE-2024-24567", - "id": "pyup.io-65292", - "more_info_path": "/vulnerabilities/CVE-2024-24567/65292", + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. 
In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `
.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. See CVE-2024-32646.", + "cve": "CVE-2024-32646", + "id": "pyup.io-70709", + "more_info_path": "/vulnerabilities/CVE-2024-32646/70709", "specs": [ "<=0.3.10" ], 
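Review bot: The CVE-2024-32646 advisory text added here is garbled where it lists the affected buffers: "`msg.data`, `self.code` or `" is followed by a bare "`.code`" with the qualifier missing, so the third buffer reads as if it has no name. This looks like an angle-bracketed placeholder that was stripped as markup when the text was imported; it should be restored from the upstream advisory, or written without angle brackets (e.g. `the .code of an external address`) so it survives HTML rendering. The `"<=0.3.10"` bounds on the three entries in this hunk are consistent with their "0.3.10 and prior / no fixed version" wording.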
@@ -186791,6 +188590,16 @@ ], "v": "<=0.3.10" }, + { + "advisory": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions. See CVE-2024-24567.", + "cve": "CVE-2024-24567", + "id": "pyup.io-65292", + "more_info_path": "/vulnerabilities/CVE-2024-24567/65292", + "specs": [ + "<=0.3.10" + ], + "v": "<=0.3.10" + }, { "advisory": "Vyper, a Pythonic language for Ethereum Virtual Machine (EVM) smart contracts, had an issue where contracts with large arrays might underallocate the number of slots they need by one. This issue was addressed in version 0.3.8, which corrected a calculation that could produce a rounding error. The calculation, math.ceil(type_.size_in_bytes / 32), could overestimate or underestimate the number of slots needed. The bug is referenced as CVE-2023-46247.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-6m97-7527-mh74", "cve": "CVE-2023-46247", 
@@ -186801,6 +188610,16 @@ ], "v": "<=0.3.7" }, + { + "advisory": "Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused by an incorrect assertion inserted by the code generation of the range `stmt.parse_For_range()`. The issue arises when `start` is signed, instead of using `sle`, `le` is used and `start` is interpreted as an unsigned integer for the comparison. If it is a negative number, its 255th bit is set to `1` and is hence interpreted as a very large unsigned integer making the assertion always fail. Any contract having a `range(start, start + N)` where `start` is a signed integer with the possibility for `start` to be negative is affected. If a call goes through the loop while supplying a negative `start` the execution will revert. Version 0.4.0b1 fixes the issue. See CVE-2024-32481.", + "cve": "CVE-2024-32481", + "id": "pyup.io-70707", + "more_info_path": "/vulnerabilities/CVE-2024-32481/70707", + "specs": [ + "<=0.3.8" + ], + "v": "<=0.3.8" + }, { "advisory": "Vyper is affected by CVE-2023-40015: For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. 'unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated), bitwise_and (deprecated), bitwise_xor (deprecated), raw_call, <, >, <=, >=, ==, !=, in, not in (when lhs and rhs are enums)'. This behavior becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. 
The following expressions can produce side-effect: state modifying external call , state modifying internal call, 'raw_call', 'pop()' when used on a Dynamic Array stored in the storage, 'create_minimal_proxy_to', 'create_copy_of', 'create_from_blueprint'. This issue has not yet been patched. Users are advised to make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\r\nhttps://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf", "cve": "CVE-2023-40015", 
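Review bot: The new CVE-2024-32481 entry's `specs` is wrong in both directions: the advisory text says the negative-`start` `range()` revert was introduced in 0.3.8 and fixed in 0.4.0b1, but `"<=0.3.8"` flags every release before 0.3.8 (unaffected per the text) and omits 0.3.9 and 0.3.10 (affected per the text). Both `specs` and `v` should be `">=0.3.8,<0.4.0b1"`. As written, users on the two most recent affected releases get no finding while users on older releases get a false positive.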
@@ -187063,6 +188882,17 @@ ">=1.5rc1,<4.1.4" ], "v": ">=4.2rc1,<4.2.2,>=1.5rc1,<4.1.4" + }, + { + "advisory": "Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follows: 1.For models registered through `ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted fields in a separate settings model, and configure permission at the model level. See CVE-2024-32882.", + "cve": "CVE-2024-32882", + "id": "pyup.io-71238", + "more_info_path": "/vulnerabilities/CVE-2024-32882/71238", + "specs": [ + ">=6.0.2,<6.0.3", + ">=6.0,<6.1" + ], + "v": ">=6.0.2,<6.0.3,>=6.0,<6.1" } ], "wagtail-2fa": [ 
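Review bot: The new Wagtail CVE-2024-32882 entry's ranges do not match its text: the advisory says 6.0.3 and 6.1 are patched and releases before 6.0 are unaffected, yet `">=6.0,<6.1"` still matches the patched 6.0.3 (a false positive), while `">=6.0.2,<6.0.3"` is entirely contained in that range and adds nothing. The first spec should be `">=6.0,<6.0.3"`; if 6.1 pre-releases are meant to be covered, the second range needs to start above 6.0.3 (e.g. `">=6.1a1,<6.1"`) rather than at 6.0, and `v` should be regenerated from the corrected specs. The advisory text's "1.For models" is also missing a space after the numeral.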
@@ -187466,16 +189296,6 @@ ], "v": "<0.12.12" }, - { - "advisory": "Wandb 0.12.18 updates its dependency 'rsa' to v4.7 to include security fixes.", - "cve": "CVE-2020-13757", - "id": "pyup.io-49367", - "more_info_path": "/vulnerabilities/CVE-2020-13757/49367", - "specs": [ - "<0.12.18" - ], - "v": "<0.12.18" - }, { "advisory": "Wandb 0.12.18 updates its dependency 'rsa' to v4.7 to include security fixes.", "cve": "CVE-2020-25658", @@ -187497,10 +189317,10 @@ "v": "<0.12.18" }, { - "advisory": "Wandb 0.12.18 updates its dependency 'httplib2' to v0.19.0 to include security fixes.", - "cve": "CVE-2020-11078", - "id": "pyup.io-49365", - "more_info_path": "/vulnerabilities/CVE-2020-11078/49365", + "advisory": "Wandb 0.12.18 updates its dependency 'rsa' to v4.7 to include security fixes.", + "cve": "CVE-2020-13757", + "id": "pyup.io-49367", + "more_info_path": "/vulnerabilities/CVE-2020-13757/49367", "specs": [ "<0.12.18" ], @@ -187508,9 +189328,9 @@ }, { "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", - "cve": "CVE-2020-26137", - "id": "pyup.io-49368", - "more_info_path": "/vulnerabilities/CVE-2020-26137/49368", + "cve": "CVE-2021-33503", + "id": "pyup.io-49369", + "more_info_path": "/vulnerabilities/CVE-2021-33503/49369", "specs": [ "<0.12.18" ], @@ -187528,9 +189348,19 @@ }, { "advisory": "Wandb 0.12.18 updates its dependency 'urllib3' to v1.26.5 to include security fixes.", - "cve": "CVE-2021-33503", - "id": "pyup.io-49369", - "more_info_path": "/vulnerabilities/CVE-2021-33503/49369", + "cve": "CVE-2020-26137", + "id": "pyup.io-49368", + "more_info_path": "/vulnerabilities/CVE-2020-26137/49368", + "specs": [ + "<0.12.18" + ], + "v": "<0.12.18" + }, + { + "advisory": "Wandb 0.12.18 updates its dependency 'httplib2' to v0.19.0 to include security fixes.", + "cve": "CVE-2020-11078", + "id": "pyup.io-49365", + "more_info_path": "/vulnerabilities/CVE-2020-11078/49365", "specs": [ "<0.12.18" ], 
@@ -187655,9 +189485,9 @@ }, { "advisory": "Wasmtime 3.0.0 (Python bindings) downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/18a742a3457d6edfab7e96af466721e19d2e12cd", - "cve": "CVE-2022-39393", - "id": "pyup.io-51997", - "more_info_path": "/vulnerabilities/CVE-2022-39393/51997", + "cve": "CVE-2022-39392", + "id": "pyup.io-51995", + "more_info_path": "/vulnerabilities/CVE-2022-39392/51995", "specs": [ "<3.0.0" ], 
@@ -187675,29 +189505,29 @@ }, { "advisory": "Wasmtime 3.0.0 (Python bindings) downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/18a742a3457d6edfab7e96af466721e19d2e12cd", - "cve": "CVE-2022-39392", - "id": "pyup.io-51995", - "more_info_path": "/vulnerabilities/CVE-2022-39392/51995", + "cve": "CVE-2022-39393", + "id": "pyup.io-51997", + "more_info_path": "/vulnerabilities/CVE-2022-39393/51997", "specs": [ "<3.0.0" ], "v": "<3.0.0" }, { - "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wasmtime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329", - "cve": "CVE-2023-26489", - "id": "pyup.io-53755", - "more_info_path": "/vulnerabilities/CVE-2023-26489/53755", + "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329", + "cve": "CVE-2023-27477", + "id": "pyup.io-53756", + "more_info_path": "/vulnerabilities/CVE-2023-27477/53756", "specs": [ "<7.0.0" ], "v": "<7.0.0" }, { - "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wastime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329", - "cve": "CVE-2023-27477", - "id": "pyup.io-53756", - "more_info_path": "/vulnerabilities/CVE-2023-27477/53756", + "advisory": "Wasmtime (Python bindings) 7.0.0 downloads a precompiled version of Wasmtime core that includes security fixes.\r\nhttps://github.com/bytecodealliance/wasmtime-py/commit/4a52ebbe0a7e577721a30a38170b7472aa153329", + "cve": "CVE-2023-26489", + "id": "pyup.io-53755", + "more_info_path": "/vulnerabilities/CVE-2023-26489/53755", "specs": [ "<7.0.0" ], 
@@ -187864,10 +189694,10 @@ "v": "<12.9.3" }, { - "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'pygments>=2.7.4' to include security fixes.", - "cve": "CVE-2021-27291", - "id": "pyup.io-49503", - "more_info_path": "/vulnerabilities/CVE-2021-27291/49503", + "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.", + "cve": "CVE-2021-41495", + "id": "pyup.io-49447", + "more_info_path": "/vulnerabilities/CVE-2021-41495/49447", "specs": [ "<12.9.3" ], @@ -187884,10 +189714,10 @@ "v": "<12.9.3" }, { - "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'numpy>=1.22.2' to include security fixes.", - "cve": "CVE-2021-41495", - "id": "pyup.io-49447", - "more_info_path": "/vulnerabilities/CVE-2021-41495/49447", + "advisory": "Wdmtoolbox 12.9.3 pins the dependency 'pygments>=2.7.4' to include security fixes.", + "cve": "CVE-2021-27291", + "id": "pyup.io-49503", + "more_info_path": "/vulnerabilities/CVE-2021-27291/49503", "specs": [ "<12.9.3" ], @@ -188190,6 +190020,18 @@ "v": "<3.7.0" } ], + "webchecks": [ + { + "advisory": "Webchecks version 0.1.2 updates its `requests` dependency from version 2.31.0 to 2.32.0 to address the security vulnerability identified in CVE-2024-35195. This update ensures the package remains secure by mitigating the potential risks associated with the older version of the `requests` library.", + "cve": "CVE-2024-35195", + "id": "pyup.io-71079", + "more_info_path": "/vulnerabilities/CVE-2024-35195/71079", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "webcomix": [ { "advisory": "Webcomix v3.5.1 updates its dependency \"scrapy-splash\" to 0.8.0 to include a security fix.", 
@@ -189522,20 +191364,20 @@
 "v": "<2.3"
 },
 {
- "advisory": "Xpra 3.1.1 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/Xpra-org/xpra/commit/d0fc0a889188e70f2d2451089c397a86ce0f71cc",
- "cve": "PVE-2023-60576",
- "id": "pyup.io-60576",
- "more_info_path": "/vulnerabilities/PVE-2023-60576/60576",
+ "advisory": "Xpra 3.1.1 includes a fix for a Use of Cryptographically Weak Pseudo-Random Number Generator vulnerability.\r\nhttps://github.com/Xpra-org/xpra/commit/73f80840aacba21dd19f8a096f12ce6b88886d63",
+ "cve": "PVE-2023-60575",
+ "id": "pyup.io-60575",
+ "more_info_path": "/vulnerabilities/PVE-2023-60575/60575",
 "specs": [
 "<3.1.1"
 ],
 "v": "<3.1.1"
 },
 {
- "advisory": "Xpra 3.1.1 includes a fix for a Use of Cryptographically Weak Pseudo-Random Number Generator vulnerability.\r\nhttps://github.com/Xpra-org/xpra/commit/73f80840aacba21dd19f8a096f12ce6b88886d63",
- "cve": "PVE-2023-60575",
- "id": "pyup.io-60575",
- "more_info_path": "/vulnerabilities/PVE-2023-60575/60575",
+ "advisory": "Xpra 3.1.1 includes a fix for a Race Condition vulnerability.\r\nhttps://github.com/Xpra-org/xpra/commit/d0fc0a889188e70f2d2451089c397a86ce0f71cc",
+ "cve": "PVE-2023-60576",
+ "id": "pyup.io-60576",
+ "more_info_path": "/vulnerabilities/PVE-2023-60576/60576",
 "specs": [
 "<3.1.1"
 ],
@@ -189670,19 +191512,19 @@
 "xtgeo": [
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "PVE-2021-44525",
- "id": "pyup.io-48285",
- "more_info_path": "/vulnerabilities/PVE-2021-44525/48285",
+ "cve": "CVE-2022-22816",
+ "id": "pyup.io-48287",
+ "more_info_path": "/vulnerabilities/CVE-2022-22816/48287",
 "specs": [
 "<2.17.1"
 ],
 "v": "<2.17.1"
 },
 {
- "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-22817",
- "id": "pyup.io-48284",
- "more_info_path": "/vulnerabilities/CVE-2022-22817/48284",
+ "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues affecting versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
+ "cve": "CVE-2022-24303",
+ "id": "pyup.io-48264",
+ "more_info_path": "/vulnerabilities/CVE-2022-24303/48264",
 "specs": [
 "<2.17.1"
 ],
@@ -189690,9 +191532,9 @@
 },
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "PVE-2022-44524",
- "id": "pyup.io-48286",
- "more_info_path": "/vulnerabilities/PVE-2022-44524/48286",
+ "cve": "CVE-2022-22817",
+ "id": "pyup.io-48284",
+ "more_info_path": "/vulnerabilities/CVE-2022-22817/48284",
 "specs": [
 "<2.17.1"
 ],
@@ -189700,19 +191542,19 @@
 },
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-22816",
- "id": "pyup.io-48287",
- "more_info_path": "/vulnerabilities/CVE-2022-22816/48287",
+ "cve": "PVE-2021-44525",
+ "id": "pyup.io-48285",
+ "more_info_path": "/vulnerabilities/PVE-2021-44525/48285",
 "specs": [
 "<2.17.1"
 ],
 "v": "<2.17.1"
 },
 {
- "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues affecting versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-24303",
- "id": "pyup.io-48264",
- "more_info_path": "/vulnerabilities/CVE-2022-24303/48264",
+ "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
+ "cve": "CVE-2022-22815",
+ "id": "pyup.io-48288",
+ "more_info_path": "/vulnerabilities/CVE-2022-22815/48288",
 "specs": [
 "<2.17.1"
 ],
@@ -189720,9 +191562,9 @@
 },
 {
 "advisory": "Xtgeo 2.17.1 drops dependency on 'pillow' to avoid security issues with versions <=8.4.\r\nhttps://github.com/equinor/xtgeo/pull/748",
- "cve": "CVE-2022-22815",
- "id": "pyup.io-48288",
- "more_info_path": "/vulnerabilities/CVE-2022-22815/48288",
+ "cve": "PVE-2022-44524",
+ "id": "pyup.io-48286",
+ "more_info_path": "/vulnerabilities/PVE-2022-44524/48286",
 "specs": [
 "<2.17.1"
 ],
@@ -190345,9 +192187,9 @@
 },
 {
 "advisory": "Zenml 0.46.0 updates its dependency 'langchain' to versions \">=0.0.325\" to include security fixes.",
- "cve": "CVE-2023-44467",
- "id": "pyup.io-62195",
- "more_info_path": "/vulnerabilities/CVE-2023-44467/62195",
+ "cve": "CVE-2023-39631",
+ "id": "pyup.io-62202",
+ "more_info_path": "/vulnerabilities/CVE-2023-39631/62202",
 "specs": [
 "<0.46.0"
 ],
@@ -190355,9 +192197,9 @@
 },
 {
 "advisory": "Zenml 0.46.0 updates its dependency 'langchain' to versions \">=0.0.325\" to include security fixes.",
- "cve": "CVE-2023-39631",
- "id": "pyup.io-62202",
- "more_info_path": "/vulnerabilities/CVE-2023-39631/62202",
+ "cve": "CVE-2023-44467",
+ "id": "pyup.io-62195",
+ "more_info_path": "/vulnerabilities/CVE-2023-44467/62195",
 "specs": [
 "<0.46.0"
 ],
@@ -190373,16 +192215,6 @@
 ],
 "v": "<0.46.7"
 },
- {
- "advisory": "Zenml version 0.56.3 has broadened its compatibility with FastAPI, now requiring versions \">=0.75,<0.111\" to address the security concerns outlined in CVE-2024-24762.",
- "cve": "CVE-2024-24762",
- "id": "pyup.io-67571",
- "more_info_path": "/vulnerabilities/CVE-2024-24762/67571",
- "specs": [
- "<0.56.3"
- ],
- "v": "<0.56.3"
- },
 {
 "advisory": "Zenml version 0.56.3 updates its python-multipart dependency from \"~0.0.5\" to \"~0.0.9\" in response to GHSA-qf9m-vfgh-m389. This change addresses a vulnerability in python-multipart that impacts its use with FastAPI.",
 "cve": "PVE-2024-67582",
@@ -190402,6 +192234,16 @@
 "<0.56.3"
 ],
 "v": "<0.56.3"
+ },
+ {
+ "advisory": "Zenml version 0.56.3 has broadened its compatibility with FastAPI, now requiring versions \">=0.75,<0.111\" to address the security concerns outlined in CVE-2024-24762.",
+ "cve": "CVE-2024-24762",
+ "id": "pyup.io-67571",
+ "more_info_path": "/vulnerabilities/CVE-2024-24762/67571",
+ "specs": [
+ "<0.56.3"
+ ],
+ "v": "<0.56.3"
 }
 ],
 "zeo": [